Re: Client Certificate not reaching server

From: ek03 (ek03_at_discussions.microsoft.com)
Date: 10/20/04


Date: Wed, 20 Oct 2004 04:15:06 -0700

What store will be searched for the private key? I am having the same issue
-- i.e. adding the clientCertificate to the request object but it is not
being sent in the actual request. I do have a private key installed. The
certificate is in the Local Computer/Personal store on the client machine.

Thanks.

"Joe Kaplan (MVP - ADSI)" wrote:

> What happens is that when you attach the client certificate to your request,
> the underlying code will try to find the private key for that certificate in
> a key store on your machine. If it finds the key, then it can do client
> certificate authentication. If it can't then client certificate
> authentication doesn't work.
>
> This is what you are seeing. You are adding a certificate to the request
> but don't have the private key, so the client code fails to find it and
> doesn't try to do client certificate authentication with the server. Thus
> the server doesn't see a client certificate from the request.
>
> When you think about this, it makes sense. If a client certificate can be
> used for authentication, then it would make sense that you would need to
> have the private key to prove that certificate is yours. The certificate is
> public data, so it can't be used to prove your identity by itself.
>
> The larger question I have is if you need to just use SSL with the server
> certificate or if they really want you to do client authentication. Is the
> cert they gave you for your client or for the server?
>
> Joe K.
>
> "NRao" <NRao@discussions.microsoft.com> wrote in message
> news:0315A66B-CFA7-481C-AD9F-044A3DD4A3FD@microsoft.com...
> > Joe,
> >
> > Thank you very much. You explained it very well. But I still have a doubt.
> > If you can explain this, that really helps me a lot.
> >
> > I have added the certificate from a file as below. When I see the webReq
> > object in QuickWatch it shows a valid certificate.
> >
> > X509Certificate clientCertificate = X509Certificate.CreateFromCertFile(CERT);
> > webReq.ClientCertificates.Add( clientCertificate );
> >
> > Then I sent the request. On the server I look at
> > Request.ClientCertificates. There is no certificate. My question is: even
> > if it is an invalid certificate, it should be present on the server, right?
> > What happened to the certificate I attached? Did the request ignore it?
> >
> >
> >
> >
> > "NRao" wrote:
> >
> >> Hello Everybody,
> >>
> >> I have a class lib which is accessing an .aspx on the web through
> >> httpwebrequest and sending xml through the post method. The server people
> >> provided me a .cer file. I am adding that certificate file to
> >> httpwebrequest. But on their side they do not find the certificate. I
> >> tried the following ways:
> >>
> >> 1) Convert the .cer file into binary
> >>
> >> 2) Imported the .cer file into the certificate store (local computer/current
> >> user) and exported the certificate into a DER format .cer file and tried
> >> the CreateFromCertFile() method.
> >>
> >> Can anybody please point me the right way?
> >>
> >> Also I have a few questions.
> >> 1) What is preventing the certificate from reaching the server?
> >> 2) I added the certificate to httpwebrequest and sent it to my test site,
> >> and there I checked Request.ClientCertificate.IsPresent. But I always get
> >> false. Why so? Even if it is not a valid certificate it should be
> >> present, right?
> >>
>
>
>
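
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original posts: it looks a certificate up in the Personal store of both the current user and the local computer, reports whether each copy has an associated private key, and only attaches one that does. It uses `X509Store` and `X509Certificate2` from .NET 2.0 and later, which postdate the thread; the thumbprint and URL command-line arguments are assumptions.

```csharp
// Added example; not code from the thread. Needs .NET 2.0+ and a C# 3+ compiler.
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Returns the first certificate with this thumbprint that has an associated
    // private key, checking the per-user and then the per-machine Personal store.
    static X509Certificate2 FindWithPrivateKey(string thumbprint)
    {
        foreach (StoreLocation location in
                 new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            X509Store store = new X509Store(StoreName.My, location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // validOnly: false, so expired or untrusted certificates are still listed
                foreach (X509Certificate2 cert in store.Certificates.Find(
                             X509FindType.FindByThumbprint, thumbprint, false))
                {
                    Console.WriteLine("{0}\\My: {1} HasPrivateKey={2}",
                                      location, cert.Subject, cert.HasPrivateKey);
                    if (cert.HasPrivateKey) return cert;
                }
            }
            finally { store.Close(); }
        }
        return null;
    }

    static void Main(string[] args)
    {
        // Hypothetical arguments: <certificate thumbprint> <https URL>
        X509Certificate2 cert = FindWithPrivateKey(args[0]);
        if (cert == null)
        {
            // A certificate without its private key cannot prove possession.
            Console.Error.WriteLine("No certificate with a private key was found.");
            return;
        }
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(args[1]);
        req.ClientCertificates.Add(cert);
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine("Status: {0}", resp.StatusCode);
    }
}
```

`HasPrivateKey` only reports that a key is associated with the certificate; the account running the code also needs read access to that key, which matters for keys in the local computer store.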


