I have a Web API service (4.5) and I am hoping to use certificate authentication between my client and service.
I have a (.net 3.5 console app) client that calls the Web API service. This has the following code:
//cert is generated from CA
var Cert = X509Certificate2.CreateFromCertFile(@"C:\Certs\MyCert.cer");
var request = WebRequest.Create("http://localhost:51319/api/Customer/1") as HttpWebRequest;
request.ClientCertificates.Add(Cert);
string response = new
StreamReader(request.GetResponse().GetResponseStream()).ReadToEnd();
On the web API side
I am hosting the Web API in IIS 7.5 I have added an Https binding and set IIS to accept certificates and Anon Access.
The Web API service then uses a Delegating Handler that looks for and validates certificate in the request:
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
//IsPresent is always false and there is no certificate present
if(!HttpContext.Current.Request.ClientCertificate.IsPresent)
{
//reject
}
But the problem is My certificate is not present in the request when I arrive on the service side.
sean.esq
Member
2 Points
3 Posts
Web Api with Certificate Security - Certificate not accessible in API
Dec 30, 2012 08:04 PM|LINK
Hi,
I have a Web API service (4.5) and I am hoping to use certificate authentication between my client and service.
I have a (.net 3.5 console app) client that calls the Web API service. This has the following code:
//cert is generated from CA var Cert = X509Certificate2.CreateFromCertFile(@"C:\Certs\MyCert.cer"); var request = WebRequest.Create("http://localhost:51319/api/Customer/1") as HttpWebRequest; request.ClientCertificates.Add(Cert); string response = new StreamReader(request.GetResponse().GetResponseStream()).ReadToEnd();On the web API side
I am hosting the Web API in IIS 7.5 I have added an Https binding and set IIS to accept certificates and Anon Access.
The Web API service then uses a Delegating Handler that looks for and validates certificate in the request:
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { //IsPresent is always false and there is no certificate present if(!HttpContext.Current.Request.ClientCertificate.IsPresent) { //reject }But the problem is My certificate is not present in the request when I arrive on the service side.
Where is it going?!
Thanks for your help.
BrockAllen
All-Star
27524 Points
4902 Posts
MVP
Re: Web Api with Certificate Security - Certificate not accessible in API
Dec 30, 2012 08:09 PM|LINK
.cer files usually just contain the public key. .pfx files contain the pub and private keys.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
sean.esq
Member
2 Points
3 Posts
Re: Web Api with Certificate Security - Certificate not accessible in API
Dec 30, 2012 08:58 PM|LINK
Hi,
Thanks for replying.
I have just updated my client to
but unfortunately I still cant see a certificate in the request, on the server side?
dbaier
Member
264 Points
66 Posts
MVP
Re: Web Api with Certificate Security - Certificate not accessible in API
Dec 31, 2012 10:08 AM|LINK
You should use Request.GetClientCertificate().
also - did you configure the app in IIS to accept or require client certs?
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com
sean.esq
Member
2 Points
3 Posts
Re: Web Api with Certificate Security - Certificate not accessible in API
Jan 02, 2013 07:56 AM|LINK
thanks thats working now. didnt set the ssl certificate setting, and didnt have the private key.