VonHammer

Reputation: 31

Could not create SSL/TLS secure channel even with certificate

I've been working on a .Net client (4.5 Framework) that needs to send a certificate to the web service for authentication. I have read up and tried several suggestions, including Cannot find the certificate in either the LocalMachine store or the CurrentUser store, which seems to most closely resemble my issue, but am still receiving "System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.". I've been running this on my local machine under my own user account as well as on a Windows Server 2008 SP2 with the same certificate installed into the same store, with the same effect. I also read somewhere that the protocol can have an effect, so I have also allowed that to be configurable via a command line argument to switch between TLS12, TLS11, TLS and SSL3; all produce the same error.

Here is an excerpt from my code where I verify I can first find the certificate

using System.Security.Cryptography.X509Certificates;

// Open the store read-only and scan it for the expected thumbprint
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
Console.WriteLine("X509 Store: Root/LocalMachine");
store.Open(OpenFlags.ReadOnly | OpenFlags.IncludeArchived);
X509Certificate2 cert = null;
foreach (var c in store.Certificates)
{
    // thumbprint is the expected value (upper-case hex), supplied from the command line
    if (!string.IsNullOrEmpty(c.Thumbprint) &&
        c.Thumbprint.ToUpper().Equals(thumbprint))
    {
        cert = c;
        Console.WriteLine("!!! Found certificate !!!, Subject [{0}]", c.Subject);
        break;
    }
}
store.Close();

Next is the creation of the client and the call.

reqClient = new WebServiceClient("HTTPS_Port");
if (reqClient.ClientCredentials != null)
{
    reqClient.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.LocalMachine,
        StoreName.Root,
        X509FindType.FindByThumbprint,
        thumbprint);
    Console.WriteLine("Connecting with protocol [{0}] to [{1}] with certificate [{2}]",
        protocol,
        reqClient.Endpoint.Address,
        reqClient.ClientCredentials.ClientCertificate.Certificate.SubjectName.Name);
    reqClient.SubmitRequest(CreatePmResponseComplex());
    reqClient.Close();
}

And the configurations...

<wsHttpBinding>
  <binding name="ServiceBinding1">
    <security mode="Transport">
      <transport clientCredentialType="Certificate"/>
    </security>
  </binding>
</wsHttpBinding>

<endpoint address="https://www.url.com"
          binding="wsHttpBinding"
          bindingConfiguration="ServiceBinding1"
          contract="SubmitRequest"
          name="HTTPS_Port"/>

Finally, here is the tracelog from the run...

System.Net Verbose: 0 : [6620] Exiting HttpWebResponse#37251161::GetResponseStream()    -> ConnectStream#41421720
System.Net Information: 0 : [6620] TlsStream#66824994::.ctor(host=blahblah.com, #certs=1)
System.Net Information: 0 : [6620] Associating HttpWebRequest#60068066 with ConnectStream#64554036
System.Net Information: 0 : [6620] HttpWebRequest#60068066 - Request: GET /XISOAPAdapter/MessageServlet?senderParty=&amp;senderService=DWN_DEV_TAS_PIDX_RHINE_000&amp;receiverParty=&amp;receiverService=&amp;interface=PlannedMovement_PIDX_OB&amp;interfaceNamespace=urn%3Abp%3Axi%3Adwn%3Arm%3Apf%3Atasrhine%3Alogistics%3A100 HTTP/1.1

System.Net Information: 0 : [6620] ConnectStream#64554036 - Sending headers
{
Host: blahblah.com:6057
Connection: Keep-Alive
}.
System.Net Information: 0 : [6620] SecureChannel#61494432::.ctor(hostname=blahblah.com, #clientCertificates=1, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [6620] Enumerating security packages:
System.Net Information: 0 : [6620]     Negotiate
System.Net Information: 0 : [6620]     NegoExtender
System.Net Information: 0 : [6620]     Kerberos
System.Net Information: 0 : [6620]     NTLM
System.Net Information: 0 : [6620]     Schannel
System.Net Information: 0 : [6620]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [6620]     WDigest
System.Net Information: 0 : [6620]     TSSSP
System.Net Information: 0 : [6620]     pku2u
System.Net Information: 0 : [6620]     CREDSSP
System.Net Information: 0 : [6620] SecureChannel#61494432 - Attempting to restart the session using the user-provided certificate: [Version]
  V3

[Subject]
  CN=blahblah.com, O=Acme Inc., L=Uxbridge, S=NA, C=GB
  Simple Name: blahblah.com
  DNS Name: blahblah.com

[Issuer]
  CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  Simple Name: Entrust Certification Authority - L1C
  DNS Name: Entrust Certification Authority - L1C

[Serial Number]
  4C228C32

[Not Before]
  3/31/2014 10:39:58 AM

[Not After]
  4/1/2016 5:00:11 AM

[Thumbprint]
  A501A402E2DD69F2A6EE93C84859F198B7D99045

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af d2 bf da 79 de 34 05 78 69 63 b3 2f f9 6f 90 ea d0 55 4d 6f 73 99 02 f9 e6 4a 53 17 81 02 dd 25 59 c8 f3 19 fa cf 6e ce a5 24 7d 5d 13 a4 22 b3 e8 91 06 2b a2 ee 2f e7 c8 51 63 10 e4 f2 3a 78 12 19 0c 60 65 c4 74 5e e7 49 1f 8e 28 cf 46 1d 4b 7a d8 95 23 96 1d 62 a0 c3 f....
System.Net Information: 0 : [6620] SecureChannel#61494432 - Left with 1 client certificates to choose from.
System.Net Information: 0 : [6620] SecureChannel#61494432 - Trying to find a matching certificate in the certificate store.
System.Net Information: 0 : [6620] SecureChannel#61494432 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=blahblah.com, O=Acme Inc., L=Uxbridge, S=NA, C=GB
  Simple Name: blahblah.com
  DNS Name: blahblah.com

[Issuer]
  CN=Entrust Certification Authority - L1C, OU="(c) 2009 Entrust, Inc.", OU=www.entrust.net/rpa is incorporated by reference, O="Entrust, Inc.", C=US
  Simple Name: Entrust Certification Authority - L1C
  DNS Name: Entrust Certification Authority - L1C

[Serial Number]
  4C228C32

[Not Before]
  3/31/2014 10:39:58 AM

[Not After]
  4/1/2016 5:00:11 AM

[Thumbprint]
  A501A402E2DD69F2A6EE93C84859F198B7D99045

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 af d2 bf da 79 de 34 05 78 69 63 b3 2f f9 6f 90 ea d0 55 4d 6f 73 99 02 f9 e6 4a 53 17 81 02 dd 25 59 c8 f3 19 fa cf 6e ce a5 24 7d 5d 13 a4 22 b3 e8 91 06 2b a2 ee 2f e7 c8 51 63 10 e4 f2 3a 78 12 19 0c 60 65 c4 74 5e e7 49 1f 8e 28 cf 46 1d 4b 7a d8 95 23 96 1d 62 a0 c3 f....
System.Net Information: 0 : [6620] SecureChannel#61494432 - Cannot find the certificate in either the LocalMachine store or the CurrentUser store.
System.Net Information: 0 : [6620] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [6620] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = blahblah.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [6620] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=127, returned code=ContinueNeeded).
System.Net Information: 0 : [6620] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 72a100:57ba210, targetName = blahblah.com, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
System.Net Information: 0 : [6620] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=AlgorithmMismatch).
System.Net Error: 0 : [6620] Exception in HttpWebRequest#60068066:: - The request was aborted: Could not create SSL/TLS secure channel..

I'm just not understanding how the program can find the certificate; I see references to it in the tracelog, but it never attaches to the request.

Upvotes: 3

Views: 1674

Answers (1)

gReX

Reputation: 1080

The program attaches the certificate from the local machine store by:

reqClient.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.Root,
    X509FindType.FindByThumbprint,
    thumbprint);

I am using StoreName.My. As Richard pointed out, the user needs access to the private key of that certificate.

technet: how to give a user permission to a certificate in the local machine store

  1. enroll the certificate into the computer store
  2. assign Read on the private key for the user account under which your service runs

To achieve 2: once you have the certificate in the Personal container, right-click on the certificate and select All Tasks -> Manage Private Keys. You will see the private key permission editor. Grant Read permissions to the User/Network Service account.

Upvotes: 1
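The trace line "Cannot find the certificate in either the LocalMachine store or the CurrentUser store" is what Schannel reports when it holds the certificate but cannot open its private key under the running account, which is exactly the permission the answer above says to grant. The following diagnostic is an added example, not code from the question or answer: it performs the same thumbprint lookup SetCertificate does in the store the answer recommends (LocalMachine\My) and reports whether the private key is present and readable by the current account. The thumbprint is a placeholder to be replaced with the real value.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Returns null when the certificate is usable for client authentication,
    // otherwise a short reason why Schannel will reject it.
    public static string Diagnose(StoreLocation location, StoreName name, string thumbprint)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // Same lookup SetCertificate performs; validOnly:false so an expired or
            // untrusted certificate is still reported instead of silently skipped.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                return "certificate not found in " + location + "\\" + name;

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                return "certificate has no private key (imported from a .cer rather than a .pfx?)";

            try
            {
                // Opening the key is what Schannel does when building the client credential.
                // An access-denied here is what surfaces in the trace as "Cannot find the certificate ...".
                // On .NET 4.5 the PrivateKey property only exposes CSP keys; CNG keys throw here.
                var key = cert.PrivateKey as RSACryptoServiceProvider;
                if (key == null)
                    return "private key is not an RSA CSP key that .NET 4.5 can open";
                return null;
            }
            catch (CryptographicException ex)
            {
                return "private key present but not readable by this account: " + ex.Message;
            }
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        const string thumbprint = "REPLACE_WITH_THUMBPRINT"; // placeholder, upper-case hex, no spaces
        string problem = Diagnose(StoreLocation.LocalMachine, StoreName.My, thumbprint);
        Console.WriteLine(problem ?? "OK: certificate and private key usable by this account");
    }
}
```

Run it under the same account as the client (for a Windows service, that account rather than an interactive administrator), since the private key ACL is what decides the outcome.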
