MutualTLS authentication in C# for httpclient #68070

Closed
vamshimupparaju opened this issue Apr 15, 2022 · 6 comments
Labels
area-System.Net.Http needs-author-action An issue or pull request that requires more info or actions from the author.
vamshimupparaju commented Apr 15, 2022

Hi Friends,

Can you please help me with this? For the past few days I have been trying to resolve the scenario below.

I have a private key and a certificate key; using these I have to do mutual authentication and send a request to one of my endpoints.

Below is the code I am trying to work on, but somehow I am getting a 401 Unauthorized issue.

    // Base64-decode the private key string; ImportPkcs8PrivateKey below expects PKCS#8 DER bytes.
    string keyPem = privateKeyString;
    byte[] keyDer = Convert.FromBase64String(keyPem);

    // Load the certificate (public part only), then attach the RSA private key to it.
    X509Certificate2 certWithKey;
    byte[] keycer = Encoding.ASCII.GetBytes(certString);
    X509Certificate2 certOnly = new X509Certificate2(keycer);
    System.Security.Cryptography.RSA rsa = RSA.Create();

    rsa.ImportPkcs8PrivateKey(keyDer, out _);
    certWithKey = certOnly.CopyWithPrivateKey(rsa);

    // Round-trip through PFX to get a new certificate object that carries the key.
    var certificate = new X509Certificate2(certWithKey.Export(X509ContentType.Pfx));

    // Attach the client certificate to the handler explicitly (Manual mode).
    HttpClientHandler httpClientHandler = new HttpClientHandler();
    httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
    httpClientHandler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
    httpClientHandler.ClientCertificates.Add(certificate);

    HttpClient httpClient = new HttpClient(httpClientHandler);

    string _ContentType = "application/x-www-form-urlencoded";
    httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(_ContentType));
    HttpResponseMessage httpResponseMessage = await httpClient.PostAsync("endpointurl", null);

Please help me with this and tell me whether I am doing anything wrong in the above.

@karelz @henning-krause @bartonjs @davidsh @Drawaes @npnelson @stephentoub @jhudsoncedaron

Thanks & Regards,
Vamshi Krishna

davidfowl transferred this issue from dotnet/aspnetcore Apr 15, 2022
dotnet-issue-labeler bot added the area-System.Net.Http and untriaged labels Apr 15, 2022

ghost commented Apr 15, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.


wfurt (Member) commented Apr 15, 2022

Do you see the certificate on the wire? And possibly all the intermediate certificates? It is difficult to know why you get 401 from the server without seeing server logs. Is there any other authentication layer?

You can also look at #26323
As a test, you can add intermediate certificates (if any) to the user's CA store.
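
A local check related to the questions above, as an added example that is not part of the original thread or of the .NET project's code: it confirms the client certificate carries a private key and shows how chain building differs when the issuer certificate is or is not available. The CA and client certificate are constructed in memory as throwaway sample data, and `ExtraStore` stands in for the CA store mentioned in the comment (both are assumptions of this example).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample data: a throwaway issuing CA and a client certificate it signs.
using RSA caKey = RSA.Create(2048);
using RSA leafKey = RSA.Create(2048);
var now = DateTimeOffset.UtcNow;

var caReq = new CertificateRequest("CN=Example Issuing CA", caKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
using X509Certificate2 ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

var leafReq = new CertificateRequest("CN=example-client", leafKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using X509Certificate2 leafOnly = leafReq.Create(ca, now, now.AddDays(29), new byte[] { 1, 2, 3, 4 });
using X509Certificate2 leaf = leafOnly.CopyWithPrivateKey(leafKey);

// A client certificate without a private key cannot be used for TLS client authentication.
Console.WriteLine($"HasPrivateKey: {leaf.HasPrivateKey}");
Console.WriteLine("Issuer not available: " + Describe(leaf, new X509Certificate2Collection()));
Console.WriteLine("Issuer available:     " + Describe(leaf, new X509Certificate2Collection(ca)));

// Builds the chain for 'cert' and lists the certificates found plus the chain status flags.
static string Describe(X509Certificate2 cert, X509Certificate2Collection extra)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check only
    chain.ChainPolicy.ExtraStore.AddRange(extra);                  // stand-in for the CA store
    chain.Build(cert);
    var subjects = chain.ChainElements.Cast<X509ChainElement>().Select(e => e.Certificate.Subject);
    var status = chain.ChainStatus.Select(s => s.Status.ToString());
    return $"[{string.Join(" <- ", subjects)}] status: {string.Join(",", status)}";
}
```

Running the same `Describe` helper against the real client certificate lists which issuers can be located locally; what the server actually receives still has to be confirmed with a packet capture or the server logs.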

@jhudsoncedaron

Please don't ping me on arbitrary TLS threads. I am unlikely to be of much use.

karelz (Member) commented Apr 20, 2022

@vamshimupparaju please do not spam contributors and team members directly. Especially not on all channels -- I got an email from you, a Twitter DM, 2 issues on my web site GH project, a runtime issue here and a runtime discussion topic -- please do not tag specific people anywhere in future and use only 1 (appropriate) channel - the runtime repo in this case. Do not go around chasing down people; it is not appropriate.

As I mentioned in the Twitter DM, we do not support/debug specific applications for users. If you have an isolated problem where you suspect a problem with .NET, this is the right forum. If you need help with your specific application or if you need an ASAP answer, StackOverflow or paid Microsoft support (or similar alternatives) are better options.

karelz added the needs-author-action label Apr 21, 2022

ghost commented Apr 21, 2022

This issue has been marked needs-author-action since it may be missing important information. Please refer to our contribution guidelines for tips on how to report issues effectively.

karelz (Member) commented May 5, 2022

Triage: No response in 2 weeks, not enough info. Closing as not actionable.
Feel free to reopen if/when there is more info. Thanks!

karelz closed this as completed May 5, 2022
ghost removed the untriaged label May 5, 2022
ghost locked as resolved and limited conversation to collaborators Jun 4, 2022
karelz added this to the 7.0.0 milestone Jul 19, 2022