Reputation: 71
I have written an ASP.NET MVC application. Within the application, I have written a rather simple method entitled GetClientCertificateCollection(). This method is supposed to simply return the current user's client certificates. When I execute this code in Visual Studio 2013 / IIS Express [debug mode], the logic works perfectly and I can process the user's X509 certificates without issue [I also retrieve the server's certificates, but I've written code to ignore them and only process through valid user certificates].
Unfortunately, when I deploy my solution to an instance of IIS on a web server, the method returns nothing; literally 0 certificates.
I have researched and tried a number of suggestions, but I have been unsuccessful in finding the smoking gun.
My IIS configuration is as follows:
1. Site is hosted as a sub-directory to the "Default Web Site".
2. Bindings - Port 443 enabled with an SSL certificate.
3. Authentication - All Disabled.
4. SSL Settings - Require SSL / Require.
I'm hopeful that someone can help point me in the right direction. Thanks in advance for your help.
using System;
using System.Security.Cryptography.X509Certificates;

public static X509Certificate2Collection GetClientCertificateCollection()
{
    // Opens the Personal ("My") store of the account this code is running as.
    X509Store UserStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    try
    {
        UserStore.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection certificatesInStore = UserStore.Certificates;
        return certificatesInStore;
    }
    catch (Exception)
    {
        // Rethrow unchanged so the original stack trace is preserved.
        throw;
    }
    finally
    {
        UserStore.Close();
    }
}
Upvotes: 0
Views: 1507
Reputation: 71
I have learned a lot since posting this question originally. I was overlooking some rather simple obstacles when I originally posted this question, and I'm hoping that my answer can help those who may be struggling with the same problems I was struggling with.
Upvotes: 0
Reputation: 48230
I am almost 100% sure you just don't have any certificates as you don't put them into the app pool's identity profile.
In other words, you mistakenly assume your app works on IIS under the very same profile (your profile) while in fact the application pool has another, different identity set.
You have to inspect the settings of your application pool, locate the identity the pool runs under, log in as this identity, access its cert store and put certificates there. This can be problematic if your app pool uses the APP POOL identity pool; you can't just log in as an identity from this pool. In such a case, you have to switch to the shared cert store (machine store), which is a single cert store accessed by any identity.
Upvotes: 3
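As an added illustration of this answer (example code, not from the question or the answerer), the helper below logs which Windows identity the code is actually running as and counts the certificates in both the CurrentUser and the shared LocalMachine "My" store, so the difference between IIS Express (developer profile) and IIS (application pool profile) shows up directly in the application's log. The class and method names are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Hypothetical helper name; not part of the original question or answer.
public static class CertificateStoreDiagnostics
{
    // Under IIS Express this is the developer's account; under IIS it is the
    // application pool identity (for example "IIS APPPOOL\DefaultAppPool"),
    // whose CurrentUser store is separate from the developer's.
    public static string CurrentIdentityName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Opens the Personal ("My") store at the requested location and returns a
    // copy of its certificates. StoreLocation.LocalMachine is the shared store
    // the answer recommends when the pool identity cannot be logged in as.
    public static X509Certificate2Collection GetCertificates(StoreLocation location, bool validOnly)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection certs = store.Certificates;
            if (validOnly)
            {
                // Keep only certificates whose validity period covers "now".
                certs = certs.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            }
            // Copy so the result stays usable after the store handle is closed.
            return new X509Certificate2Collection(certs);
        }
        finally
        {
            store.Close();
        }
    }

    // One log line that explains an empty result: which identity ran the code
    // and how many certificates each store location holds for it.
    public static string Describe()
    {
        int user = GetCertificates(StoreLocation.CurrentUser, true).Count;
        int machine = GetCertificates(StoreLocation.LocalMachine, true).Count;
        return string.Format("identity={0} CurrentUser\\My={1} LocalMachine\\My={2}",
            CurrentIdentityName(), user, machine);
    }
}
```

Reading a certificate's private key from the LocalMachine store additionally requires that the application pool identity has been granted read permission on that key, so a certificate that is listed here can still fail when the private key is used.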