Iis 服务器未收到自签名客户端证书
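// Resolve the client certificate by thumbprint from the current user's personal store.
// Failures are logged and treated as "no certificate": m_httpClient is still created,
// just without a client certificate attached.
X509Certificate2 clientCertificate = null;
X509Store userCaStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
    userCaStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificatesInStore = userCaStore.Certificates;
    // validOnly = true: only certificates that pass the store's validity checks are
    // returned, so a certificate that is installed but not trusted/valid is not found.
    X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindByThumbprint, strClientCertThumbprint, true);
    if (findResult.Count == 1)
    {
        clientCertificate = findResult[0];
    }
    else
    {
        Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup returned {0} valid match(es) for the configured thumbprint.", findResult.Count));
    }
}
catch (Exception ex)
{
    // Was an empty catch: log the failure so a store/permission problem is diagnosable
    // instead of silently looking like "no certificate found".
    Log.WriteNamed(LogLevel.Error, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup failed: {0}", ex.Message));
}
finally
{
    userCaStore.Close();
}

if (clientCertificate != null)
{
    // Diagnostic only: the chain result is logged but does not gate the handler below;
    // the certificate is presented to the server regardless of the chain outcome.
    using (X509Chain chain = new X509Chain())
    {
        bool chainBuilt = chain.Build(clientCertificate);
        Log.Write(LogLevel.Debug, string.Format("Chain building status: {0}", chainBuilt));
        if (!chainBuilt)
        {
            foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            {
                Log.Write(LogLevel.Debug, string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
            }
        }
    }

    WebRequestHandler handler = new WebRequestHandler();
    handler.ClientCertificates.Add(clientCertificate);
    // Server certificate validation is left at the framework default on purpose; a custom
    // callback must not be used to accept arbitrary server certificates.
    //handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    m_httpClient = new HttpClient(handler);
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] Client certificate retrieved successfully from the store.");
}
else
{
    m_httpClient = new HttpClient();
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] No client certificate found in the store.");
}

m_httpClient.BaseAddress = new Uri(strCimWebApiBaseAddress);
m_httpClient.DefaultRequestHeaders.Accept.Clear();
m_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));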
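/// <summary>
/// Web API authorization filter that optionally requires HTTPS and, when a thumbprint,
/// issuer and subject are all configured, requires the request to carry exactly that
/// client certificate. Every rejection short-circuits the pipeline with HTTP 403.
/// </summary>
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    /// <summary>
    /// Applies the HTTPS and client-certificate checks to <paramref name="actionContext"/>.
    /// On failure the response is set to 403 Forbidden and the method returns without
    /// calling the base implementation; on success control passes to the base class.
    /// </summary>
    /// <param name="actionContext">The action context of the incoming request.</param>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string strSettingsCsv = ConfigurationManager.AppSettings["Require HTTPS,Client cert thumbprint,Issuer,Subject"];
        WebApiHelper.GetWebApiSecuritySettings(
            strSettingsCsv,
            out bool bRequireHttps,
            out string strClientCertThumbnail,
            out string strClientCertIssuer,
            out string strClientCertSubject);

        if (bRequireHttps && actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            Reject(actionContext, "HTTPS Required", "[OnAuthorization] HTTPS required, but request is not via HTTPS.");
            return;
        }

        // If any of the three settings is missing, the client-certificate check is skipped
        // entirely and the request is gated by the HTTPS check alone.
        if (strClientCertThumbnail != null && strClientCertIssuer != null && strClientCertSubject != null)
        {
            var cert = actionContext.Request.GetClientCertificate();
            if (cert == null)
            {
                Reject(actionContext, "Client Certificate not present in the HTTP request.", "[OnAuthorization] Client certificate required but not present in the HTTP request.");
                return;
            }

            // The thumbprint is a hex string; the configured value may differ in letter case
            // from X509Certificate2.Thumbprint, so compare it case-insensitively. Issuer and
            // subject stay exact ordinal comparisons (same as the previous != checks).
            bool thumbprintMatches = string.Equals(cert.Thumbprint, strClientCertThumbnail, StringComparison.OrdinalIgnoreCase);
            bool issuerMatches = string.Equals(cert.Issuer, strClientCertIssuer, StringComparison.Ordinal);
            bool subjectMatches = string.Equals(cert.Subject, strClientCertSubject, StringComparison.Ordinal);
            if (!thumbprintMatches || !issuerMatches || !subjectMatches)
            {
                // Log which field failed (not the values) so a pinning mismatch is diagnosable.
                Log.WriteNamed(LogLevel.Debug, "RequireHttpsAttribute", string.Format("[OnAuthorization] Client certificate match: thumbprint={0}, issuer={1}, subject={2}.", thumbprintMatches, issuerMatches, subjectMatches));
                Reject(actionContext, "Client Certificate cannot be validated.", "[OnAuthorization] Client certificate in the HTTP request cannot be validated.");
                return;
            }
        }

        base.OnAuthorization(actionContext);
    }

    /// <summary>
    /// Short-circuits the request with a 403 Forbidden response carrying
    /// <paramref name="reasonPhrase"/> and writes <paramref name="logMessage"/> at Error level.
    /// </summary>
    private static void Reject(HttpActionContext actionContext, string reasonPhrase, string logMessage)
    {
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            ReasonPhrase = reasonPhrase
        };
        Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", logMessage);
    }
}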
使用以下命令进行自签名:
测试CA:
makecert.exe -n "CN=My Test CA" -r -sv MyTestCA.pvk MyTestCA.cer
测试客户端证书:
makecert.exe -ic MyTestCA.cer -iv MyTestCA.pvk -pe -sv MyTestClientCert.pvk -a sha1 -n "CN=MyTestClientCert" -len 2048 -b 01/01/2015 -e 01/01/2030 -sky exchange MyTestClientCert.cer -eku 1.3.6.1.5.5.7.3.2
服务器:
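// Resolve the client certificate by thumbprint from the current user's personal store.
// Failures are logged and treated as "no certificate": m_httpClient is still created,
// just without a client certificate attached.
X509Certificate2 clientCertificate = null;
X509Store userCaStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
    userCaStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificatesInStore = userCaStore.Certificates;
    // validOnly = true: only certificates that pass the store's validity checks are
    // returned, so a certificate that is installed but not trusted/valid is not found.
    X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindByThumbprint, strClientCertThumbprint, true);
    if (findResult.Count == 1)
    {
        clientCertificate = findResult[0];
    }
    else
    {
        Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup returned {0} valid match(es) for the configured thumbprint.", findResult.Count));
    }
}
catch (Exception ex)
{
    // Was an empty catch: log the failure so a store/permission problem is diagnosable
    // instead of silently looking like "no certificate found".
    Log.WriteNamed(LogLevel.Error, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup failed: {0}", ex.Message));
}
finally
{
    userCaStore.Close();
}

if (clientCertificate != null)
{
    // Diagnostic only: the chain result is logged but does not gate the handler below;
    // the certificate is presented to the server regardless of the chain outcome.
    using (X509Chain chain = new X509Chain())
    {
        bool chainBuilt = chain.Build(clientCertificate);
        Log.Write(LogLevel.Debug, string.Format("Chain building status: {0}", chainBuilt));
        if (!chainBuilt)
        {
            foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            {
                Log.Write(LogLevel.Debug, string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
            }
        }
    }

    WebRequestHandler handler = new WebRequestHandler();
    handler.ClientCertificates.Add(clientCertificate);
    // Server certificate validation is left at the framework default on purpose; a custom
    // callback must not be used to accept arbitrary server certificates.
    //handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    m_httpClient = new HttpClient(handler);
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] Client certificate retrieved successfully from the store.");
}
else
{
    m_httpClient = new HttpClient();
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] No client certificate found in the store.");
}

m_httpClient.BaseAddress = new Uri(strCimWebApiBaseAddress);
m_httpClient.DefaultRequestHeaders.Accept.Clear();
m_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));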
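/// <summary>
/// Web API authorization filter that optionally requires HTTPS and, when a thumbprint,
/// issuer and subject are all configured, requires the request to carry exactly that
/// client certificate. Every rejection short-circuits the pipeline with HTTP 403.
/// </summary>
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    /// <summary>
    /// Applies the HTTPS and client-certificate checks to <paramref name="actionContext"/>.
    /// On failure the response is set to 403 Forbidden and the method returns without
    /// calling the base implementation; on success control passes to the base class.
    /// </summary>
    /// <param name="actionContext">The action context of the incoming request.</param>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string strSettingsCsv = ConfigurationManager.AppSettings["Require HTTPS,Client cert thumbprint,Issuer,Subject"];
        WebApiHelper.GetWebApiSecuritySettings(
            strSettingsCsv,
            out bool bRequireHttps,
            out string strClientCertThumbnail,
            out string strClientCertIssuer,
            out string strClientCertSubject);

        if (bRequireHttps && actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            Reject(actionContext, "HTTPS Required", "[OnAuthorization] HTTPS required, but request is not via HTTPS.");
            return;
        }

        // If any of the three settings is missing, the client-certificate check is skipped
        // entirely and the request is gated by the HTTPS check alone.
        if (strClientCertThumbnail != null && strClientCertIssuer != null && strClientCertSubject != null)
        {
            var cert = actionContext.Request.GetClientCertificate();
            if (cert == null)
            {
                Reject(actionContext, "Client Certificate not present in the HTTP request.", "[OnAuthorization] Client certificate required but not present in the HTTP request.");
                return;
            }

            // The thumbprint is a hex string; the configured value may differ in letter case
            // from X509Certificate2.Thumbprint, so compare it case-insensitively. Issuer and
            // subject stay exact ordinal comparisons (same as the previous != checks).
            bool thumbprintMatches = string.Equals(cert.Thumbprint, strClientCertThumbnail, StringComparison.OrdinalIgnoreCase);
            bool issuerMatches = string.Equals(cert.Issuer, strClientCertIssuer, StringComparison.Ordinal);
            bool subjectMatches = string.Equals(cert.Subject, strClientCertSubject, StringComparison.Ordinal);
            if (!thumbprintMatches || !issuerMatches || !subjectMatches)
            {
                // Log which field failed (not the values) so a pinning mismatch is diagnosable.
                Log.WriteNamed(LogLevel.Debug, "RequireHttpsAttribute", string.Format("[OnAuthorization] Client certificate match: thumbprint={0}, issuer={1}, subject={2}.", thumbprintMatches, issuerMatches, subjectMatches));
                Reject(actionContext, "Client Certificate cannot be validated.", "[OnAuthorization] Client certificate in the HTTP request cannot be validated.");
                return;
            }
        }

        base.OnAuthorization(actionContext);
    }

    /// <summary>
    /// Short-circuits the request with a 403 Forbidden response carrying
    /// <paramref name="reasonPhrase"/> and writes <paramref name="logMessage"/> at Error level.
    /// </summary>
    private static void Reject(HttpActionContext actionContext, string reasonPhrase, string logMessage)
    {
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            ReasonPhrase = reasonPhrase
        };
        Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", logMessage);
    }
}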
Windows Server 2019。SSL设置:接受客户端证书。IIS
测试CA安装在受信任的根CA中,测试客户端证书安装在
- 本地计算机|个人和受信任的人
- 当前用户|个人和受信任的人
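// Resolve the client certificate by thumbprint from the current user's personal store.
// Failures are logged and treated as "no certificate": m_httpClient is still created,
// just without a client certificate attached.
X509Certificate2 clientCertificate = null;
X509Store userCaStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
    userCaStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificatesInStore = userCaStore.Certificates;
    // validOnly = true: only certificates that pass the store's validity checks are
    // returned, so a certificate that is installed but not trusted/valid is not found.
    X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindByThumbprint, strClientCertThumbprint, true);
    if (findResult.Count == 1)
    {
        clientCertificate = findResult[0];
    }
    else
    {
        Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup returned {0} valid match(es) for the configured thumbprint.", findResult.Count));
    }
}
catch (Exception ex)
{
    // Was an empty catch: log the failure so a store/permission problem is diagnosable
    // instead of silently looking like "no certificate found".
    Log.WriteNamed(LogLevel.Error, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup failed: {0}", ex.Message));
}
finally
{
    userCaStore.Close();
}

if (clientCertificate != null)
{
    // Diagnostic only: the chain result is logged but does not gate the handler below;
    // the certificate is presented to the server regardless of the chain outcome.
    using (X509Chain chain = new X509Chain())
    {
        bool chainBuilt = chain.Build(clientCertificate);
        Log.Write(LogLevel.Debug, string.Format("Chain building status: {0}", chainBuilt));
        if (!chainBuilt)
        {
            foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            {
                Log.Write(LogLevel.Debug, string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
            }
        }
    }

    WebRequestHandler handler = new WebRequestHandler();
    handler.ClientCertificates.Add(clientCertificate);
    // Server certificate validation is left at the framework default on purpose; a custom
    // callback must not be used to accept arbitrary server certificates.
    //handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    m_httpClient = new HttpClient(handler);
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] Client certificate retrieved successfully from the store.");
}
else
{
    m_httpClient = new HttpClient();
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] No client certificate found in the store.");
}

m_httpClient.BaseAddress = new Uri(strCimWebApiBaseAddress);
m_httpClient.DefaultRequestHeaders.Accept.Clear();
m_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));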
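/// <summary>
/// Web API authorization filter that optionally requires HTTPS and, when a thumbprint,
/// issuer and subject are all configured, requires the request to carry exactly that
/// client certificate. Every rejection short-circuits the pipeline with HTTP 403.
/// </summary>
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    /// <summary>
    /// Applies the HTTPS and client-certificate checks to <paramref name="actionContext"/>.
    /// On failure the response is set to 403 Forbidden and the method returns without
    /// calling the base implementation; on success control passes to the base class.
    /// </summary>
    /// <param name="actionContext">The action context of the incoming request.</param>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string strSettingsCsv = ConfigurationManager.AppSettings["Require HTTPS,Client cert thumbprint,Issuer,Subject"];
        WebApiHelper.GetWebApiSecuritySettings(
            strSettingsCsv,
            out bool bRequireHttps,
            out string strClientCertThumbnail,
            out string strClientCertIssuer,
            out string strClientCertSubject);

        if (bRequireHttps && actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            Reject(actionContext, "HTTPS Required", "[OnAuthorization] HTTPS required, but request is not via HTTPS.");
            return;
        }

        // If any of the three settings is missing, the client-certificate check is skipped
        // entirely and the request is gated by the HTTPS check alone.
        if (strClientCertThumbnail != null && strClientCertIssuer != null && strClientCertSubject != null)
        {
            var cert = actionContext.Request.GetClientCertificate();
            if (cert == null)
            {
                Reject(actionContext, "Client Certificate not present in the HTTP request.", "[OnAuthorization] Client certificate required but not present in the HTTP request.");
                return;
            }

            // The thumbprint is a hex string; the configured value may differ in letter case
            // from X509Certificate2.Thumbprint, so compare it case-insensitively. Issuer and
            // subject stay exact ordinal comparisons (same as the previous != checks).
            bool thumbprintMatches = string.Equals(cert.Thumbprint, strClientCertThumbnail, StringComparison.OrdinalIgnoreCase);
            bool issuerMatches = string.Equals(cert.Issuer, strClientCertIssuer, StringComparison.Ordinal);
            bool subjectMatches = string.Equals(cert.Subject, strClientCertSubject, StringComparison.Ordinal);
            if (!thumbprintMatches || !issuerMatches || !subjectMatches)
            {
                // Log which field failed (not the values) so a pinning mismatch is diagnosable.
                Log.WriteNamed(LogLevel.Debug, "RequireHttpsAttribute", string.Format("[OnAuthorization] Client certificate match: thumbprint={0}, issuer={1}, subject={2}.", thumbprintMatches, issuerMatches, subjectMatches));
                Reject(actionContext, "Client Certificate cannot be validated.", "[OnAuthorization] Client certificate in the HTTP request cannot be validated.");
                return;
            }
        }

        base.OnAuthorization(actionContext);
    }

    /// <summary>
    /// Short-circuits the request with a 403 Forbidden response carrying
    /// <paramref name="reasonPhrase"/> and writes <paramref name="logMessage"/> at Error level.
    /// </summary>
    private static void Reject(HttpActionContext actionContext, string reasonPhrase, string logMessage)
    {
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            ReasonPhrase = reasonPhrase
        };
        Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", logMessage);
    }
}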
已找到证书,但“chainStatus.Status”具有“吊销功能无法检查证书的吊销情况。”
服务器代码:
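// Resolve the client certificate by thumbprint from the current user's personal store.
// Failures are logged and treated as "no certificate": m_httpClient is still created,
// just without a client certificate attached.
X509Certificate2 clientCertificate = null;
X509Store userCaStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
try
{
    userCaStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificatesInStore = userCaStore.Certificates;
    // validOnly = true: only certificates that pass the store's validity checks are
    // returned, so a certificate that is installed but not trusted/valid is not found.
    X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindByThumbprint, strClientCertThumbprint, true);
    if (findResult.Count == 1)
    {
        clientCertificate = findResult[0];
    }
    else
    {
        Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup returned {0} valid match(es) for the configured thumbprint.", findResult.Count));
    }
}
catch (Exception ex)
{
    // Was an empty catch: log the failure so a store/permission problem is diagnosable
    // instead of silently looking like "no certificate found".
    Log.WriteNamed(LogLevel.Error, "CimWebApiClient", string.Format("[Constructor] Certificate store lookup failed: {0}", ex.Message));
}
finally
{
    userCaStore.Close();
}

if (clientCertificate != null)
{
    // Diagnostic only: the chain result is logged but does not gate the handler below;
    // the certificate is presented to the server regardless of the chain outcome.
    using (X509Chain chain = new X509Chain())
    {
        bool chainBuilt = chain.Build(clientCertificate);
        Log.Write(LogLevel.Debug, string.Format("Chain building status: {0}", chainBuilt));
        if (!chainBuilt)
        {
            foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            {
                Log.Write(LogLevel.Debug, string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
            }
        }
    }

    WebRequestHandler handler = new WebRequestHandler();
    handler.ClientCertificates.Add(clientCertificate);
    // Server certificate validation is left at the framework default on purpose; a custom
    // callback must not be used to accept arbitrary server certificates.
    //handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    m_httpClient = new HttpClient(handler);
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] Client certificate retrieved successfully from the store.");
}
else
{
    m_httpClient = new HttpClient();
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] No client certificate found in the store.");
}

m_httpClient.BaseAddress = new Uri(strCimWebApiBaseAddress);
m_httpClient.DefaultRequestHeaders.Accept.Clear();
m_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));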
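/// <summary>
/// Web API authorization filter that optionally requires HTTPS and, when a thumbprint,
/// issuer and subject are all configured, requires the request to carry exactly that
/// client certificate. Every rejection short-circuits the pipeline with HTTP 403.
/// </summary>
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    /// <summary>
    /// Applies the HTTPS and client-certificate checks to <paramref name="actionContext"/>.
    /// On failure the response is set to 403 Forbidden and the method returns without
    /// calling the base implementation; on success control passes to the base class.
    /// </summary>
    /// <param name="actionContext">The action context of the incoming request.</param>
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string strSettingsCsv = ConfigurationManager.AppSettings["Require HTTPS,Client cert thumbprint,Issuer,Subject"];
        WebApiHelper.GetWebApiSecuritySettings(
            strSettingsCsv,
            out bool bRequireHttps,
            out string strClientCertThumbnail,
            out string strClientCertIssuer,
            out string strClientCertSubject);

        if (bRequireHttps && actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            Reject(actionContext, "HTTPS Required", "[OnAuthorization] HTTPS required, but request is not via HTTPS.");
            return;
        }

        // If any of the three settings is missing, the client-certificate check is skipped
        // entirely and the request is gated by the HTTPS check alone.
        if (strClientCertThumbnail != null && strClientCertIssuer != null && strClientCertSubject != null)
        {
            var cert = actionContext.Request.GetClientCertificate();
            if (cert == null)
            {
                Reject(actionContext, "Client Certificate not present in the HTTP request.", "[OnAuthorization] Client certificate required but not present in the HTTP request.");
                return;
            }

            // The thumbprint is a hex string; the configured value may differ in letter case
            // from X509Certificate2.Thumbprint, so compare it case-insensitively. Issuer and
            // subject stay exact ordinal comparisons (same as the previous != checks).
            bool thumbprintMatches = string.Equals(cert.Thumbprint, strClientCertThumbnail, StringComparison.OrdinalIgnoreCase);
            bool issuerMatches = string.Equals(cert.Issuer, strClientCertIssuer, StringComparison.Ordinal);
            bool subjectMatches = string.Equals(cert.Subject, strClientCertSubject, StringComparison.Ordinal);
            if (!thumbprintMatches || !issuerMatches || !subjectMatches)
            {
                // Log which field failed (not the values) so a pinning mismatch is diagnosable.
                Log.WriteNamed(LogLevel.Debug, "RequireHttpsAttribute", string.Format("[OnAuthorization] Client certificate match: thumbprint={0}, issuer={1}, subject={2}.", thumbprintMatches, issuerMatches, subjectMatches));
                Reject(actionContext, "Client Certificate cannot be validated.", "[OnAuthorization] Client certificate in the HTTP request cannot be validated.");
                return;
            }
        }

        base.OnAuthorization(actionContext);
    }

    /// <summary>
    /// Short-circuits the request with a 403 Forbidden response carrying
    /// <paramref name="reasonPhrase"/> and writes <paramref name="logMessage"/> at Error level.
    /// </summary>
    private static void Reject(HttpActionContext actionContext, string reasonPhrase, string logMessage)
    {
        actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
        {
            ReasonPhrase = reasonPhrase
        };
        Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", logMessage);
    }
}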
服务器总是返回403:“客户端证书在HTTP请求中不存在”。看一看:链接提到的是一个pfx证书,但我下载的是一个“.cer”文件?