Re: Client Certificate not reaching server

From: ek03 (ek03_at_discussions.microsoft.com)
Date: 10/20/04


Date: Wed, 20 Oct 2004 08:39:14 -0700

The certificate is in the machine store - //machine-name/Personal...

"Joe Kaplan (MVP - ADSI)" wrote:

> Personal stores go by user account, so you need to make sure that the
> certificate is stored in the personal store of the identity that will be
> running the code. You can also use the machine store to place the keys,
> which might work better in your situation.
>
> Joe K.
>
> "ek03" <ek03@discussions.microsoft.com> wrote in message
> news:9F310CFD-375D-4C27-B6B4-90DE6D0E6074@microsoft.com...
> > What store will be searched for the private key? I am having the same
> > issue
> > -- i.e. adding the clientCertificate to the request object but it is not
> > being sent in the actual request. I do have a private key installed. The
> > certificate is in the Local Computer/Personal store on the client machine.
> >
> > Thanks.
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> What happens is that when you attach the client certificate to your
> >> request,
> >> the underlying code will try to find the private key for that certificate
> >> in
> >> a key store on your machine. If it finds the key, then it can do client
> >> certificate authentication. If it can't then client certificate
> >> authentication doesn't work.
> >>
> >> This is what you are seeing. You are adding a certificate to the request
> >> but don't have the private key, so the client code fails to find it and
> >> doesn't try to do client certificate authentication with the server.
> >> Thus
> >> the server doesn't see a client certificate from the request.
> >>
> >> When you think about this, it makes sense. If a client certificate can
> >> be
> >> used for authentication, then it would make sense that you would need to
> >> have the private key to prove that certificate is yours. The certificate
> >> is
> >> public data, so it can't be used to prove your identity by itself.
> >>
> >> The larger question I have is if you need to just use SSL with the server
> >> certificate or if they really want you to do client authentication. Is
> >> the
> >> cert they gave you for your client or for the server?
> >>
> >> Joe K.
> >>
> >> "NRao" <NRao@discussions.microsoft.com> wrote in message
> >> news:0315A66B-CFA7-481C-AD9F-044A3DD4A3FD@microsoft.com...
> >> > Joe,
> >> >
> >> > Thank you very much. You explained it very well. But still have doubt.
> >> > If
> >> > you can explain this that really helps me lot.
> >> >
> >> > I have added certificate from file as below. When I see the webReq
> >> > object
> >> > in quickwatch it shows valid certificate.
> >> >
> >> > X509Certificate clientCertificate =
> >> > X509Certificate.CreateFromCertFile(CERT);
> >> > webReq.ClientCertificates.Add( clientCertificate );
> >> >
> >> > Then I sent the request. On server I look at the
> >> > Request.ClientCertificates.
> >> > There is no certificate. My question is even it is invalid certificate
> >> > it
> >> > should be present on the server. Right? What happened to the
> >> > certificate I
> >> > attached. Request ignored that?
> >> >
> >> >
> >> >
> >> >
> >> > "NRao" wrote:
> >> >
> >> >> Hello Everybody,
> >> >>
> >> >> I have a class lib which is accessing a .aspx on web through
> >> >> httpwebrequest
> >> >> and sending xml through post method. Server people provided me a .cer
> >> >> file. I
> >> >> am adding that certificate file to httpwebrequest. But their side they
> >> >> do
> >> >> not
> >> >> find the certificate. I tried following ways
> >> >>
> >> >> 1) Convert the .cer file into binary
> >> >>
> >> >> 2) Imported the .cer file into Certificate store(localcomputer/current
> >> >> user)
> >> >> and exported the certificate into DER format .cer file and tried
> >> >> CreateFromCertFile() method.
> >> >>
> >> >> Can anybody please point right way
> >> >>
> >> >> Also I have few questions.
> >> >> 1) what preventing the certificate to reach server?
> >> >> 2)I added the certificate to httpwebrequest and sent to my test site
> >> >> and
> >> >> there I checked Request.ClientCertificate.IsPresent. But I always get
> >> >> false.
> >> >> Why So? Even if it is not valid certificate should present. right?
> >> >>
> >>
> >>
> >>
>
>
>
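
The private-key lookup described in the thread above can be checked before the request is sent. The following is an added example, not code from any poster; it assumes .NET Framework 4.6 or later (the X509Store API postdates this 2004 thread), an RSA key, and a thumbprint and URL passed on the command line as placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // True only if the running identity can actually open and use the private key.
    static bool CanUseKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;           // e.g. loaded from a bare .cer file
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())    // assumption: the key is RSA
                return rsa != null && rsa.SignData(new byte[] { 0 },
                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1).Length > 0;
        }
        catch (CryptographicException) { return false; } // key exists but this account cannot read it
    }

    // Search the Personal ("My") store of the current user, then of the local machine.
    static X509Certificate2 FindUsable(string thumbprint)
    {
        foreach (var loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
            using (var store = new X509Store(StoreName.My, loc))
            {
                store.Open(OpenFlags.ReadOnly);
                foreach (X509Certificate2 c in store.Certificates.Find(
                             X509FindType.FindByThumbprint, thumbprint, false))
                {
                    bool ok = CanUseKey(c);
                    Console.WriteLine("{0}\\My: HasPrivateKey={1}, usable={2}", loc, c.HasPrivateKey, ok);
                    if (ok) return c;
                }
            }
        return null;
    }

    static int Main(string[] args)   // args: <thumbprint> <https-url>, both placeholders
    {
        X509Certificate2 cert = FindUsable(args[0]);
        if (cert == null) { Console.WriteLine("No usable private key for this identity."); return 1; }
        var req = (HttpWebRequest)WebRequest.Create(args[1]);
        req.ClientCertificates.Add(cert);   // certificate now backed by a key this process can use
        using (var resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine((int)resp.StatusCode);
        return 0;
    }
}
```

Run it under the same account as the calling code (for example the service or application pool identity): a certificate in the machine store can report `HasPrivateKey=True` and still be unusable if that account has no read permission on the key.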


