的WebAPI的HttpClient不发送客户端证书 [英] WebApi HttpClient not sending client certificate

问题描述

我想确保我的REST风格的WebAPI服务，SSL和客户端身份验证使用客户端证书。

I am trying to secure my RESTful WebApi service with ssl and client authentication using client certificates.

要测试;我已经生成的自签名证书并将其放置在本地计算机上，受信任的根证书颁发机构文件夹，我已经产生了服务器和客户证书。 标准HTTPS到服务器的工作没有问题。

To test; I have generated a self signed certificate and placed in the local machine, trusted root certification authorities folder and i have generated a "server" and "client" certificates. Standard https to the server works without issue.

不过，我有一些code服务器验证证书，这不会被调用时，我使用我的测试客户端，它提供我的客户证书和测试客户端返回一个403禁止状态。

However I have some code in the server to validate the certificate, this never gets called when I connect using my test client which supplies my client certificate and the test client is returned a 403 Forbidden status.

这imples才达到我的验证code服务器失败我的证件。 但是，如果我火了小提琴手它知道客户端证书是必需的，并要求我提供一个我的文档\ Fiddler2。我把它在我的测试客户端使用相同的客户端证书，我的服务器现在的工作，并获得了客户端证书我期待！ 这意味着客户端的WebAPI没有正确发送的证书，我的客户code以下是pretty的多，我已经找到了相同的其他例子。

This imples the server is failing my certificate before it reaches my validation code. However if i fire up fiddler it knows a client certificate is required and asks me to supply one to My Documents\Fiddler2. I gave it the same client certificate i use in my test client and my server now works and received the client certificate i expect! This implies that the WebApi client is not properly sending the certificate, my client code below is pretty much the same as other examples i have found.

    static async Task RunAsync()
    {
        try
        {
            var handler = new WebRequestHandler();
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(GetClientCert());
            handler.ServerCertificateValidationCallback += Validate;
            handler.UseProxy = false;

            using (var client = new HttpClient(handler))
            {
                client.BaseAddress = new Uri("https://hostname:10001/");

                client.DefaultRequestHeaders.Accept.Clear();
                client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/xml"));

                var response = await client.GetAsync("api/system/");
                var str = await response.Content.ReadAsStringAsync();

                Console.WriteLine(str);
            }
        } catch(Exception ex)
        {
            Console.Write(ex.Message);
        }
    }

任何想法，为什么它会工作的小提琴手，但不是我的测试客户端？

Any ideas why it would work in fiddler but not my test client?

编辑：这是code到GetClientCert（）

Here is the code to GetClientCert()

private static X509Certificate GetClientCert()
    {            
        X509Store store = null;
        try
        {
            store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);

            var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Integration Client Certificate", true);

            if (certs.Count == 1)
            {
                var cert = certs[0];
                return cert;
            }
        }
        finally
        {
            if (store != null) 
                store.Close();
        }

        return null;
    }

当然测试code不处理空证书，但我调试到enssure了正确的证书所在。

Granted the test code does not handle a null certificate but i am debugging to enssure that the correct certificate is located.

推荐答案

是您code以上的提琴手在运行相同的用户帐户下运行？如果不是，它可以访问证书文件但不正确的私钥。同样，什么是你的 GetClientCert（）函数返回？具体而言，它有一个 PrivateKey 属性设置？

Is your code above running in the same user account that Fiddler's running in? If not, it may have access to the certificate file but not the correct private key. Similarly, what does your GetClientCert() function return? Specifically, does it have the PrivateKey property set?

这篇关于的WebAPI的HttpClient不发送客户端证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！