Re: ClientCertificates and IIS5 with https://localhost

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/28/05


Date: Mon, 28 Mar 2005 08:40:25 -0600

I would also be curious to find out whether it is really possible to get 1.1
SP1 to allow a client certificate to be used from the machine store. Based
on my examination of the code, it would appear that the prevalidation of
client certificates only runs against the MY store.

Can anyone verify?

Joe K.

"Michel Gallant" <neutron@istar.ca> wrote in message
news:%239o4AZwMFHA.508@TK2MSFTNGP12.phx.gbl...
> With the kind help of Joe Kaplan, I think we have made some
> progress on this problem. Joe was looking at .NET code with
> Reflector and noticed that the CryptAcquireCertificatePrivateKey()
> call was using a "silent" flag!
>
> This suggested that a call to access a client cert with *Strong* protection
> (i.e. password protected access via DPAPI to private key) would fail.
> So, I removed my client cert from CU / MY store (which I always protect with
> Strong import protection) and reimported without the extra pswd protection and
> VOILA ... the .NET client works properly.
>
> So, the upshot of this is that it appears that the .NET 1.1 sp1 underlying class
> implementation of the following code, for a SSL request to an SSL server
> requiring client-certificate :
>
> req.ClientCertificates.Add(jscert);
> resp = (HttpWebResponse)req.GetResponse();
>
> will fail, if the private key access for jscert is password protected (i.e. Strong
> protection on import).
> It is easy to understand why this may have been implemented (for asp.net
> processes where no UI is available).
> Further, the client cert (and matching private key) must be loaded to the
> Current User store (and NOT the Local Machine store).
>
> So this clearly calls for better documentation on the ClientCertificates.Add and
> HttpWebResponse.GetResponse() methods for the case of SSL with required client
> certificates. Specifically, how the .NET underlying implementation has changed
> with release level:
>
> .NET 1.0
> .NET 1.1
> .NET 1.1 sp1
> .NET 2.0 beta
>
> I noticed via google searches that some earlier postings *did* report seeing
> the password dialogs. So it would be interesting to note what .NET fcl those
> were using .. e.g.
> http://groups-beta.google.com/group/microsoft.public.dotnet.framework/browse_frm/thread/2b51994cc7d4e9b4/732dc492b164eb31?q=ClientCertificates++HttpWebResponse+group:microsoft.public.dotnet.*&rnum=5#732dc492b164eb31
>
> Cheers,
> - Mitch Gallant
> MVP Security
> www.jensign.com
>
>
> "Michel Gallant" <neutron@istar.ca> wrote in message
> news:uIIhdlmMFHA.1392@TK2MSFTNGP10.phx.gbl...
>> I have done more testing on this and I'm almost certain the problem
>> is with a .NET 1.1 console application trying to negotiate the SSL handshake
>> for client-certificate and access to the associated private key in the CU /MY
>> store.
>> I tried also using openssl SSL server and same client cert:
>> openssl s_server -accept 443 -cert server.pem -Verify 2 -WWW
>> with essentially identical (failed to provide client certificate) results.
>> The .NET client console app refuses to send a certificate (yet, IE 6 running
>> on same machine, using SAME client certificate, works fine with either IIS 5
>> or Openssl running as SSL servers requiring client certs.
>>
>> Also tried moving the client cert/key to the LM / MY store, but still no success.
>> Also, installed fresh .NET 1.1 runtime on a clean XP sp2 system, imported from
>> pfx the same client cert/key into CU / MY store and ran the same .NET 1.1
>> client app again .. still same problem.
>>
>> Is there some issue with user profile or impersonation when using a .NET 1.1
>> console application? The following article discusses this, but for asp.net
>> applications which is different :
>>
>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod27.asp
>>
>> Here is a very simple .NET 1.1 SSL client code:
>> http://www.jensign.com/cryptodev/clientcert.txt
>>
>> Any suggestions on changes? Can someone else compile and test this
>> against an SSL server?
>>
>> Thanks,
>> - Mitch
>>
>> "Michel Gallant" <neutron@istar.ca> wrote in message
>> news:%23IxS2ZYMFHA.1268@TK2MSFTNGP14.phx.gbl...
>> > I have seen a number of postings with problems similar to this:
>> >
>> > W2k Pro sp4 fully patched
>> > IIS 5 web service: ssl enabled; requiring client certificates
>> > Running on same machine as client
>> >
>> > Client .NET 1.1 console application in C#:
>> > (certfile is also a valid certificate in CU MY store .. with
>> > associated private key available)
>> >
>> > .....
>> > X509Certificate jscert = X509Certificate.CreateFromCertFile(certfile);
>> > HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
>> > req.ClientCertificates.Add(jscert);
>> > HttpWebResponse resp = (HttpWebResponse)req.GetResponse();
>> > ... stream response
>> >
>> > the url is specified as https://localhost/somwebpage
>> >
>> > but the C# client console application, running as current user, does not
>> > appear to have access to the private key and the SSL negotiation for client
>> > certificate fails:
>> >
>> > System.Net.WebException: The remote server returned an error: (403) Forbidden.
>> >
>> > If I change the host name from "localhost" to "<mymachinename>" (as suggested
>> > by a previous posting) the error message changes to:
>> >
>> > System.Net.WebException: The underlying connection was closed: Could not
>> > establish trust relationship with remote server.
>> >
>> > HOWEVER, exactly the same url, accessed from same machine and user context
>> > with IE6 browser does properly raise the private key password access for
>> > same certificate.
>> >
>> > Any ideas? I haven't explicitly imported my certificate/pvk into the
>> > LocalMachine store (yet) but I understand that .NET 1.1 implementation of
>> > req.GetResponse() when an SSL client cert negotiation is required is to
>> > (internally) check BOTH CU and LM stores for certificates-with-private-keys
>> > matching the certificate file specified in CreateFromCertFile(certfile).
>> >
>> > Are there any TEST SSL servers on the Internet which require client
>> > certificate authentication?
>> >
>> > - Mitch Gallant
>> >
>> >
>>
>>
>
>
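As an added illustration (not code from the thread) of the two conditions Mitch reports, the following check looks the certificate up in CurrentUser\My and tries to open its private key before handing it to ClientCertificates.Add, so a strongly protected or missing key is reported up front instead of surfacing as a 403 or a dropped handshake. It assumes the .NET 2.0 X509Certificate2/X509Store API (the thread's .NET 1.1 code only has X509Certificate.CreateFromCertFile); FindUsableClientCert is a hypothetical helper name.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread. Assumes the .NET 2.0 X509Store API.
static class ClientCertCheck
{
    // Find the cert from certFile in CurrentUser\My (the only store the thread
    // found to work) and verify its private key opens without UI, i.e. without
    // the "strong" DPAPI protection a silent CryptAcquireCertificatePrivateKey
    // call cannot satisfy.
    public static X509Certificate2 FindUsableClientCert(string certFile)
    {
        X509Certificate2 fromFile = new X509Certificate2(certFile);
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, fromFile.Thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Cert not in CurrentUser\\My; LocalMachine\\My is not consulted.");
            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key associated with cert.");
            try
            {
                // Opening the key container here prompts or throws for a strongly
                // protected key, rather than failing silently inside the handshake.
                if (cert.PrivateKey == null)
                    throw new CryptographicException("private key not accessible");
            }
            catch (CryptographicException e)
            {
                throw new InvalidOperationException(
                    "Private key cannot be opened silently (strong protection?): " + e.Message);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)   // usage: ClientCertCheck cert.cer https://host/page
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(args[1]);
        req.ClientCertificates.Add(FindUsableClientCert(args[0]));
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine(resp.StatusCode);
    }
}
```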