Client Certificate Validation

I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file
as a POST to my ASP.Net listener. All of this works fine. Now I am looking at how to validate the clients certificate programmatically. The client
application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is there. Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not
showing up in the ClientCertficate object as I am really hoping to keep this project small by staying in the same language environment.

Thanks,

Matt

Matt,

Sounds like a webserver config issue. Is your IIS application setup to
accept or require client certificates? Do you use 1-1 or 1-many certificate mapping to log the user on? Is the certificate issued by a CA trusted by
the IIS LocalSystem (i.e., computer) account. In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp
-Steve Jansen

"Matt Frame" <ma**@sorvive.com> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...

I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file as a POST to my ASP.Net listener. All of this works fine. Now I am

looking

at how to validate the clients certificate programmatically. The client
application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is

there.

Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not showing up in the ClientCertficate object as I am really hoping to keep

this

project small by staying in the same language environment.

Thanks,

Matt

Steve,

My IIS settings are set to require encryption and require client
certificate. I think you are misunderstanding what I am doing. This
application does not use browsers in any way and I am not using the system
to log a user into our server. My client uses WebMethods and they require
that I receive their certificate on the POST and validate it against the
same certificate I put into my certificate store but I need to be able to
get to the client certificate on their POST for other reasons and that is
why I am expecting to get it with Request.ClientCertificate.

The problem may be that I am sending and receiving on the same development
workstation but I would assume that the certificate would be returned from
the call to Request.ClientCertificate any time.

Thanks,

Matt
"Steve Jansen" <st*****@dev.nul> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...

Matt,

Sounds like a webserver config issue. Is your IIS application setup to
accept or require client certificates? Do you use 1-1 or 1-many

certificate

mapping to log the user on? Is the certificate issued by a CA trusted by

the IIS LocalSystem (i.e., computer) account. In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp

-Steve Jansen

"Matt Frame" <ma**@sorvive.com> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...

I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file as a POST to my ASP.Net listener. All of this works fine. Now I am

looking

at how to validate the clients certificate programmatically. The client application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest) myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is

there.

Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not showing up in the ClientCertficate object as I am really hoping to

keep this

project small by staying in the same language environment.

Thanks,

Matt