Re: Client Certificate not reaching server

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/16/04


Date: Wed, 15 Dec 2004 17:43:22 -0600

As I've said before, I'm not the definitive guy to ask to solve this
problem. I just know how to recognize it.

The impersonation might not work because the user's profile isn't loaded
when you impersonate. I think the machine store thing is the way to go.

However, like I said, I'm not the guru with fixing this, so I'm not sure
about the exact steps.

Joe K.

"splap" <splap20@gmail.com> wrote in message
news:1103153237.973231.97320@c13g2000cwb.googlegroups.com...
> I have the same issue. My client cert is installed in the Local
> Machine's personal store and when I attach my .cer file (containing
> public key) the web request is failing to find the private key in the
> cert store. I have tried impersonating a custom 'asp user' who had the
> cert in their personal store too. No luck.
>
> ek03 wrote:
>> The certificate is in the machine store - //machine-name/Personal...
>>
>> "Joe Kaplan (MVP - ADSI)" wrote:
>>
>>> Personal stores go by user account, so you need to make sure that the
>>> certificate is stored in the personal store of the identity that will be
>>> running the code. You can also use the machine store to place the keys,
>>> which might work better in your situation.
>>>
>>> Joe K.
>>>
>>> "ek03" <ek03@discussions.microsoft.com> wrote in message
>>> news:9F310CFD-375D-4C27-B6B4-90DE6D0E6074@microsoft.com...
>>>> What store will be searched for the private key? I am having the same
>>>> issue -- i.e. adding the clientCertificate to the request object but it
>>>> is not being sent in the actual request. I do have a private key
>>>> installed. The certificate is in the Local Computer/Personal store on
>>>> the client machine.
>>>>
>>>> Thanks.
>>>>
>>>> "Joe Kaplan (MVP - ADSI)" wrote:
>>>>
>>>>> What happens is that when you attach the client certificate to your
>>>>> request, the underlying code will try to find the private key for that
>>>>> certificate in a key store on your machine. If it finds the key, then
>>>>> it can do client certificate authentication. If it can't, then client
>>>>> certificate authentication doesn't work.
>>>>>
>>>>> This is what you are seeing. You are adding a certificate to the
>>>>> request but don't have the private key, so the client code fails to
>>>>> find it and doesn't try to do client certificate authentication with
>>>>> the server. Thus the server doesn't see a client certificate from the
>>>>> request.
>>>>>
>>>>> When you think about this, it makes sense. If a client certificate can
>>>>> be used for authentication, then it would make sense that you would
>>>>> need to have the private key to prove that certificate is yours. The
>>>>> certificate is public data, so it can't be used to prove your identity
>>>>> by itself.
>>>>>
>>>>> The larger question I have is if you need to just use SSL with the
>>>>> server certificate or if they really want you to do client
>>>>> authentication. Is the cert they gave you for your client or for the
>>>>> server?
>>>>>
>>>>> Joe K.
>>>>>
>>>>> "NRao" <NRao@discussions.microsoft.com> wrote in message
>>>>> news:0315A66B-CFA7-481C-AD9F-044A3DD4A3FD@microsoft.com...
>>>>>> Joe,
>>>>>>
>>>>>> Thank you very much. You explained it very well. But I still have a
>>>>>> doubt. If you can explain this, that really helps me a lot.
>>>>>>
>>>>>> I have added the certificate from file as below. When I see the
>>>>>> webReq object in QuickWatch it shows a valid certificate.
>>>>>>
>>>>>> X509Certificate clientCertificate =
>>>>>> X509Certificate.CreateFromCertFile(CERT);
>>>>>> webReq.ClientCertificates.Add( clientCertificate );
>>>>>>
>>>>>> Then I sent the request. On the server I look at the
>>>>>> Request.ClientCertificates. There is no certificate. My question is,
>>>>>> even if it is an invalid certificate it should be present on the
>>>>>> server. Right? What happened to the certificate I attached? Did the
>>>>>> request ignore that?
>>>>>>
>>>>>> "NRao" wrote:
>>>>>>
>>>>>>> Hello Everybody,
>>>>>>>
>>>>>>> I have a class lib which is accessing a .aspx on the web through
>>>>>>> HttpWebRequest and sending XML through the POST method. Server
>>>>>>> people provided me a .cer file. I am adding that certificate file
>>>>>>> to the HttpWebRequest. But on their side they do not find the
>>>>>>> certificate. I tried the following ways:
>>>>>>>
>>>>>>> 1) Convert the .cer file into binary
>>>>>>>
>>>>>>> 2) Imported the .cer file into the certificate store (local
>>>>>>> computer/current user) and exported the certificate into a DER
>>>>>>> format .cer file and tried the CreateFromCertFile() method.
>>>>>>>
>>>>>>> Can anybody please point me the right way?
>>>>>>>
>>>>>>> Also I have a few questions.
>>>>>>> 1) What is preventing the certificate from reaching the server?
>>>>>>> 2) I added the certificate to the HttpWebRequest and sent it to my
>>>>>>> test site and there I checked Request.ClientCertificate.IsPresent.
>>>>>>> But I always get false. Why so? Even if it is not valid, the
>>>>>>> certificate should be present, right?
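A defensive check for the failure diagnosed in this thread, written as an added C# example (not code from any poster): it assumes .NET 2.0 or later's X509Store API and a placeholder thumbprint, and refuses to attach a certificate that has no private key behind it, which is exactly the silent condition that leaves Request.ClientCertificate.IsPresent false on the server.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the thread). A .cer file carries only the
// public certificate, so a client certificate loaded from it can never
// complete TLS client authentication; the request silently sends none.
// Look the certificate up in the store that holds its key instead and
// refuse to build the request unless a private key is associated with it.
static class ClientCertCheck
{
    // True only when a private key is associated with the certificate.
    // new X509Certificate2("client.cer") always reports false here.
    public static bool HasUsableKey(X509Certificate2 cert)
    {
        return cert != null && cert.HasPrivateKey;
    }
    // Looks up a certificate by thumbprint in the Local Computer / Personal
    // store (LocalMachine\My), the location the thread recommends.
    public static X509Certificate2 FindInMachineStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally
        {
            store.Close();
        }
    }
    // Builds the POST request only with a certificate that can actually
    // authenticate; otherwise fail loudly instead of reproducing the
    // "IsPresent is always false" symptom on the server side.
    public static HttpWebRequest BuildRequest(string url, string thumbprint)
    {
        X509Certificate2 cert = FindInMachineStore(thumbprint);
        if (!HasUsableKey(cert))
            throw new InvalidOperationException(
                "Client cert missing from LocalMachine\\My or has no private key.");
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "POST";
        req.ClientCertificates.Add(cert);
        return req;
    }
}
```

Under ASP.NET the worker process identity must additionally have read access to that private key's container; HasPrivateKey reports only that a key is associated, not that the current identity may use it.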


