I’m attempting to use an HttpWebRequest to query a remote server running nginx. I need to provide a client certificate to complete the connection.
I’m doing the following:
Dim Request As HttpWebRequest = DirectCast(WebRequest.Create(Url), HttpWebRequest)
Dim Cert = SSL.GetClientCertificate()
Request.ClientCertificates.Clear()
Request.ClientCertificates.Add(Cert)
Dim Response As WebResponse = Request.GetResponse()
(SSL.GetClientCertificate is just a helper method which opens the My store on the Local machine and retrieves the appropriate certificate (as an X509Certificate2). The correct certificate is being returned. I’ve also tried just loading in the certificate from a file with identical results.)
As things stand, when I get to the Dim Response As... and it actually attempts to open the connection, I get a 400 Bad Request returned with the following body:
400 Bad Request
No required SSL certificate was sent
-----------------------------------
nginx/1.0.10
We’re using our own CA which has a certificate in the LocalMachine\TrustedRootCertificationAuthorities on my machine. The client certificate is valid but fails verification as our CA doesn’t expose an OCSP endpoint. If I create an X509Chain and ask it to verify the chain without checking for revocation, everything passes.
So my question is… Why isn’t the certificate being sent with the request? I don’t believe it should be attempting to verify the client certificate before sending it (that’s the servers job).
I won’t deluge you in Wireshark logs but the client isn’t sending the certificate. In short, I get …
- [Out] Client Hello
- [In] Server Hello
- [In] Certificate
- [In] Server Hello Done
- [Out] Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
- [In] Change Cipher Spec, Encrypted Handshake Message
- [Out] Application Data (Presumably the GET request)
- [In] Application Data (Presumably the 400)
- [In] Encrypted Alert (Terminates the channel)
I think nginx is doing something clever where instead of dying when I fail to send the certificate, it renegotiates to allow it to send a 400 response body (instead of failing to create a channel in the first place)
In any case, I’m not sending the certificate which is the real issue. Does anyone know why?
In case it helps, nginx’s logs insist no certificate is being sent (as opposed to a cert being invalid):
2012/11/22 14:16:26 [info] 27755#0: *799 client sent no required SSL certificate while reading client request headers, client: 10.0.0.200, server: 10.0.0.100, request: "GET /state HTTP/1.1", host: "10.0.0.100"
Please do not use the code below – it’s inefficient, unreliable and was only used for testing
Re: Getting the Certificate:
Public Shared Function GetClientCertificate() As X509Certificate2
Dim Store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
Dim Ret As X509Certificate2 = Nothing
Try
Store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
For Each Certificate In Store.Certificates
If Certificate.SubjectName.Name = "The subjectname of our certificate" Then
Ret = Certificate
Exit For
End If
Next
Finally
Store.Close()
End Try
Return Ret
End Function
You need a certificate with an accessible private key in order to be able to use it as client (or server, for that matter) certificate.
It is OK to store the certificate in the machine certificate store, as long as you grant any user that requires to use the certificate access to its private keys. You cannot authenticate a client using a .cer, because that only contains the public key. You can test everything by installing the client certificate for your user, and accessing the URL using a browser. If you get a popup to select the certificate, it’s installed correctly (for that user).