Securing Web Services with SSL Client Certificates

I am posting this in the hopes that other poor souls writing .Net web service proxies to consume web services that require SSL client certificate authentication won’t waste days trying to figure out why their code isn’t working like every single related article on the web says it should.

According to just about every bit of information I could find on the web about using SSL client certificates with web service proxies, the following code should work:

Imports System.Security.Cryptography.X509Certificates
' Load the certificate from a .cer file and attach it to the generated web service proxy
Dim objCertificate As X509Certificate = X509Certificate.CreateFromCertFile("C:\MyClientCert.cer")
proxy.ClientCertificates.Add(objCertificate)

But that didn’t work for me, at least not out-of-the-box.

A bit more Googling uncovered this blog post by Kevin Hammond. The important points in his post were:

First, the certificate with the private key must be imported into your personal store.

When you import your certificate into the certificate store, you are presented with the option to “Enable strong private key protection.” … Unfortunately, enabling this option causes the .NET Framework to silently fail when accessing the private key of your certificate.

While this did not solve my problem (I had already done both of these things), it led me to learn a bit more about this “personal store”. Among the things I learned is that there is a utility called WinHttpCertCfg.exe that can be used to manage the permissions of the certificate stores on your computer. Since my web service proxy was being called from an ASP.Net web page, the ASPNET user had to be given access to the certificate store containing the SSL client certificate.

But my SSL client certificate authentication was still not working. It had taken me the better part of a day to get to this point. What ended up taking me nearly three days to figure out was that there are a number of ways to import SSL certificates into a certificate store, but only one way would work for my web service proxy. The breakthrough came from Matthew.DelVecchio, who wrote in this newsgroup post:

… added the Certificates snap-in for the MMC windows management utility, and using it to delete my certs, re-add the .PFX into the “Personal” store, then exporting it to a .CER all w/ the MMC snap-in (and not using Control Panels -> Internet Settings or IE).
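The three failure modes above (no private key in the store, the private key not readable by the ASPNET account, strong private key protection enabled) all surface as a silent handshake failure. The following is an added example, not code from the original post or from the posts it quotes, that loads the certificate from the Personal store instead of from a .cer file and checks the private key up front so each of those problems produces a specific error. It assumes .NET Framework 2.0 or later (X509Store and X509Certificate2 do not exist in .NET 1.x), a reference to System.Web.Services.dll, and that the subject name "MyClientCert" and the ASPNET account name are placeholders for your own.

```vbnet
' Added example, not part of the original post. Assumes .NET Framework 2.0 or later.
' The subject name and account name used below are placeholders.
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Web.Services.Protocols

Public Module ClientCertLoader

    ' Finds the client certificate in the Personal ("My") store of the given location and
    ' verifies that a private key is present and readable by the current account.
    Public Function LoadClientCertificate(ByVal subjectName As String, _
                                          ByVal location As StoreLocation) As X509Certificate2
        Dim store As New X509Store(StoreName.My, location)
        store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
        Try
            ' validOnly:=False so an expired or not-yet-trusted certificate is still reported
            ' as "found without private key" rather than as "not found".
            Dim matches As X509Certificate2Collection = _
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, False)
            If matches.Count = 0 Then
                Throw New InvalidOperationException( _
                    "No certificate with subject '" & subjectName & "' in " & location.ToString() & "\My.")
            End If

            Dim cert As X509Certificate2 = matches(0)

            ' A certificate imported from a .cer carries only the public half. SSL client
            ' authentication needs the private key, which only a .PFX import provides.
            If Not cert.HasPrivateKey Then
                Throw New InvalidOperationException( _
                    "Certificate found but it has no private key; re-import the .PFX into the Personal store.")
            End If

            ' Reading PrivateKey opens the CryptoAPI key container now, under the account
            ' running this code. If that account (e.g. ASPNET) has not been granted access, or
            ' strong private key protection is enabled so the key needs interactive consent,
            ' this throws here instead of failing silently inside the SSL handshake.
            ' Access is granted with the documented WinHttpCertCfg.exe syntax, for example:
            '   winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyClientCert -a ASPNET
            Try
                Dim key As AsymmetricAlgorithm = cert.PrivateKey
            Catch ex As CryptographicException
                Throw New InvalidOperationException( _
                    "Private key exists but cannot be opened by this account: " & ex.Message, ex)
            End Try

            Return cert
        Finally
            store.Close()
        End Try
    End Function

    ' Attaches the verified certificate to any wsdl.exe-generated proxy, all of which
    ' derive from SoapHttpClientProtocol and expose ClientCertificates.
    Public Sub AttachClientCertificate(ByVal proxy As SoapHttpClientProtocol, _
                                       ByVal subjectName As String)
        ' LocalMachine is the store an ASP.Net page can reach without a user profile loaded.
        Dim cert As X509Certificate2 = LoadClientCertificate(subjectName, StoreLocation.LocalMachine)
        proxy.ClientCertificates.Add(cert)
    End Sub

End Module
```

Call AttachClientCertificate(proxy, "MyClientCert") before invoking any web method. Loading from the store rather than from the .cer file is what makes the HasPrivateKey check possible; CreateFromCertFile only ever returns the public certificate and leaves it to SChannel to locate the key at handshake time, which is why a missing key or a key-permission problem is invisible from managed code.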

Hope this information helps someone out there save some time (and a little bit of sanity)!
