
I am building a Windows Phone 8.1 app which allows Azure users to view their subscription/services using the Azure Service Management API. The authentication is done using the management certificate and the certificate is attached to all the requests to the API. It works fine for a single user. But the problem arises when I try to include a feature for multiple subscriptions. I am able to install the certificate in the certificate store and retrieve it. But the problem arises when I send the request to the API. Even though I am attaching the correct certificate, I get a 403 forbidden error. Here is the code I've used.

    // Namespaces this snippet depends on (Windows Runtime APIs, C#).
    using System;
    using System.Threading.Tasks;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Web;
    using Windows.Web.Http;
    using Windows.Web.Http.Filters;

    // Fields assumed on the containing class:
    //   Certificate   - the management certificate PFX as a base64 string
    //   SubscriptionID - the subscription the PFX was uploaded to
    public async Task<Certificate> GetCertificate()
    {
        // Import the PFX (no password) and tag it with the subscription ID as its friendly name,
        // so the app store can hold one management certificate per subscription.
        await CertificateEnrollmentManager.ImportPfxDataAsync(Certificate, "", ExportOption.Exportable,
            KeyProtectionLevel.NoConsent, InstallOptions.None, SubscriptionID);

        // Look the certificate up again by that friendly name.
        CertificateQuery query = new CertificateQuery();
        query.FriendlyName = SubscriptionID;
        var c = await CertificateStores.FindAllAsync(query);
        if (c.Count == 0)
            throw new InvalidOperationException("No certificate found for subscription " + SubscriptionID);
        return c[0];
    }

    public async Task<HttpResponseMessage> SendRequest(string url, string version)
    {
        HttpResponseMessage response = null;
        try
        {
            // Attach the subscription's management certificate as the TLS client certificate.
            HttpBaseProtocolFilter filter = new HttpBaseProtocolFilter();
            filter.ClientCertificate = await GetCertificate();
            HttpClient client = new HttpClient(filter);

            HttpRequestMessage request = new HttpRequestMessage();
            request.RequestUri = new Uri(url);
            request.Headers.Add("x-ms-version", version);
            response = await client.SendRequestAsync(request, HttpCompletionOption.ResponseContentRead);
            return response;
        }
        catch (Exception e)
        {
            // Map transport-level failures to readable messages. A 403 is a normal HTTP
            // response (response.StatusCode), not an exception, so it never reaches this block.
            var status = WebError.GetStatus(e.HResult);
            if (status == WebErrorStatus.CannotConnect)
                throw new Exception("Cannot connect to internet. Check your connection.");
            else if (status == WebErrorStatus.Disconnected)
                throw new Exception("Connection was disconnected.");
            else if (status == WebErrorStatus.ServiceUnavailable)
                throw new Exception("Server was unavailable");
            else if (status == WebErrorStatus.ConnectionReset)
                throw new Exception("Connection was reset.");
            else if (status == WebErrorStatus.BadGateway)
                throw new Exception("Bad gateway.");
            else if (status == WebErrorStatus.InternalServerError)
                throw new Exception("Internal server error occurred");
            else if (status == WebErrorStatus.HostNameNotResolved)
                throw new Exception("Check your network connection. Host name could not be resolved.");
            else
                throw; // anything else: do not swallow it and return null
        }
    }

Does the Windows Phone OS have restrictions on certificates for an app?

Sridhar
  • I've experienced something similar when trying to change the client certificate for a request against the same domain. I'm guessing the management endpoint you're calling into is the same domain. I think this has to do with the underlying libraries state and "caching" the client certificate in a way. I have not found any mention of this problem or of a solution though. – ameer Jun 16 '15 at 06:09
  • In Windows 7.5, I remember I couldn't use self signed certificates. Did you have to install your own root CA in the store? – Fabio Salvalai Sep 24 '15 at 16:13

1 Answer

While not directly answering how to deal with your certificate issue, I would suggest a workaround that would work even better.

Use OAuth authorization with a bearer token and Azure AD authentication for the Service API, instead of the certificates.

Thus, instead of managing multiple certificates, you would just use ADAL to get a token from Azure AD, and the single token you receive will be valid for all the subscriptions the user has access to.

You can read more on authenticating service management API calls with Azure AD here.

And you can learn more about using ADAL with Windows Phone app here.

You grant your native client application access to the Azure Service Management API:

(screenshot not included)

astaykov
  • Whoever just downvoted - Service Certificates are going to be retired. The Azure Service Management API that works with certificates has limited functionality. You'd better update your management applications to work with ADAL/MSAL and OAuth and use the Azure Resource Manager instead of downvoting ... – astaykov Aug 28 '19 at 14:15
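The bearer-token approach the answer recommends, as an added example that is not part of the original answer or of any Microsoft sample. It assumes an Azure AD native client registration (placeholder `clientId` and `redirectUri`) that has been granted access to the Service Management API, and it uses the ADAL .NET `AcquireTokenAsync(resource, clientId, redirectUri, PlatformParameters)` signature; the Windows Phone 8.1 build of ADAL acquires tokens through the `AcquireTokenAndContinue` continuation pattern instead, so that one call is the part to adapt. The `x-ms-version` value and the `/subscriptions` and `/{subscriptionId}/services/hostedservices` paths are the documented classic API operations, but treat the version string as an assumption for your tenant:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Added example (not from the original answer): call the classic Service Management API
// with an Azure AD bearer token instead of one management certificate per subscription.
public sealed class ServiceManagementClient
{
    // Resource identifier the token must be issued for. The trailing slash is part of it.
    private const string ManagementResource = "https://management.core.windows.net/";
    private const string ManagementBaseUri = "https://management.core.windows.net";

    private readonly AuthenticationContext _authContext;
    private readonly string _clientId;   // assumed: application (client) ID registered in Azure AD
    private readonly Uri _redirectUri;   // assumed: redirect URI of that native client registration
    private readonly HttpClient _http = new HttpClient();

    public ServiceManagementClient(string tenant, string clientId, Uri redirectUri)
    {
        // Tenant ID or domain; "common" lets a user from any tenant sign in.
        _authContext = new AuthenticationContext("https://login.microsoftonline.com/" + tenant);
        _clientId = clientId;
        _redirectUri = redirectUri;
    }

    // One token covers every subscription the signed-in user administers. ADAL caches the
    // result and renews it silently, so asking for it on every request is cheap.
    // Assumed ADAL .NET signature; Windows Phone 8.1 ADAL uses AcquireTokenAndContinue.
    private async Task<string> GetAccessTokenAsync()
    {
        AuthenticationResult result = await _authContext.AcquireTokenAsync(
            ManagementResource, _clientId, _redirectUri,
            new PlatformParameters(PromptBehavior.Auto));
        return result.AccessToken;
    }

    public async Task<string> GetAsync(string relativePath, string apiVersion = "2014-06-01")
    {
        var request = new HttpRequestMessage(HttpMethod.Get, ManagementBaseUri + relativePath);
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", await GetAccessTokenAsync());
        request.Headers.Add("x-ms-version", apiVersion);

        HttpResponseMessage response = await _http.SendAsync(request);

        // With token auth, 401 means the token is missing, expired or issued for another
        // resource, and 403 means the signed-in user is not an administrator of that
        // subscription. Neither is a certificate problem any more.
        if (response.StatusCode == HttpStatusCode.Unauthorized ||
            response.StatusCode == HttpStatusCode.Forbidden)
        {
            string body = await response.Content.ReadAsStringAsync();
            throw new UnauthorizedAccessException(
                (int)response.StatusCode + " from " + request.RequestUri + ": " + body);
        }
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Every subscription the token can see, with no certificate to select per subscription.
    public Task<string> ListSubscriptionsAsync()
    {
        return GetAsync("/subscriptions");
    }

    // The same token then works for any per-subscription operation, e.g. cloud services.
    public Task<string> ListHostedServicesAsync(string subscriptionId)
    {
        return GetAsync("/" + subscriptionId + "/services/hostedservices");
    }
}
```

Usage: `var client = new ServiceManagementClient("common", clientId, redirectUri); string xml = await client.ListSubscriptionsAsync();` then call `ListHostedServicesAsync` for each subscription ID in the returned XML. Compared with the certificate version in the question, the secret the app holds is a short-lived token tied to the signed-in user rather than a long-lived exportable private key per subscription, and a 403 now tells you something about the user's role on that subscription rather than about which certificate the TLS stack happened to present.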