Re: ClientCertificates and IIS5 with https://localhost

From: Michel Gallant (neutron_at_istar.ca)
Date: 03/27/05

    Date: Sat, 26 Mar 2005 20:08:00 -0500


    I have done more testing on this and I'm almost certain the problem
    is with a .NET 1.1 console application trying to negotiate the SSL handshake for
    client-certificate and access to the associated private key in the CU /MY store.
    I also tried using an openssl SSL server with the same client cert:
      openssl s_server -accept 443 -cert server.pem -Verify 2 -WWW
    with essentially identical (failed to provide client certificate) results.
    The .NET client console app refuses to send a certificate (yet IE 6, running
    on the same machine and using the SAME client certificate, works fine with
    either IIS 5 or Openssl running as SSL servers requiring client certs).

    Also tried moving the client cert/key to the LM / MY store, but still no success.
    Also, installed fresh .NET 1.1 runtime on a clean XP sp2 system, imported from pfx
    the same client cert/key into CU / MY store and ran the same .NET 1.1 client app
    again .. still same problem.

    Is there some issue with user profile or impersonation when using a .NET 1.1
    console application? The following article discusses this, but for asp.net
    applications, which is different:
      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod27.asp

    Here is some very simple .NET 1.1 SSL client code:
       http://www.jensign.com/cryptodev/clientcert.txt

    Any suggestions on changes? Can someone else compile and test this against an SSL server?

    Thanks,
     - Mitch

    "Michel Gallant" <neutron@istar.ca> wrote in message news:%23IxS2ZYMFHA.1268@TK2MSFTNGP14.phx.gbl...
    > I have seen a number of postings with problems similar to this:
    >
    > W2k Pro sp4 fully patched
    > IIS 5 web service: ssl enabled; requiring client certificates
    > Running on same machine as client
    >
    > Client .NET 1.1 console application in C#:
    > (certfile is also a valid certificate in CU MY store .. with associated private key available)
    >
    > .....
    > X509Certificate jscert = X509Certificate.CreateFromCertFile(certfile);
    > HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
    > req.ClientCertificates.Add(jscert);
    > HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
    > ... stream response
    >
    > the url is specified as https://localhost/somwebpage
    >
    > but the C# client console application, running as current user, does not appear to have access to
    > the private key and the SSL negotiation for client certificate fails:
    >
    > System.Net.WebException: The remote server returned an error: (403) Forbidden.
    >
    > If I change the host name from "localhost" to "<mymachinename>" (as suggested by a previous
    > posting) the error message changes to:
    >
    > System.Net.WebException: The underlying connection was closed: Could not establish trust relationship with remote server.
    >
    > HOWEVER, exactly the same url, accessed from same machine and user context
    > with IE6 browser does properly raise the private key password access for same certificate.
    >
    > Any ideas? I haven't explicitly imported my certificate/pvk into the LocalMachine store (yet)
    > but I understand that .NET 1.1 implementation of req.GetResponse() when an SSL client cert
    > negotiation is required is to (internally) check BOTH CU and LM stores for certificates-with-private-keys
    > matching the certificate file specified in CreateFromCertFile(certfile).
    >
    > Are there any TEST SSL servers on the Internet which require client certificate authentication?
    >
    > - Mitch Gallant
    >
    >


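The two failures in this thread (the server rejecting a client that presents no usable client credential, and the client refusing a server whose certificate does not match the host name in the URL) can be reproduced side by side with a small test bench. The following is an added example, not Mitch's code or any .NET code: it uses Python's standard ssl module, drives both ends of the TLS handshake through in-memory BIOs so no port has to be opened, and generates a throwaway CA, server and client certificate with the openssl command-line tool, which is assumed to be on PATH (Python 3.7 or later is also assumed). The names "Lab Test CA", "lab client" and the mismatching host "wrong.example" are constructed for the example. It also shows the Python analogue of a certificate file that carries no private key: such a file cannot even be loaded as a client credential, so no handshake with it can succeed.

```python
"""
Added mutual-TLS test bench (not from the thread). A server context that
requires a client certificate is exercised against three clients: one with
a certificate and key, one with no client credential, and one that connects
under the wrong host name. Certificates are generated into a temp dir with
the openssl CLI (assumed to be on PATH); the handshakes themselves run in
memory through ssl.MemoryBIO, so no port is opened.
"""
import os
import ssl
import subprocess
import tempfile


def _openssl(*args):
    # Thin wrapper around the openssl CLI; output is discarded, failures raise.
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_test_pki(workdir):
    """Constructed lab PKI: a throwaway CA, a server cert for 'localhost' and
    a client cert. Keys are unencrypted; returns a dict of file paths."""
    ca_key = os.path.join(workdir, "ca.key")
    ca_crt = os.path.join(workdir, "ca.pem")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Lab Test CA", "-keyout", ca_key, "-out", ca_crt)
    # The server cert gets a SAN so host-name checking has something to match.
    san = os.path.join(workdir, "san.cnf")
    with open(san, "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    paths = {"ca": ca_crt}
    for name, subj, ext in (("server", "/CN=localhost", san),
                            ("client", "/CN=lab client", None)):
        key = os.path.join(workdir, name + ".key")
        csr = os.path.join(workdir, name + ".csr")
        crt = os.path.join(workdir, name + ".pem")
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-subj", subj, "-keyout", key, "-out", csr)
        args = ["x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
                "-CAcreateserial", "-days", "1", "-out", crt]
        if ext:
            args += ["-extfile", ext]
        _openssl(*args)
        paths[name + "_key"], paths[name + "_cert"] = key, crt
    return paths


def server_context(paths):
    """Server that demands a client certificate chained to the lab CA
    (the role IIS 5 'require client certificates' plays in the thread)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(paths["server_cert"], paths["server_key"])
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(paths["ca"])
    return ctx


def client_context(paths, with_client_cert):
    """Client that trusts the lab CA and checks the server host name;
    optionally presents the client certificate together with its key."""
    ctx = ssl.create_default_context(cafile=paths["ca"])
    if with_client_cert:
        ctx.load_cert_chain(paths["client_cert"], paths["client_key"])
    return ctx


def cert_file_alone_loads(paths):
    """A certificate file without its private key is not a client credential:
    loading it as one fails before any handshake takes place."""
    ctx = ssl.create_default_context(cafile=paths["ca"])
    try:
        ctx.load_cert_chain(paths["client_cert"])  # no private key anywhere
        return True
    except ssl.SSLError:
        return False


def handshake(server_ctx, client_ctx, hostname="localhost"):
    """Drive both sides of one TLS handshake through in-memory BIOs.
    Returns {"ok": True} or {"ok": False, "error_type": ..., "error": ...}."""
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    c_done = s_done = False
    try:
        for _ in range(10):  # each iteration shuttles one flight each way
            if not c_done:
                try:
                    client.do_handshake()
                    c_done = True
                except ssl.SSLWantReadError:
                    pass
            data = c_out.read()
            if data:
                s_in.write(data)
            if not s_done:
                try:
                    server.do_handshake()
                    s_done = True
                except ssl.SSLWantReadError:
                    pass
            data = s_out.read()
            if data:
                c_in.write(data)
            if c_done and s_done:
                return {"ok": True}
        return {"ok": False, "error_type": "Stalled", "error": "handshake stalled"}
    except ssl.SSLError as e:
        return {"ok": False, "error_type": type(e).__name__, "error": str(e)}


def run_scenarios():
    """The three handshakes from the thread: success with a client credential,
    rejection by the server without one, and the client-side 'trust
    relationship' failure when the URL host does not match the server cert."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_test_pki(d)
        srv = server_context(paths)
        return {
            "mutual": handshake(srv, client_context(paths, True)),
            "no_client_cert": handshake(srv, client_context(paths, False)),
            "hostname_mismatch": handshake(srv, client_context(paths, True),
                                           hostname="wrong.example"),
            "cert_file_alone_loads": cert_file_alone_loads(paths),
        }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Running it prints one line per scenario: the mutual case completes, the no-credential case fails on the server side because the peer returned no certificate, and the wrong-host case fails on the client side with a certificate verification error before any client certificate is ever sent. The last line reports that the certificate-only file could not be loaded as a credential at all. The point for the thread is that the two error messages Mitch sees come from opposite ends of the handshake: a 403 (or an openssl verify failure) means the server never received an acceptable client certificate, while "could not establish trust relationship" means the client rejected the server's certificate for the host name used in the URL.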