I have a .NET4.5 WebAPI 2 app that uses SSL Client Certificates for some custom security related checks.
When debugging the app, request.GetClientCertificate(
I know it is a bit old but I was facing the same issue and I solved it by following this article:
https://improveandrepeat.com/2017/07/how-to-configure-iis-express-to-accept-ssl-client-certificates/
The problem was a configuration on the IIS server, which can also be modified on IIS Express. I report it here in case the link becomes unavailable.
For IIS change the server configuration file; for IIS Express modify the file under your solution located in .vs\config\applicationhost.config
Search for an XML element called access inside a security element:
<security> <access sslFlags="None" /> </security>
The default configuration has no support for SSL client certificates. You need to modify the sslFlags attribute to include these options: Ssl, SslNegotiateCert, SslRequireCert
<security> <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" /> </security>
The next step is to find the iisClientCertificateMappingAuthentication element:
<iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication>
If you change enabled to true, IIS Express will start accepting client certificates:
<iisClientCertificateMappingAuthentication enabled="true"> </iisClientCertificateMappingAuthentication>
You now need to restart Visual Studio and IIS Express. IIS Express can be restarted using the icon in your system tray.
From now on you will be asked for a client certificate and you can debug the whole application inside Visual Studio. This may not look like a big improvement, but trust me, it makes debugging much simpler.
Hope this helps someone else :-)
Great detailed information about your problem.
I'm going to assume the issue is with attaching the client certificate w/ HttpClient, since you cannot view the certificate on the server side in that situation. All of the hosting and server side certificate configuration sounds good.
I would make sure that the X509Certificate2 cert variable that you are attaching is a public key that exists in your local certificate store (I'm not sure what store location you are storing this in) (you can check using mmc.exe). Also make sure that public key has a private key with it, since the HttpClient will need that to sign the requests.
In your code snippet you have using (var handler = new WebRequestHandler()) before the rest of your code. Make sure you are constructing your HttpClient client = new HttpClient(handler) in the using as well, or the handler will be disposed.
Otherwise the handler creation looks good.
Good luck!
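Putting the two points from this answer together, as an added C# example (not code from the question or either answer): the certificate is loaded from the store, the private-key check is made explicit, and the HttpClient is constructed inside the handler's using block so the handler is still alive when the request is sent. The thumbprint value is a placeholder and the CurrentUser\My store location is an assumption.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

class ClientCertExample
{
    // Placeholder: replace with the thumbprint of the client certificate you installed
    // (you can read it from the certificate's details in mmc.exe).
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";

    static X509Certificate2 LoadClientCertificate()
    {
        // Assumed store location; use whichever store you actually imported the certificate into.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in CurrentUser\\My.");

            var cert = matches[0];
            // The TLS handshake must be signed with the private key; a public-key-only entry will not work.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Client certificate has no associated private key.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    static async Task<string> CallApiAsync(Uri endpoint)
    {
        var cert = LoadClientCertificate();

        // Handler and client share one scope: the client is created while the handler is still live.
        using (var handler = new WebRequestHandler())
        {
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(cert);

            using (var client = new HttpClient(handler))
            {
                var response = await client.GetAsync(endpoint);
                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```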