Mutual SSL Client Authentication

Posted by nordisk on Stack Overflow
Published on 2010-03-30T10:00:04Z Indexed on 2010/03/30 10:03 UTC

Hi,

I'm trying to achieve mutual SSL client authentication but without much success so far. Let me explain my scenario first:

I have a client certificate issued by an intermediate CA whose certificate in turn was issued by a root CA (the intermediate and root CAs are within the company's network). This is the certificate I am including as part of my call to the server (using the HttpWebRequest object). The server has imported my client certificate and it is one of the certificates presented to me. An important thing to note is that the server does not trust the intermediate CA or the root for that matter. What we're trying to achieve is authentication against the certificate directly, i.e. mutual authentication using my client certificate.

The error I'm getting is: "The request was aborted: Could not create SSL/TLS secure channel."

From my trace logs I also get the following:

System.Net Information: 0 : [3380] SecureChannel#34868631 - We have user-provided certificates. The server has specified 2 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [3380] SecureChannel#34868631 - Left with 0 client certificates to choose from.

One of the certificates presented to us from the server is the same as our client certificate but the matching between them seems to fail. It looks like it's trying to verify the issuer.

Now to make things even more interesting:

  • If the server trusts and sends back the intermediate CA then everything works fine! (This is not an option for the production environment though, I'm told.)
  • Using JMeter to test the request works fine too. I can only assume that Java's SSL handshake implementation is somewhat different.

So it really comes down to this: Do you need to implement mutual SSL authentication differently from normal client SSL authentication?

Any ideas or comments would be greatly appreciated.
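
A triage helper for the trace output quoted in the post above, added here as an example (it is not part of the original post): it scans System.Net trace lines for handshakes where the server advertised issuers and none of the user-provided client certificates survived the issuer match. The second channel in the sample (id 11111111, thread 4012) is constructed, and only the two message formats visible in the post are parsed.

```python
import re
from collections import OrderedDict

# Trace prefix as shown in the post:
#   System.Net Information: 0 : [3380] SecureChannel#34868631 - <message>
LINE = re.compile(r"^System\.Net \w+: \d+ : \[(?P<tid>\d+)\] "
                  r"SecureChannel#(?P<chan>\d+) - (?P<msg>.*)$")
ISSUERS = re.compile(r"The server has specified (\d+) issuer\(s\)")
LEFT = re.compile(r"Left with (\d+) client certificates? to choose from")

def find_filtered_handshakes(lines):
    """Return one dict per SecureChannel whose user-provided client
    certificates were all dropped by issuer matching."""
    channels = OrderedDict()  # keyed by channel id; lines may interleave
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated trace output
        state = channels.setdefault(m["chan"], {
            "channel": m["chan"], "thread": m["tid"],
            "user_certs": False, "issuers": None, "left": None})
        msg = m["msg"]
        if "We have user-provided certificates" in msg:
            state["user_certs"] = True
        hit = ISSUERS.search(msg)
        if hit:
            state["issuers"] = int(hit.group(1))
        hit = LEFT.search(msg)
        if hit:
            state["left"] = int(hit.group(1))
    # Flag: certificates were supplied, the server named issuers, none matched.
    return [s for s in channels.values()
            if s["user_certs"] and s["issuers"] and s["left"] == 0]

# Channel 34868631 is copied from the post; channel 11111111 is constructed.
SAMPLE_TRACE = """\
System.Net Information: 0 : [3380] SecureChannel#34868631 - We have user-provided certificates. The server has specified 2 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [4012] SecureChannel#11111111 - We have user-provided certificates. The server has specified 1 issuer(s). Looking for certificates that match any of the issuers.
System.Net Information: 0 : [3380] SecureChannel#34868631 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [4012] SecureChannel#11111111 - Left with 1 client certificates to choose from.
""".splitlines()

if __name__ == "__main__":
    for h in find_filtered_handshakes(SAMPLE_TRACE):
        print("SecureChannel#%s (thread %s): %d issuer(s) advertised, "
              "0 client certificates left" % (h["channel"], h["thread"], h["issuers"]))
```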
