
Setup: a .NET (4.6) client application connects to a remote SOAP service over HTTPS. The remote service can be configured to require a client certificate or not.

What I am looking for as an answer is any possible explanation of why scenario #2 fails ... the following 3 scenarios were all tested using exactly the same code base, only changing the certificates involved and whether or not a client certificate was required by the service.

Scenario #1 - no client certificate required

  • client connects OK

Scenario #2 - client certificate required, certificate A used

  • certificate A is installed in Windows on client side (local computer store)
  • certificate is valid, 2048 bits, non-wildcard, used successfully for server authentication in another unrelated service, issued by GoDaddy Secure Certificate Authority - G2
  • certificate is shared with the remote party who seem to know what they are doing
  • when client attempts request, handshake fails. On the client side the .NET exception is "The request was aborted: Could not create SSL/TLS secure channel.". On the server side the error is "client failed to present a certificate".

Scenario #3 - client certificate required, certificate B used

  • everything is exactly the same as #2 except a different client certificate is used (B)
  • certificate is valid, 2048 bits, wildcard, used successfully for server authentication in another unrelated service, issued by GeoTrust RSA CA 2018
  • client connects OK

What we can see from logs is that in both scenario #2 and #3, the client and server negotiate to use TLS 1.2.

After running the above multiple times, checking everything, my only conclusion is that certificate A is somehow not compatible with the setup - either the .NET client decides not to present it, or the service cannot accept it. But what could possibly be different/missing?

Laurence
  • As you analyze yourself, the problem may be with a certificate that is incompatible or unrecognized by the server. –  Aug 27 '21 at 05:32
  • Right, but what would make a certificate incompatible or unrecognized, when the same certificate works successfully for server authentication in another unrelated service? – Laurence Aug 27 '21 at 07:05
  • There are many cases where certificates are incompatible. For example: 1. The domain name of the SSL certificate is inconsistent with the website address. 2. Site certificates are not issued by trusted organizations. 3. The website certificate has expired or has not taken effect. 4. The page contains unsafe content. 5. An SSL connection error is displayed when browsing the Web page. –  Aug 31 '21 at 06:28
  • I guess #1 and #2 could apply here - I'll check. The cert has not expired, so not #3. As per the post, the error occurs during the handshake between the WCF client and the SOAP service, so there are no web pages involved here. – Laurence Aug 31 '21 at 08:14
  • Just a guess: have you checked that the client's user account has read access to the private key of certificate A? – Steeeve Aug 31 '21 at 16:51
  • Thanks @Steeeve but the read permissions on cert A and B private keys are identical, and they are in the same Windows store folder. – Laurence Aug 31 '21 at 17:09
  • A packet capture on the client can confirm if a certificate is presented. Also enable and check the Windows CAPI event log. – Greg Askew Sep 04 '21 at 21:46
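A client-side diagnostic that complements the packet-capture suggestion above, added here as an example; it is not code from the question or its comments. It assumes the certificate is in the LocalMachine\My store as the question states and takes its thumbprint as a placeholder command-line argument. The properties it reports (a private key readable by the running account, an Enhanced Key Usage that includes Client Authentication, the digitalSignature key usage, and a chain that builds to a trusted root) are the ones a TLS peer commonly requires of a client certificate; that these are what this particular service checks is an assumption, not something the question confirms.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the question). Reports the properties of a candidate
// client certificate that a TLS peer typically requires before a mutual-TLS
// handshake can complete. Run on the client machine as the account the client uses.
class ClientCertCheck
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth

    static void Main(string[] args)
    {
        // Placeholder: pass the real thumbprint (hex, no spaces) as the first argument.
        string thumbprint = args.Length > 0 ? args[0] : "PLACEHOLDER_THUMBPRINT";
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
            {
                Console.WriteLine("No certificate with that thumbprint in LocalMachine\\My.");
                return;
            }
            foreach (var cert in matches) Report(cert);
        }
    }

    static void Report(X509Certificate2 cert)
    {
        Console.WriteLine("Subject : " + cert.Subject);
        Console.WriteLine("Issuer  : " + cert.Issuer);
        bool inValidity = DateTime.Now >= cert.NotBefore && DateTime.Now <= cert.NotAfter;
        Console.WriteLine("Validity: {0:u} .. {1:u} ({2})", cert.NotBefore, cert.NotAfter,
                          inValidity ? "current" : "NOT CURRENT");

        // HasPrivateKey only says a key is associated; opening it proves this account
        // can actually read it. Without that, nothing can sign CertificateVerify and
        // Schannel has no credential to present.
        Console.WriteLine("Private key associated: " + cert.HasPrivateKey);
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
                Console.WriteLine("Private key readable  : " + (rsa != null) +
                                  (rsa != null ? " (" + rsa.KeySize + " bits)" : ""));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Private key readable  : NO (" + ex.Message + ")");
        }

        // Enhanced Key Usage: a certificate issued only for serverAuth is not a
        // client-authentication certificate, even though it works fine as a server cert.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null)
        {
            Console.WriteLine("EKU     : (absent, certificate is not restricted to a purpose)");
        }
        else
        {
            var oids = eku.EnhancedKeyUsages.Cast<Oid>().Select(o => o.Value).ToList();
            Console.WriteLine("EKU     : " + string.Join(", ", oids));
            Console.WriteLine("  includes clientAuth: " + oids.Contains(ClientAuthOid));
            Console.WriteLine("  includes serverAuth: " + oids.Contains(ServerAuthOid));
        }

        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku != null)
            Console.WriteLine("KeyUsage: " + ku.KeyUsages + " (digitalSignature: " +
                              ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature) + ")");

        // Build the chain as a verifying peer would; a chain that does not end in a
        // root the peer trusts is a common reason a presented certificate is rejected.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        bool built = chain.Build(cert);
        Console.WriteLine("Chain builds on this machine: " + built);
        foreach (var status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());
        foreach (var element in chain.ChainElements)
            Console.WriteLine("  -> " + element.Certificate.Subject);
    }
}
```

Compare the output for certificate A and certificate B side by side; a difference in the EKU line or in the private-key readability line is the first thing to reconcile with the server's "client failed to present a certificate" error, and the packet capture then shows whether the client sent an empty Certificate message or none at all.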
