Accessing client certificates from an HTTP Request

Question

I'm attempting to access a client certificate inside my web API from an HTTP request. I'm attaching a certificate as follows:

X509Certificate2 clientCert = GetClientCertificate();   
HttpWebRequest request  = (HttpWebRequest)WebRequest.Create("https://localhost:44366/test");                        
request.KeepAlive = true;
request.Method = "GET";
request.Accept = "application/json";
request.ClientCertificates.Clear();
request.ClientCertificates.Add(clientCert);
var response = (HttpWebResponse) request.GetResponse();  

Where GetClientCertificate() accesses a locally-installed certificate. From inside my WebApi, I have the following route:

[HttpGet]
[Route("test")]
public HttpResponseMessage TestNoAuth()
{
    X509Certificate2 cert = Request.GetClientCertificate();
    return cert == null ? Request.CreateResponse(HttpStatusCode.BadRequest, "No cert") : Request.CreateResponse(HttpStatusCode.OK, "Cert attached");
}                                                              

No matter what I attempt, cert always comes back null. Am I attaching the certificate incorrectly, or trying to access it incorrectly? I've made an entirely new WebAPI with just this route for testing, to ensure there are no conflicting settings that might have been present in our development API. Any help would be greatly appreciated.

Answer 1

Make sure your web.config correctly sets sslFlags to SslNegotiateCert:

  <system.webServer>
    <security>
        <access sslFlags="SslNegotiateCert" />
    </security>
  </system.webServer>

Without this setting any certificate attached to the request will be ignored, see this for details.

There is a great series of articles about using client certificates in .NET by Andras Nemes. In this one it's described in detail how to setup client certificats for local test usage.