
HttpListenerRequest is not returning a client certificate


I'm using an HttpListener to create a very basic web server. I've got it set up to use SSL, using the httpcfg tool to bind to the appropriate port and certificate. This seems to be working fine. I'd now like to use client certificate authentication, so I added a call to GetClientCertificate on the HttpListenerRequest object, but it is always coming back with null. My test client is very simple:

HttpWebRequest webReq = (HttpWebRequest) WebRequest.Create("https://127.0.0.1:8080/ssltest/");
webReq.ClientCertificates.Add(new X509Certificate2("ssltest.pfx", "ssltest"));
webReq.GetResponse();

I noticed that the httpcfg tool has a flag that indicates if client certificates should be negotiated, so I tried specifying that flag (-f 2), but I'm still not getting the client cert. I also came across this Microsoft support issue, which seems pretty relevant, but I'm using the latest .NET 2.0 service pack and I've also tried the httpcfg flag, both of which should avoid the issue.

I am assuming I am missing something obvious here. Any ideas?

Edit: I just found this question, which seems very relevant (maybe even a duplicate?). Unfortunately, there is no accepted answer for that question either. The suggested answer recommends something I already tried (the httpcfg tool with the appropriate flag).


Solution

  • According to http://support.microsoft.com/kb/895971/en-us the HttpWebRequest.ClientCertificates.Add performs validation already so the cert fails validation on the client-side and never gets sent.

    The above link contains code to relax the validation... NEVER use that in production!!!
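
If, as the answer says, the certificate is failing validation on the client, the checks below report why, so the certificate or trust store can be fixed instead of relaxing validation. This is an added example, not code from the question, the answer or the KB article: `ClientCertPreflight` is a hypothetical helper, `X509Chain` only approximates the checks made inside `HttpWebRequest`, and the constructed self-signed sample needs .NET Framework 4.7.2+ or .NET Core for `CertificateRequest`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertPreflight
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth EKU

    // Reports every reason found why cert may be unusable for TLS client authentication.
    public static bool Check(X509Certificate2 cert)
    {
        bool ok = true;
        if (!cert.HasPrivateKey) { Console.WriteLine("FAIL: no private key"); ok = false; }
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
        { Console.WriteLine("FAIL: outside validity period"); ok = false; }
        foreach (X509Extension ext in cert.Extensions)
        {
            // An EKU extension, when present, must list client authentication.
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            bool clientAuth = false;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) clientAuth = true;
            if (!clientAuth) { Console.WriteLine("FAIL: EKU lacks client authentication"); ok = false; }
        }
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // Online also checks revocation
        if (!chain.Build(cert))
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("FAIL: chain {0}: {1}", s.Status, s.StatusInformation);
            ok = false;
        }
        return ok;
    }

    static void Main(string[] args)
    {
        X509Certificate2 cert;
        if (args.Length == 2)
            cert = new X509Certificate2(args[0], args[1]); // e.g. ssltest.pfx ssltest from the question
        else
        {
            // Constructed sample: a throwaway self-signed certificate, expected to fail chain building.
            CertificateRequest req = new CertificateRequest("CN=constructed-test-client",
                RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            cert = req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));
        }
        Console.WriteLine(Check(cert) ? "OK: passes local checks" : "Fix the failures above; keep validation on");
    }
}
```

An untrusted-root failure here is resolved by installing the issuing CA in the machine's trusted root store on the test host, which leaves validation enabled.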