ClientCertificates and IIS5 with https://localhost

From: Michel Gallant (neutron_at_istar.ca)
Date: 03/25/05

    Date: Fri, 25 Mar 2005 17:03:42 -0500

    I have seen a number of postings with problems similar to this:

    W2k Pro sp4 fully patched
    IIS 5 web service: ssl enabled; requiring client certificates
    Running on same machine as client

    Client .NET 1.1 console application in C#:
     (certfile is also a valid certificate in CU MY store .. with associated private key available)

     using System.Net;
     using System.Security.Cryptography.X509Certificates;
     .....
     // CreateFromCertFile loads only the public certificate; the matching private key
     // is looked up in the certificate stores when the SSL client-cert negotiation runs
     X509Certificate jscert = X509Certificate.CreateFromCertFile(certfile);
     HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
     req.ClientCertificates.Add(jscert);   // offer this certificate for client authentication
     HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
     ... stream response

    the url is specified as https://localhost/somewebpage

    but the C# client console application, running as current user, does not appear to have access to
    the private key and the SSL negotiation for client certificate fails:

    System.Net.WebException: The remote server returned an error: (403) Forbidden.

    If I change the host name from "localhost" to "<mymachinename>" (as suggested by a previous
    posting) the error message changes to:

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship with remote server.

    HOWEVER, exactly the same url, accessed from same machine and user context
    with IE6 browser does properly raise the private key password access for same certificate.

    Any ideas? I haven't explicitly imported my certificate/pvk into the LocalMachine store (yet)
    but I understand that .NET 1.1 implementation of req.GetResponse() when an SSL client cert
    negotiation is required is to (internally) check BOTH CU and LM stores for certificates-with-private-keys
    matching the certificate file specified in CreateFromCertFile(certfile).

    Are there any TEST SSL servers on the Internet which require client certificate authentication?

    - Mitch Gallant
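A local stand-in for the "test SSL server requiring client certificate authentication" asked for above, added here as an example and not part of the original post: OpenSSL's s_server with -Verify refuses the handshake unless the client presents a certificate signed by the trusted CA, and the two probes show the difference between omitting and presenting one. It assumes the openssl command-line tool is installed; the CA and certificate names, port 4433 and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added local test harness (not from the original post): an OpenSSL server that
# REQUIRES a client certificate, probed once without and once with a cert.
# Names (test-ca, server, client), the port and the temp dir are constructed.
set -e
PORT="${PORT:-4433}"

make_certs() {   # $1 = work dir: throw-away CA plus CA-signed server and client certs
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -out "$1/$n.crt" 2>/dev/null
  done
}

start_server() { # $1 = work dir; -Verify fails the handshake without a CA-signed client cert
  openssl s_server -accept "$PORT" -cert "$1/server.crt" -key "$1/server.key" \
    -CAfile "$1/ca.crt" -Verify 1 -www >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1          # give s_server a moment to start listening
}

probe() {        # $1 = work dir, rest = extra s_client args; "ok" if the server answered a GET
  work="$1"; shift
  if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
       -CAfile "$work/ca.crt" -quiet "$@" 2>/dev/null | grep -q "HTTP/1.0 200"; then
    echo ok
  else
    echo rejected
  fi
}

demo() {         # prints one result line per probe; the same server serves both probes
  work=$(mktemp -d)
  make_certs "$work"
  start_server "$work"
  echo "no-cert=$(probe "$work")"
  echo "with-cert=$(probe "$work" -cert "$work/client.crt" -key "$work/client.key")"
  kill "$SERVER_PID"; wait "$SERVER_PID" 2>/dev/null || true
  rm -rf "$work"
}

demo
```

Expected output is `no-cert=rejected` followed by `with-cert=ok`; pointing the .NET client at this port with the same client.crt/client.key pair separates "the server never got a usable client cert" from "IIS rejected the cert it got".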

