Could not create SSL/TLS secure channel works on winforms but not in asp.net

I have a web service which I have registered via "add service reference" that requires HTTPS and a certificate. Below is my code for instantiating my service:

        // Namespaces the snippet needs (place at the top of the file).
        using System.IO;
        using System.Reflection;
        using System.Security.Cryptography.X509Certificates;

        service = new MyReferencedWebService();

        // Read the embedded certificate resource completely; a single Stream.Read
        // call may return fewer bytes than requested.
        byte[] bytes;
        using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("Mycert.cer"))
        using (var ms = new MemoryStream())
        {
            stream.CopyTo(ms);
            bytes = ms.ToArray();
        }

        X509Certificate2 cert = new X509Certificate2();
        cert.Import(bytes, MYPASSWORD, X509KeyStorageFlags.DefaultKeySet);

        // Present the certificate as the client credential for the Transport-mode binding below.
        service.ClientCredentials.ClientCertificate.Certificate = cert;

and my config looks like this:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="RecordGeneratorWebServiceSoapHttp">
                <security mode="Transport">
                    <transport clientCredentialType="Certificate" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://mywebserviceurl"
            binding="basicHttpBinding" bindingConfiguration="RecordGeneratorWebServiceSoapHttp"
            contract="MyService.RecordGeneratorWebServiceInterface"
            name="RecordGeneratorWebServicePort" />
    </client>
</system.serviceModel>

If I create a simple winforms .exe and use the above code I get a response from my web service. However, if I put this same code in ASP.NET I get the following:

The request was aborted: Could not create SSL/TLS secure channel.

How do I make this work in ASP.NET?

EDIT: I should add: the client certificate that I am using is tied to a smart card and requires a PIN to be entered for use. Not sure if that makes any difference or not.

When a client logs into the application it prompts them for their certificate PIN. In this case they have a CAC card inserted into a CAC reader. So maybe I can somehow use the Request.ClientCertificate?

Coltech asked Feb 14 '14 17:02

1 Answer

What is your plan here? In other words:

Who is going to be entering the PIN? Who is going to be inserting a smart card?

You cannot establish the secure channel between the ASP.NET web server and the web service without the smart card and the PIN, because the client (i.e. the ASP.NET web server) must access the private key on the smart card (and needs the PIN to do that). I fear the only way you're going to get this to work is to get that entire certificate (including the private key) off of the smart card (which should be very difficult if not impossible by design).

Your best course of action is to:

A) Request a "server certificate" (non smart-card) that can be used as the client certificate for the channel between the ASP.NET web server and the target web service.

or

B) Re-architect your solution so that the clients (the folks who have the smart cards and the PINs) access the secure web service directly using their smart card and PIN.

mikey answered Sep 27 '22 18:09
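Option A from the answer, worked through as an added example (this is not code from the answer or from the asker's project): the ASP.NET side loads a non-smart-card client certificate from the LocalMachine store, verifies up front that its private key is actually readable by the worker-process identity, and attaches it to a WCF channel built with the same Transport/Certificate settings as the web.config in the question. The thumbprint constant and the endpoint URL are placeholders; the service contract type is whatever "add service reference" generated. The explicit private-key check is the part that explains the WinForms-versus-ASP.NET difference: in the WinForms .exe the interactive user's smart-card CSP can prompt for the PIN, while the IIS worker process has no desktop to prompt on, so WCF surfaces only the generic "Could not create SSL/TLS secure channel" at request time.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public static class ServiceClientFactory
{
    // Placeholder: thumbprint of the non-smart-card client certificate installed in
    // LocalMachine\My, with the IIS application pool account granted read access to
    // its private key (certificates MMC -> All Tasks -> Manage Private Keys).
    private const string ClientCertThumbprint = "0000000000000000000000000000000000000000";

    public static X509Certificate2 LoadClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in LocalMachine\\My.");

            var cert = matches[0];
            EnsurePrivateKeyUsable(cert);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Fail fast with a specific message instead of the generic
    // "Could not create SSL/TLS secure channel" WCF raises when the handshake runs.
    public static void EnsurePrivateKeyUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; a public .cer alone cannot authenticate the client.");
        try
        {
            // Opening the key forces the CSP/KSP to load it under the current process identity.
            // For a smart-card key this is where a PIN prompt would be required, which an
            // IIS worker process cannot answer.
            using (RSA key = cert.GetRSAPrivateKey())
            {
                if (key == null)
                    throw new InvalidOperationException("Private key is not RSA or is not accessible.");
            }
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Private key exists but is not readable by this process identity; " +
                "grant the application pool account read access to the key.", ex);
        }
    }

    // Same binding as the <basicHttpBinding> in the question's config, built in code,
    // with the verified certificate attached as the client credential.
    public static ChannelFactory<TContract> CreateFactory<TContract>(string endpointUrl)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        var factory = new ChannelFactory<TContract>(binding, new EndpointAddress(endpointUrl));
        factory.Credentials.ClientCertificate.Certificate = LoadClientCertificate();
        return factory;
    }
}
```

Usage from the web application would be `var factory = ServiceClientFactory.CreateFactory<MyService.RecordGeneratorWebServiceInterface>("https://mywebserviceurl"); var client = factory.CreateChannel();`. Calling `EnsurePrivateKeyUsable` at application start-up (or in a health check) turns the key-permission and smart-card problems into a readable exception long before the first SOAP call.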