
adarsh's blog

Adarsh Khare works at Microsoft. Everything here, though, is his personal opinion and is not read or approved by Microsoft before it is posted. No warranties or other guarantees will be offered as to the quality of the opinions or anything else offered here.
SSL https requests with client certificates from ASP.NET

Problem

Applications making HTTPS requests from .NET web applications (.aspx pages) are not able to use client certificates.

Cause

Client certificates are linked to user accounts. ASPX pages run under the ASPNET account, and this account can't access certificates installed under a user account or the System account.

The HttpWebRequest implementation only accesses certificates from the account under which the process is running or from the System account. Most of the time, when we install a certificate, it is installed in the current user account.

Possible Solutions

a)      Run the service under the account in which the certificate is installed. In the real world, this is not a feasible solution on production servers.

b)      Install the certificate under the System account and provide access to the ASPNET service account. This can be achieved using the following steps:

        a.       Install the certificate using MMC (Microsoft Management Console) or using the certificate configuration tool as described in the Microsoft KB article (http://support.microsoft.com/?id=823193).

        b.       The tool is available at the following link:

                 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

 

Make sure of the following when installing the certificate:

1)      The certificate contains the private key; otherwise it can't be used for client authentication. .cer certificate files contain only the public key, so you need the certificate as a .pfx or .p12 file.

2)      You are installing the certificate in the "My" store of the System account. The following command is an example of installing a certificate in the "My" store of the "System" account and extending access to the aspnet account. Follow the link above for a more detailed description and usage of the certificate configuration tool.

WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my -a aspnet

 

Note: The solution discussed here works on .NET Framework v1.0 with SP3 or v1.1 with SP1 installed. On previous versions of the framework, client certificates were used only from the current user store, not from the System account.
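
The following is an added example, not code from the original post: it loads the client certificate from the machine "My" store described above, checks the two install conditions (private key present, key readable by the process account), and attaches the certificate to an HttpWebRequest. It assumes .NET Framework 4.6 or later (X509Store and GetRSAPrivateKey do not exist in the v1.0/v1.1 releases the post targets); the thumbprint and URL are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertRequest
{
    // Placeholders (assumptions, not from the post): replace with your own values.
    const string Thumbprint = "0000000000000000000000000000000000000000";
    const string Url = "https://server.example/secure";

    // Load the client certificate from LOCAL_MACHINE\My, the store the post installs into.
    static X509Certificate2 LoadMachineCert(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection hits =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0)
                throw new InvalidOperationException("Certificate not found in LOCAL_MACHINE\\My.");
            X509Certificate2 cert = hits[0];
            // A .cer import carries no private key and cannot authenticate a client.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key; import the .pfx/.p12 file.");
            // HasPrivateKey only says a key is associated. Opening it is what fails with
            // CryptographicException when the process account was not granted access.
            using (RSA key = cert.GetRSAPrivateKey())
                if (key == null)
                    throw new InvalidOperationException("Certificate key is not an RSA key.");
            return cert;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(Url);
            req.ClientCertificates.Add(LoadMachineCert(Thumbprint));
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("HTTP " + (int)resp.StatusCode);
        }
        catch (CryptographicException e) { Console.WriteLine("Private key not readable by this account: " + e.Message); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); } // includes WebException
    }
}
```

Run it under the same account as the web application; running it as an administrator hides a missing key permission.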

 

  • This posting is provided "AS IS" with no warranties, and confers no rights

 

Posted: Monday, July 19, 2004 2:10 PM by adarshk

Comments

Nenad Andjelic said:

"WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my –a aspnet"

The above will not work.

The easiest way is to import client certificate (.p12) using MMC into Certificates (Local Computer)\Personal, import CA certificate (.cer) into Certificates (Local Computer)\Trusted Root Certification Authorities and then grant access to aspnet account using WinHttpCertCfg -g -c LOCAL_MACHINE\my -s "certificate_friendly_name" -a aspnet

Nenad
# January 6, 2006 2:47 PM

X said:

How do I get the mapped account details in code?
# September 25, 2006 1:42 PM

Neeraj Aggarwal said:

Hi

We are trying to access an HTTPS website with a non-pc device. This platform has a very restricted TCP/IP Stack and some basic SSL Features.

This device has examples for using the device as an SSL Server (without client authentication). Please advise.

Regards

na

# December 5, 2006 6:49 AM

Parsi said:

Hi,

I would like to know whether an ASP.NET application requires client certificates while connecting to some https://www.somesite.com? I'm able to connect using a Windows/console-based application, but I am unable to run the application from ASP.NET.

The error is at the req.GetRequestStream(); line. It throws WebException: unable to connect to remote server.

Thanks..

# December 20, 2007 3:26 PM
