X509Certificate not passed to webservice.

Discussion in 'ASP .Net Web Services' started by Matthew, Oct 28, 2004.

  1. Matthew

    Matthew Guest

    Hi all,

    I have the following scenario (XP / IIS 5, FX v1.1.4322). Both the
    client app and web service are running on my local development
    machine.

    I am using a straightforward HTTPWebRequest, and WSE 2 to add an X509
    certificate, as follows:

    ==================================================================
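    ' Requires: Imports System.Net, System.Security.Cryptography,
    '           Microsoft.Web.Services2.Security.X509
    Private Function CreateWebRequest() As HttpWebRequest

        ' WebRequest.Create returns a WebRequest, so cast it explicitly
        Dim objRequest As HttpWebRequest = _
            CType(WebRequest.Create(m_URL & "/" & m_Operation), HttpWebRequest)

        SetProxy(objRequest.Proxy)

        objRequest.Method = "POST"
        objRequest.ContentType = "application/x-www-form-urlencoded"
        objRequest.Timeout = 300000

        ' Open the local machine root store (WSE 2 X509CertificateStore)
        Dim certStore As X509CertificateStore
        certStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.RootStore.ToString)
        certStore.OpenRead()

        ' Attach the first certificate whose subject matches "XYZ";
        ' nothing is added when no match is found
        Dim cert As X509Certificates.X509Certificate
        If certStore.FindCertificateBySubjectString("XYZ").Count > 0 Then
            cert = certStore.FindCertificateBySubjectString("XYZ")(0)
            objRequest.ClientCertificates.Add(cert)
        End If

        Return objRequest

    End Function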

    ==================================================================

    This is using a test cert generated with makecert, and imported into
    the local machine root store. When in debug mode, I can see the cert
    is retrieved and added to the request's clientcertificates collection
    fine.

    However, when inspecting the Context.Request.ClientCertificate property
    in the WebService code, there is only an HttpClientCertificate object
    there with its properties unpopulated. (This seems to be present
    irrespective of whether or not the certificate is added client side.)

    I have attempted a similar exercise with the following test code which
    I found here : http://www.15seconds.com/issue/020312.htm
    to test a straightforward web service scenario, with the same result.
    (The cert does not seem to be passed to the service...)

    ==================================================================

    private void TestService_Click(object sender, System.EventArgs e)
    {
        CSWebservices.CCWebservice objws;
        objws = new CSWebservices.CCWebservice();

        // Load the certificate from a .cer file and attach it to the proxy
        X509Certificate objCert;
        objCert = X509Certificate.CreateFromCertFile("xyz.cer");

        objws.ClientCertificates.Add(objCert);

        CSWebservices.ClientCertificateDetails objCertDetails;
        objCertDetails = objws.GetCertificateDetails();
    }

    ==================================================================

    Server Side:

    [WebMethod]
    public ClientCertificateDetails GetCertificateDetails()
    {
        // Certificate IIS received with the request, if any
        HttpClientCertificate objCertificate =
            HttpContext.Current.Request.ClientCertificate;
        ClientCertificateDetails objCertificateDetails =
            new ClientCertificateDetails();

        // Copy each property into the return type
        objCertificateDetails.Cookie = objCertificate.Cookie;
        objCertificateDetails.IsPresent = objCertificate.IsPresent;
        objCertificateDetails.Issuer = objCertificate.Issuer;
        objCertificateDetails.IsValid = objCertificate.IsValid;
        objCertificateDetails.KeySize = objCertificate.KeySize;
        objCertificateDetails.SecretKeySize = objCertificate.SecretKeySize;
        objCertificateDetails.SerialNumber = objCertificate.SerialNumber;
        objCertificateDetails.ServerIssuer = objCertificate.ServerIssuer;
        objCertificateDetails.ServerSubject = objCertificate.ServerSubject;
        objCertificateDetails.ValidFrom = objCertificate.ValidFrom;
        objCertificateDetails.ValidUntil = objCertificate.ValidUntil;

        return objCertificateDetails;
    }

    ======================================================================

    If I configure IIS to require Client certificates: I experience HTTP
    403.7 ( cert required ) errors.

    Any ideas / pointers would be appreciated.

    Thanks,

    Matthew
     
    Matthew, Oct 28, 2004
    #1

  2. Matthew

    Guest Guest

    Did you install SSL Cert on your machine running IIS?

    Chew


    User submitted from AEWNET (http://www.aewnet.com/)
     
    Guest, Nov 4, 2004
    #2

  3. Matthew

    chew Guest

    Did you install SSL Cert on your machine running IIS?

    Chew

     
    chew, Nov 4, 2004
    #3
  4. Matthew

    Matthew Guest

    Hi

    Yes. I have a test certificate running on IIS and the web service is
    configured to require SSL.
    I am overriding cert warnings with the implementation of a custom
    CertificatePolicy, client side.

    My first thought was that, unless I set up the service to require
    client certificates, the certificate wouldn't be sent with the
    request. So I set up IIS to require client certificates. With that
    configuration, I got the 403.7 HTTP Error referred to in my first
    post.

    Still a bit baffled on this one.

    I have also installed the root certificate for the test client
    certificate which I generated with makecert.exe (Root Agency), into
    the Local Machine Trusted Certification Authorities store.

    I also edited the certificate trust list on IIS to include the
    relevant client certificate.

    All this ... and the same result. Either the client certificate doesn't
    seem to be sent, or if the service requires a client certificate then
    a 403 error.

    I wonder if the issue is that IIS is looking in the local user store,
    as opposed to the local machine store, to determine whether it
    recognizes the root CA....? Guess I'll give that a go.

    Thanks..
     
    Matthew, Nov 5, 2004
    #4
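
An added example, not part of the thread and not any poster's code: a client-side preflight that lists reasons a certificate cannot be used for SSL/TLS client authentication, the first being a missing private key, which a bare .cer file or a copy held only in a root store does not carry. It assumes .NET 2.0 or later (X509Certificate2, X509Store) rather than the FX 1.1 / WSE 2 APIs used above; the subject "XYZ" is taken from the first post, and ClientCertPreflight and Check are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; ClientCertPreflight and Check are hypothetical names.
public static class ClientCertPreflight
{
    // Returns the reasons a certificate cannot be used for client
    // authentication; an empty list means the preflight passed.
    public static List<string> Check(X509Certificate2 cert, DateTime now)
    {
        var problems = new List<string>();

        // The client proves possession of the private key during the
        // handshake; a public-only certificate cannot be presented.
        if (!cert.HasPrivateKey)
            problems.Add("no private key associated with this certificate");

        // NotBefore / NotAfter are reported in local time.
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add("outside validity period");

        // If an EKU extension exists it must allow Client Authentication.
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            bool clientAuth = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == "1.3.6.1.5.5.7.3.2") clientAuth = true;
            if (!clientAuth)
                problems.Add("EKU present but lacks Client Authentication");
        }
        return problems;
    }

    public static void Main()
    {
        // Personal store of the account that runs the client application.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindBySubjectName, "XYZ", false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("no certificate with subject XYZ"); return; }
        foreach (string p in Check(found[0], DateTime.Now)) Console.WriteLine("FAIL: " + p);
    }
}
```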