SSL https requests with client certificates from ASP.NET

Published 19 July 04 02:10 PM | adarshk 

Problem

Applications making HTTPS requests from .NET web applications (.aspx pages) are not able to use client certificates.

Cause

Client certificates are linked to user accounts. ASPX pages run under the ASPNET account, and this account can't access certificates installed under a user account or the System account.

The HttpWebRequest implementation only accesses certificates from the account under which the process is running or from the System account. Most of the time, when we install a certificate, it is installed in the current user's account.

Possible Solutions

a)      Run the service under the account in which the certificate is installed. In the real world this is not a feasible solution on production servers.

b)      Install the certificate under the System account and grant access to the ASPNET service account. This can be achieved using the following steps:

a.       Install the certificate using MMC (Microsoft Management Console) or using the certificate configuration tool as described in the Microsoft KB article (http://support.microsoft.com/?id=823193).

b.       The tool is available at the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

Make sure of the following when installing the certificate:

1)      The certificate contains the private key; otherwise it can't be used for client authentication. .cer certificate files only contain the public key, so you need a certificate in a .pfx or .p12 file.

2)      You are installing the certificate in the "My" store of the System account. The following command is an example of installing a certificate in the "My" store of the "System" account and extending access to the aspnet account. Follow the link above for a more detailed description and usage of the certificate configuration tool.

WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my -a aspnet

 

Note: The solution discussed here works on .NET Framework v1.0 with SP3 or v1.1 with SP1 installed. On previous versions of the framework, client certificates were used only from the current user store, not from the System account.
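An added example (not code from the original post): one way to use the machine-store certificate from C# and to surface the two failure cases described above, a certificate without a private key and an account that was not granted access to it. It assumes .NET Framework 2.0 or later (X509Store and X509Certificate2 are not available in the v1.x frameworks the post targets); the class name and the thumbprint and URL arguments are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class MachineStoreClientCert
{
    // Loads a client certificate from the "My" store of the local machine and
    // verifies that the current account can actually use its private key.
    public static X509Certificate2 Load(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not in LOCAL_MACHINE\\My.");

            X509Certificate2 cert = found[0];
            // A certificate imported from a .cer file has no private key.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key; import the .pfx/.p12.");
            try
            {
                // Opening the key fails if this account was not granted access.
                if (cert.PrivateKey == null)
                    throw new InvalidOperationException("Private key is unavailable.");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException(
                    "Account '" + Environment.UserName + "' cannot read the private key.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    public static void Main(string[] args)
    {
        // args[0]: certificate thumbprint, args[1]: HTTPS URL (both supplied by you).
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(args[1]);
        req.ClientCertificates.Add(Load(args[0]));
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            Console.WriteLine((int)resp.StatusCode);
    }
}
```

Run it under the same account as the web application; a result from an administrator session says nothing about the ASPNET account's access to the key.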

 

  • This posting is provided "AS IS" with no warranties, and confers no rights

 


Comments

# Nenad Andjelic said on January 6, 2006 2:47 PM:
"WinHttpCertCfg -i mycert.pfx -p certpassword -c LOCAL_MACHINE\my –a aspnet"

The above will not work.

The easiest way is to import the client certificate (.p12) using MMC into Certificates (Local Computer)\Personal, import the CA certificate (.cer) into Certificates (Local Computer)\Trusted Root Certification Authorities, and then grant access to the aspnet account using WinHttpCertCfg -g -c LOCAL_MACHINE\my -s "certificate_friendly_name" -a aspnet

Nenad
# X said on September 25, 2006 1:42 PM:
How do I get the mapped account details in code?
# Neeraj Aggarwal said on December 5, 2006 6:49 AM:

Hi

We are trying to access an HTTPS website with a non-pc device. This platform has a very restricted TCP/IP Stack and some basic SSL Features.

This device has examples for using the device as an SSL Server (without client authentication). Please advise.

Regards

na

# Parsi said on December 20, 2007 3:26 PM:

Hi,

I would like to know whether an ASP.NET application requires client certificates while connecting to some https://www.somesite.com? I'm able to connect using a Windows/console-based application, but I am unable to run the application from ASP.NET.

The error is at the req.GetRequestStream(); line. It throws WebException .. unable to connect to remote server.

Thanks..
