certificate based web call fails under iis (urgent!)

[oliharvey]

hallo -
I am making a web request (actually a web service call) from within my
web service.

this works fine under the developement web server - but fails under
IIS with:

anyone have any suggestions?

I have tried various impersonation / permissions scenarios with no
success.

This is urgent as I'm currently looking like a tit that doesn't know
what he's doing!

thanks,
Oli.

the code is trivial:

_x509Certificate = new X509Certificate(fullFilePath, password);
..
..
requester.ClientCertificates.Add(_x509Certificate);

 

[Larry Bud]

hallo -
I am making a web request (actually a web service call) from within my
web service.

this works fine under the developement web server - but fails under
IIS with:


anyone have any suggestions?

I have tried various impersonation / permissions scenarios with no
success.

This is urgent as I'm currently looking like a tit that doesn't know
what he's doing!

thanks,
Oli.

the code is trivial:

_x509Certificate = new X509Certificate(fullFilePath, password);
.
.
requester.ClientCertificates.Add(_x509Certificate);

Did you google it? Lots of stuff got returned

http://www.google.com/search?source...rted:+Could+not+create+SSL/TLS+secure+channel

 

[oliharvey]

hi Larry - yeah been googling most of the afternoon - been stuck on
this ~ 4 hours now

O.

 

[oliharvey]

I have not installed the certificate in any "certificate store" - it
get's loaded directly off the file system as per:

_x509Certificate = new X509Certificate(fullFilePath, password);

is there some "microsoft way" that I (begrudgingly) have to follow
here? - to my knowledge the cert *must* be loaded from the file system
- but what a lot of other people seem to do is store it, then export
it....

running XP pro.

desperate....

O.

 

[oliharvey]

I think this may be failing under IIS because the certificate is not
valid.

*I already know the certificate is not valid and still want to use
it ! *

I think it's not valid because it is not signed by a CA such as
Verisign.

if I work directly with the Certificate Store like this:

X509Store store = new X509Store(StoreName.Root,
StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col =
store.Certificates.Find(X509FindType.FindByIssuerName, "SAVVIS",true);

I can use that last parameter in "Find" to return only valid Certs -
hence indicating that the cert is not valid (there's surely a better
way).

I think it's perfectly reasonable to use an invalid cert in this way -
anyone got any comments on that - or suggestions on where to go from
here?

ta,
O.

 

[oliharvey]

**** FIXED **** !!!!


.....sort of

in order to get this to work (summary: Certificate based security
calling web service from within a web service - only broken under IIS
- works find under dev. server):

- install cert in local machine certificate store
- give ASPNET account permissions on that cert:
winhttpcertcfg.exe -g -c LOCAL_MACHINE\Root -s "SAVVIS" -a
"ASPNET"

....this gives me a deployment and managability headache grrrr. under
the .net 2.0 dev server I don't need any of this, and can read the
cert directly from disk. If anyone has any ideas how to do that under
IIS *please contact me* !!

O.