c# - WebApi HttpClient not sending client certificate

Question

I am trying to secure my RESTful WebApi service with ssl and client authentication using client certificates.

To test; I have generated a self signed certificate and placed in the local machine, trusted root certification authorities folder and i have generated a "server" and "client" certificates. Standard https to the server works without issue.

However I have some code in the server to validate the certificate, this never gets called when I connect using my test client which supplies my client certificate and the test client is returned a 403 Forbidden status.

This imples the server is failing my certificate before it reaches my validation code. However if i fire up fiddler it knows a client certificate is required and asks me to supply one to My DocumentsFiddler2. I gave it the same client certificate i use in my test client and my server now works and received the client certificate i expect! This implies that the WebApi client is not properly sending the certificate, my client code below is pretty much the same as other examples i have found.

    static async Task RunAsync()
    {
        try
        {
            var handler = new WebRequestHandler();
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(GetClientCert());
            handler.ServerCertificateValidationCallback += Validate;
            handler.UseProxy = false;

            using (var client = new HttpClient(handler))
            {
                client.BaseAddress = new Uri("https://hostname:10001/");

                client.DefaultRequestHeaders.Accept.Clear();
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/xml"));

                var response = await client.GetAsync("api/system/");
                var str = await response.Content.ReadAsStringAsync();

                Console.WriteLine(str);
            }
        } catch(Exception ex)
        {
            Console.Write(ex.Message);
        }
    }

Any ideas why it would work in fiddler but not my test client?

Edit: Here is the code to GetClientCert()

private static X509Certificate GetClientCert()
    {            
        X509Store store = null;
        try
        {
            store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);

            var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Integration Client Certificate", true);

            if (certs.Count == 1)
            {
                var cert = certs[0];
                return cert;
            }
        }
        finally
        {
            if (store != null) 
                store.Close();
        }

        return null;
    }

Granted the test code does not handle a null certificate but i am debugging to enssure that the correct certificate is located.

Answer 1

There are 2 types of certificates. The first is the public .cer file that is sent to you from the owner of the server. This file is just a long string of characters. The second is the keystore certificate, this is the selfsigned cert you create and send the cer file to the server you are calling and they install it. Depending on how much security you have, you might need to add one or both of these to the Client (Handler in your case). I've only seen the keystore cert used on one server where security is VERY secure. This code gets both certificates from the bin/deployed folder:

#region certificate Add
                // KeyStore is our self signed cert
                // TrustStore is cer file sent to you.

                // Get the path where the cert files are stored (this should handle running in debug mode in Visual Studio and deployed code) -- Not tested with deployed code
                string executableLocation = Path.GetDirectoryName(AppDomain.CurrentDomain.RelativeSearchPath ?? AppDomain.CurrentDomain.BaseDirectory);

                #region Add the TrustStore certificate

                // Get the cer file location
                string pfxLocation = executableLocation + "\Certificates\TheirCertificate.cer";

                // Add the certificate
                X509Certificate2 theirCert = new X509Certificate2();
                theirCert.Import(pfxLocation, "Password", X509KeyStorageFlags.DefaultKeySet);
                handler.ClientCertificates.Add(theirCert);
                #endregion

                #region Add the KeyStore 
                // Get the location
                pfxLocation = executableLocation + "\Certificates\YourCert.pfx";

                // Add the Certificate
                X509Certificate2 YourCert = new X509Certificate2();
                YourCert.Import(pfxLocation, "PASSWORD", X509KeyStorageFlags.DefaultKeySet);
                handler.ClientCertificates.Add(YourCert);
                #endregion

                #endregion

Also - you need to handle cert errors (note: this is BAD - it says ALL cert issues are okay) you should change this code to handle specific cert issues like Name Mismatch. it's on my list to do. There are plenty of example on how to do this.

This code at the top of your method

// Ignore Certificate errors  need to fix to only handle 
ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;

Method somewhere in your class

private bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
    {
        // Ignore errors
        return true;
    }

Answer 2

Ran into this identical issue myself. With a .net Framework 4.8 client it worked fine. With .net 6 core, it behaved exactly as you described. Even had the exact same behavior with fiddler.

I was using HttpClientHandler, not WebRequestHandler, but I assume the cause is the same. 

HttpClient internally has a SocketsHttpHandler that does not appear to be accesible via any properties, but can be passed to the HttpClient in the constructor.

SocketsHttpHandler default sslOptions specify "AllowRenegotioation = false". This prevents it from supplying the client cert when it gets the certificate request message.

To overcome this you can create you httpClient like so

var sslOptions = new SslClientAuthenticationOptions

 {

      RemoteCertificateValidationCallback = delegate { return true; }, // Obviously this is just for testing

      AllowRenegotiation = true,

      ClientCertificates = new X509Certificate2Collection(certificate)

  };

  var handler = new SocketsHttpHandler()

  {

      SslOptions = sslOptions,

   };

   httpClient = new HttpClient(handler);