By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,904 Members | 925 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,904 IT Pros & Developers. It's quick & easy.

Client Certificate Validation

P: n/a
I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file
as a POST to my ASP.Net listener. All of this works fine. Now I am looking
at how to validate the clients certificate programmatically. The client
application sends to me with something like:
....
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
....

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is there.
Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not
showing up in the ClientCertficate object as I am really hoping to keep this
project small by staying in the same language environment.

Thanks,

Matt

Nov 17 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Matt,

Sounds like a webserver config issue. Is your IIS application setup to
accept or require client certificates? Do you use 1-1 or 1-many certificate
mapping to log the user on? Is the certificate issued by a CA trusted by
the IIS LocalSystem (i.e., computer) account. In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp

-Steve Jansen

"Matt Frame" <ma**@sorvive.com> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...
I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file
as a POST to my ASP.Net listener. All of this works fine. Now I am looking at how to validate the clients certificate programmatically. The client
application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is there. Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not
showing up in the ClientCertficate object as I am really hoping to keep this project small by staying in the same language environment.

Thanks,

Matt

Nov 17 '05 #2

P: n/a
Steve,

My IIS settings are set to require encryption and require client
certificate. I think you are misunderstanding what I am doing. This
application does not use browsers in any way and I am not using the system
to log a user into our server. My client uses WebMethods and they require
that I receive their certificate on the POST and validate it against the
same certificate I put into my certificate store but I need to be able to
get to the client certificate on their POST for other reasons and that is
why I am expecting to get it with Request.ClientCertificate.

The problem may be that I am sending and receiving on the same development
workstation but I would assume that the certificate would be returned from
the call to Request.ClientCertificate any time.

Thanks,

Matt
"Steve Jansen" <st*****@dev.nul> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Matt,

Sounds like a webserver config issue. Is your IIS application setup to
accept or require client certificates? Do you use 1-1 or 1-many certificate mapping to log the user on? Is the certificate issued by a CA trusted by
the IIS LocalSystem (i.e., computer) account. In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp
-Steve Jansen

"Matt Frame" <ma**@sorvive.com> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...
I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file as a POST to my ASP.Net listener. All of this works fine. Now I am

looking
at how to validate the clients certificate programmatically. The client
application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest)
myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is

there.
Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not showing up in the ClientCertficate object as I am really hoping to keep

this
project small by staying in the same language environment.

Thanks,

Matt


Nov 17 '05 #3

P: n/a
Hi Matt,

Sorry for the confusion, but, I do think I understand what you are trying to
do, as I have worked with the exact same scenario.

IIS treats all HTTP clients equally, whether they are a browser or a simple
telnet client issuing HTTP request headers on port 80. So, the IIS
configuration was worth bringing up. It sounds like you have everything
configured correctly.

It is interesting that you are using a single machine for testing. I
believe I saw this problem before with using localhost, in that the CN of
the SSL certificate does not match the server name. You may want to check
out
http://msdn.microsoft.com/library/de...e&hidetoc=true,
which instructs you to either use the .NET 1.1 config setting:

<system.net>
<settings>
<servicePointManager
checkCertificateName="true"
/>
</settings>
</system.net>

or create a class that implements ICertificatePolicy and returns true in a
name mismatch scenario. It would interesting to know if this solves your
problem on the client:
....
System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
....
public class MyPolicy : ICertificatePolicy {
public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate
certificate, WebRequest request, int certificateProblem) {
return true; // always return true for testing
// Check for policy common name mismatch.
/* if (certificateProblem == 0 || certificateProblem == 0x800c010f)
return true;
else
return false;
*/
}
}

-Steve

"Matt Frame" <ma**@sorvive.com> wrote in message
news:e$**************@tk2msftngp13.phx.gbl...
Steve,

My IIS settings are set to require encryption and require client
certificate. I think you are misunderstanding what I am doing. This
application does not use browsers in any way and I am not using the system
to log a user into our server. My client uses WebMethods and they require
that I receive their certificate on the POST and validate it against the
same certificate I put into my certificate store but I need to be able to
get to the client certificate on their POST for other reasons and that is
why I am expecting to get it with Request.ClientCertificate.

The problem may be that I am sending and receiving on the same development
workstation but I would assume that the certificate would be returned from
the call to Request.ClientCertificate any time.

Thanks,

Matt
"Steve Jansen" <st*****@dev.nul> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl...
Matt,

Sounds like a webserver config issue. Is your IIS application setup to
accept or require client certificates? Do you use 1-1 or 1-many

certificate
mapping to log the user on? Is the certificate issued by a CA trusted by
the IIS LocalSystem (i.e., computer) account. In other words, is the CA
cert installed in the "Certificates (Local Computer)\Trusted Root
Certificate Authorities\Certificates" certificate store?

You might want to check out the Patterns & Practices doc "How To: Set Up
Client Certificates (.NET Framework Security)"

http://msdn.microsoft.com/library/de...SecNetHT17.asp

-Steve Jansen

"Matt Frame" <ma**@sorvive.com> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...
I am working on a special ASP.Net application that receives files from
customers. The connection is made via HTTPS and the client sends the file as a POST to my ASP.Net listener. All of this works fine. Now I am

looking
at how to validate the clients certificate programmatically. The client application sends to me with something like:
...
Dim myHttp As HttpWebRequest =
CType(WebRequest.Create(https://myserver/Receive.aspx), HttpWebRequest) myHttp.Timeout = 300000
myHttp.KeepAlive = True
myHttp.ContentLength = PostData.Length
myHttp.UserAgent = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
myHttp.Method = "POST"
myHttp.AllowAutoRedirect = True

'-- Cert Stuff
Dim cert As X509Certificate =
X509Certificate.CreateFromCertFile("d:\temp\cert\P rodCert.cer")
myHttp.ClientCertificates.Add(cert)

Dim tmpStream As Stream
Try
tmpStream = myHttp.GetRequestStream()
Catch ex As WebException
End Try

tmpStream.Write(PostData, 0, PostData.Length)
tmpStream.Flush()
tmpStream.Close()
...

This process seems to work fine, but then I perform a
Request.ClientCertificate in my Receive.aspx nothing is there. In my
Receive.aspx page I have the following code:

Dim cert as HttpClientCertificate

cert = Request.ClientCertificate

Nothing comes across or at least doesn't seem to populate the
ClientCertificate object. If I use the above client to send data to
another system that is Java based they say the client certificate is

there.
Can Java do something that .Net can't?

I hope someone can shed some light into why the client certificate is not showing up in the ClientCertficate object as I am really hoping to

keep this
project small by staying in the same language environment.

Thanks,

Matt



Nov 17 '05 #4

P: n/a

It depends on which .NET Runtime you've installed - if you work on .NET
1.1, the you have to deploy Service Pack 1 and all will work just fine
(I had the same problem and solve it that way).
Best regards,

George
--
catalinr
------------------------------------------------------------------------
catalinr's Profile: http://www.highdots.com/forums/m1120
View this thread: http://www.highdots.com/forums/t633874

Nov 19 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.