Use client certificates to secure a portion of an ASP.NET Core web site #18720
Comments
create-child-certificate-from-root-certificate I have been trying to follow this guide using an API with a single endpoint. I've created the root cert and then a child cert. I've added the root cert to the site binding in IIS and set certificates as Required in the site's SSL Settings. When I try to POST to the endpoint in Postman, I get this error: Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE
I have looked at all the optional client certificate samples, but they all require a separate binding to accomplish this. My use requires the same binding to be used, but based on the SNI set whether a client certificate is required. Currently I can accomplish this by setting: ClientCertificateMode = ClientCertificateMode.AllowCertificate and validating the client certificate downstream, responding appropriately. I would like to have client certificates required for aaa.com but not for bbb.com on port 443. The problem with the above config is that browsers, like Chrome, will request the user to select a client certificate; even though you can cancel the request and continue, it's not an ideal solution. Surely if we can select the server certificate to present on the ServerCertificateSelector, we should be able to set if the client certificate is required or not per SNI?
5.0 added this capability:
We need to doc this. Those issues don't make it easy to know how to accomplish this.
The doc issues are included in the links above. (Stop distracting Stephen with shiny things.)
Thank you very much, this works perfectly... I knew it should be possible, and following the PRs I could see that it was implemented, just wasn't sure how. Looking at one of the test cases provided the right answer for me, I do all the setup in code, not via the json config: listenOptions.UseHttps((connection, stream, clientHelloInfo, state, cancellationToken) =>
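The per-SNI setup discussed in this thread, written against the public `UseHttps(ServerOptionsSelectionCallback, object)` overload from ASP.NET Core 5.0. This is an added example, not code from the thread or the ASP.NET Core repository; the host names come from the question above, while the certificate file names and the `PFX_PASSWORD` variable are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Placeholder certificate files; the password variable name is hypothetical.
    static readonly string Pwd = Environment.GetEnvironmentVariable("PFX_PASSWORD");
    static readonly X509Certificate2 AaaCert = new X509Certificate2("aaa.com.pfx", Pwd);
    static readonly X509Certificate2 BbbCert = new X509Certificate2("bbb.com.pfx", Pwd);

    // Runs once per TLS handshake, after the ClientHello (and its SNI) has been read.
    static ValueTask<SslServerAuthenticationOptions> SelectOptions(
        SslStream stream, SslClientHelloInfo hello, object state, CancellationToken ct)
    {
        bool isAaa = string.Equals(hello.ServerName, "aaa.com", StringComparison.OrdinalIgnoreCase);
        var options = new SslServerAuthenticationOptions
        {
            ServerCertificate = isAaa ? AaaCert : BbbCert,
            ClientCertificateRequired = isAaa, // bbb.com clients are never asked for a certificate
        };
        if (isAaa)
        {
            // Fail the handshake when no certificate is sent or chain validation reports errors.
            options.RemoteCertificateValidationCallback =
                (sender, cert, chain, errors) => cert != null && errors == SslPolicyErrors.None;
        }
        return new ValueTask<SslServerAuthenticationOptions>(options);
    }

    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web =>
            {
                web.ConfigureKestrel(k => k.ListenAnyIP(443, l => l.UseHttps(SelectOptions, null)));
                // Echo the client certificate subject so the two host names can be compared.
                web.Configure(app => app.Run(ctx => ctx.Response.WriteAsync(
                    ctx.Connection.ClientCertificate?.Subject ?? "no client certificate")));
            })
            .Build()
            .Run();
}
```

The validation callback accepts only client certificates that chain to a root the server machine already trusts, so a privately generated root has to be installed as trusted or checked with custom chain logic.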
I think this can be closed as the linked docs issues were completed. Let me know if there's work to do here.
Feedback for Optional client certificates