Justin Self

Reputation: 6265

HttpClient isn't using Client Certificate for Mutual TLS Auth

Question

Why will my HttpClient instance not use my provided client certificate for mutual auth?

Background

I'm using HttpClient to do mutual TLS. As the client, I'm adding a client certificate to a WebRequestHandler and then using that handler in the new HttpClient.

The certificate is not installed on my machine. I've successfully loaded it into the handler and can see it when debugging (the password is correct, too).

I'm testing against a couple of different test domains.

Both testing apps are showing no cert is being sent.

Code

    using System.Net.Http;
    using System.Security.Cryptography.X509Certificates;

    // Load the client certificate from the PEM file, supplying its password.
    var clientCert = new X509Certificate2("badssl.pem", "badssl.com");

    // Attach the certificate to the handler that HttpClient will use.
    var webHandler = new WebRequestHandler();
    webHandler.ClientCertificates.Add(clientCert);
    var httpClient = new HttpClient(webHandler);

    // Issue the request; 'uri' is the mutual-TLS test endpoint.
    var result = await (await httpClient.GetAsync(uri)).Content.ReadAsStringAsync();

Upvotes: 5

Views: 5335

Answers (1)

Adam Larsen

Reputation: 1121

The X509Certificate2 class doesn't look to be reading in the private key from the PEM cert.

    using System.Security.Cryptography.X509Certificates;

    var clientCert = new X509Certificate2("badssl.com-client.pem", "badssl.com");
    // The handshake can only present a certificate whose private key was loaded too.
    if (!clientCert.HasPrivateKey)
        throw new ApplicationException("Cert doesn't contain private key");

does throw an error.

In the case of badssl.com, they do have a PKCS #12 cert available (aka PFX). I was able to get your code to work with that cert.

Upvotes: 3
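As an added illustration of the answer's point (this is example code, not taken from the question or the answer; the file name, password and URL are placeholders, and it assumes .NET Framework 4.5+ with the System.Net.Http.WebRequest assembly that provides WebRequestHandler), here is a client that loads a PKCS #12 bundle, refuses to continue unless the private key came with it, and only then builds the HttpClient:

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not from the question or answer. Assumes .NET Framework 4.5+
// with the System.Net.Http.WebRequest assembly (WebRequestHandler).
// "client.pfx", its password and the URL below are placeholders.
static class MutualTlsClient
{
    // Load the client certificate and insist on a private key: a certificate
    // without one is silently skipped during the TLS handshake, which is the
    // "no cert is being sent" symptom described in the question.
    public static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                pfxPath + " contains no private key; use a PKCS #12 (.pfx/.p12) bundle " +
                "that includes it rather than a certificate-only PEM file.");
        return cert;
    }

    // Build an HttpClient that offers the certificate on every request.
    // ClientCertificateOption.Manual (the default) means only certificates added
    // to ClientCertificates are offered; Automatic would search the user store instead.
    public static HttpClient CreateClient(X509Certificate2 clientCert)
    {
        var handler = new WebRequestHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(clientCert);
        return new HttpClient(handler);
    }

    static async Task Main()
    {
        var clientCert = LoadClientCertificate("client.pfx", "placeholder-password");
        Console.WriteLine("Client cert: {0} (thumbprint {1}, has private key: {2})",
            clientCert.Subject, clientCert.Thumbprint, clientCert.HasPrivateKey);

        using (var httpClient = CreateClient(clientCert))
        {
            // Placeholder endpoint; replace with the mutual-TLS test URL.
            var response = await httpClient.GetAsync("https://example.invalid/");
            Console.WriteLine("HTTP {0}", (int)response.StatusCode);
            Console.WriteLine(await response.Content.ReadAsStringAsync());
        }
    }
}
```

Checking HasPrivateKey before the first request turns a silent handshake without a certificate into an immediate, explicit failure. On .NET 5 and later, X509Certificate2.CreateFromPemFile(certPath, keyPath) can pair a PEM certificate with its separate PEM key; on Windows the resulting ephemeral key is not always usable by SChannel, so the usual workaround is to re-import it via new X509Certificate2(cert.Export(X509ContentType.Pfx)) before adding it to the handler.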
