Re: Client Certificate not reaching server

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/13/04


Date: Wed, 13 Oct 2004 14:32:44 -0500

What happens is that when you attach the client certificate to your request,
the underlying code will try to find the private key for that certificate in
a key store on your machine. If it finds the key, then it can do client
certificate authentication. If it can't, then client certificate
authentication doesn't work.

This is what you are seeing. You are adding a certificate to the request
but don't have the private key, so the client code fails to find it and
doesn't try to do client certificate authentication with the server. Thus
the server doesn't see a client certificate from the request.

When you think about this, it makes sense. If a client certificate can be
used for authentication, then it would make sense that you would need to
have the private key to prove that certificate is yours. The certificate is
public data, so it can't be used to prove your identity by itself.

The larger question I have is if you need to just use SSL with the server
certificate or if they really want you to do client authentication. Is the
cert they gave you for your client or for the server?

Joe K.

"NRao" <NRao@discussions.microsoft.com> wrote in message
news:0315A66B-CFA7-481C-AD9F-044A3DD4A3FD@microsoft.com...
> Joe,
>
> Thank you very much. You explained it very well. But I still have a doubt.
> If you can explain this, that would really help me a lot.
>
> I have added the certificate from a file as below. When I look at the webReq
> object in QuickWatch it shows a valid certificate.
>
> X509Certificate clientCertificate = X509Certificate.CreateFromCertFile(CERT);
> webReq.ClientCertificates.Add( clientCertificate );
>
> Then I sent the request. On the server I look at
> Request.ClientCertificates. There is no certificate. My question is: even if
> it is an invalid certificate, it should be present on the server. Right? What
> happened to the certificate I attached? Did the request ignore it?
>
>
>
>
> "NRao" wrote:
>
>> Hello Everybody,
>>
>> I have a class lib which is accessing an .aspx on the web through
>> httpwebrequest and sending xml through the post method. The server people
>> provided me a .cer file. I am adding that certificate file to the
>> httpwebrequest. But on their side they do not find the certificate. I
>> tried the following ways:
>>
>> 1) Convert the .cer file into binary
>>
>> 2) Imported the .cer file into the certificate store (local computer/current
>> user), exported the certificate into a DER format .cer file and tried the
>> CreateFromCertFile() method.
>>
>> Can anybody please point me the right way?
>>
>> Also I have a few questions.
>> 1) What is preventing the certificate from reaching the server?
>> 2) I added the certificate to the httpwebrequest and sent it to my test site,
>> and there I checked Request.ClientCertificate.IsPresent. But I always get
>> false. Why so? Even if it is not a valid certificate, it should be present,
>> right?
>>
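
Added example, not part of the original thread or either poster's code: a C# check for the condition described in the reply, that a certificate is only sent when its private key can be found. It assumes .NET Framework 2.0 or later (for X509Certificate2, which the posted code does not use); the class name, method name and command-line arguments are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Returns a certificate that has an associated private key, or null.
    // A .cer file carries only the public certificate, so the key has to come
    // from a certificate store entry with the same thumbprint.
    static X509Certificate2 FindUsableClientCert(string cerPath)
    {
        X509Certificate2 fromFile = new X509Certificate2(cerPath);
        Console.WriteLine("File cert {0}: HasPrivateKey={1}",
                          fromFile.Subject, fromFile.HasPrivateKey);

        StoreLocation[] locations = { StoreLocation.CurrentUser, StoreLocation.LocalMachine };
        foreach (StoreLocation location in locations)
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            try
            {
                // validOnly=false: we are diagnosing key presence, not chain trust.
                X509Certificate2Collection matches = store.Certificates.Find(
                    X509FindType.FindByThumbprint, fromFile.Thumbprint, false);
                foreach (X509Certificate2 candidate in matches)
                    if (candidate.HasPrivateKey) return candidate;
            }
            finally { store.Close(); }
        }
        return null;
    }

    static void Main(string[] args)
    {
        if (args.Length < 2) { Console.WriteLine("usage: <cert.cer> <https-url>"); return; }
        X509Certificate2 cert = FindUsableClientCert(args[0]);
        if (cert == null)
        {
            // Attaching the public-only certificate would silently send nothing.
            Console.WriteLine("No private key found for this certificate; it cannot be used for client authentication.");
            return;
        }
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(args[1]);
        req.ClientCertificates.Add(cert);
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine("HTTP {0}", (int)resp.StatusCode);
    }
}
```

HasPrivateKey only reports that a key is associated with the store entry; the account the code runs under also needs read access to that key for the handshake to use it.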
