Working with SSL client certificates embedded in the Request Header
I assume you know that you can get the certificate data using
String s = Request.Headers["X-Client-Cert"];
The question is now in which format the certificate is added to the header. I would assume that it is encoded in Base64.
byte[] certdata = Convert.FromBase64String(s);
Then you can create the certificate object from it:
X509Certificate cert = new X509Certificate(certdata);
Depending on whether the load balancer checks the client certificate for validity (and whether it has been signed by the correct root CA), you may have to check the validity of the certificate yourself.
Afterwards you can just read the serial number via cert.GetSerialNumber();
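As an added example (not Robert's code; the answer above only shows the four one-liners), here is the whole sequence in one place: decode the header, build the certificate object, validate it against a single pinned CA with revocation checking, and hand back the fields you would key a user record on. It assumes .NET 6 or later, that the load balancer is the only party able to set X-Client-Cert, and it accepts base64 DER (the answer's assumption) as well as a PEM block with its line breaks stripped or URL-encoded, which other front ends send. The class and method names are mine.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the answer's or the asker's code. Assumes .NET 6 or later
// and that the load balancer forwards the client certificate in X-Client-Cert
// as base64 DER; the parser also tolerates PEM armour, stripped line breaks
// and URL encoding, which other front ends produce.
public static class ClientCertHeader
{
    public sealed class Identity
    {
        public string Issuer { get; set; }
        public string SerialNumberHex { get; set; }  // cert.SerialNumber: big-endian hex string
        public string Thumbprint { get; set; }
    }

    // Step 1: turn the header value into a certificate object.
    public static X509Certificate2 Parse(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue))
            throw new FormatException("X-Client-Cert header is empty");

        string s = Uri.UnescapeDataString(headerValue).Trim();

        // PEM armour present? Keep only the base64 body between the markers.
        const string begin = "-----BEGIN CERTIFICATE-----";
        const string end = "-----END CERTIFICATE-----";
        int b = s.IndexOf(begin, StringComparison.Ordinal);
        if (b >= 0)
        {
            int bodyStart = b + begin.Length;
            int e = s.IndexOf(end, bodyStart, StringComparison.Ordinal);
            if (e < 0) throw new FormatException("unterminated PEM block");
            s = s.Substring(bodyStart, e - bodyStart);
        }
        s = new string(s.Where(c => !char.IsWhiteSpace(c)).ToArray());

        byte[] der = Convert.FromBase64String(s);   // FormatException on garbage
        return new X509Certificate2(der);           // CryptographicException if not a certificate
    }

    // Step 2: check that the certificate chains to our own CA and is not revoked.
    // Returns null for anything that is not acceptable.
    public static Identity Verify(X509Certificate2 cert, X509Certificate2 trustedRoot, DateTime verificationTime)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.VerificationTime = verificationTime;
            // The CA must publish a CRL (or OCSP); if it cannot be fetched the
            // build fails with RevocationStatusUnknown, which is the safe default.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            // Trust only the pinned CA, not whatever happens to be in the machine root store.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
            // Require id-kp-clientAuth, so a server certificate from the same CA cannot log in.
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (!chain.Build(cert))
                return null;

            // Belt and braces: the built chain must end at exactly our root.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!root.RawData.SequenceEqual(trustedRoot.RawData))
                return null;

            return new Identity
            {
                Issuer = cert.Issuer,
                SerialNumberHex = cert.SerialNumber,
                Thumbprint = cert.Thumbprint
            };
        }
    }

    // What a controller calls: null means "not authenticated"; no parser
    // exception leaks back to the client.
    public static Identity Authenticate(string headerValue, X509Certificate2 trustedRoot)
    {
        try
        {
            using (X509Certificate2 cert = Parse(headerValue))
            {
                return Verify(cert, trustedRoot, DateTime.Now);
            }
        }
        catch (FormatException) { return null; }
        catch (CryptographicException) { return null; }
    }
}
```

Two things this makes explicit that the answer leaves implicit. First, the header carries only the public certificate; the proof that the client held the matching private key happened in the TLS handshake at the load balancer. The chain check therefore cannot tell a genuine request from one where someone injected a copy of a legitimate user's certificate, so the application must accept X-Client-Cert only on connections from the load balancer, and the load balancer must overwrite, never pass through, any copy of that header the client sends. Second, a serial number is unique only per issuer and is chosen by the issuer, so map the PIN to issuer plus serial (or to the thumbprint) rather than to the serial alone; and note that GetSerialNumber() returns the bytes in little-endian order, while the SerialNumber property is the big-endian hex string certificate tools display.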
immutabl
Updated on June 04, 2022

Comments
-
immutabl almost 2 years
To get around the problem of an SSL-terminating load balancer (it doesn't forward client certs to the application servers), our ISP has configured our environment such that client certificates are forwarded within the HTTP headers to the real servers (as X-Client-Cert).
I will be authenticating clients with a PIN mapped to the serial number of the certificate they've been issued with. But how do I get at the certificate from the custom header?
-
immutabl almost 12 years
Thanks, that looks perfect, I will give it a go. I did try something similar initially but I got stuck because I forgot about decoding from base64. Just one thing - do you have any suggestions as to how I can recreate this scenario (certificates in headers) on my workstation for local development and testing?
-
Robert almost 12 years
I assume that you have access to the certificate agency (CA) creating the certificates. Use it and issue one cert & private key for yourself. Install that in your browser and test it.
-
immutabl almost 12 years
I've been doing that - well, using makecert to generate them locally. I was thinking more about testing the process of converting the Base64 string from the header into the X509 certificate.
-
Robert almost 12 years
makecert is designed to generate test certificates (self-signed). If you want to do client authentication via certificates you have to set up your own PKI with your own CA. If you are not familiar with those terms please make yourself familiar with Public Key Infrastructures and how they work. Using the serial number without proper verification of the certificate is totally insecure.
-
immutabl almost 12 years
For dev purposes I've been following the steps here: yangsoft.com/blog/?p=105 to spoof a CA and use it to generate server and client certs. For production I will of course be using a proper CA and kosher certificates generated by Certificate Services. I'm a bit panicked now (it's been a few days' work!) Is there something wrong with this approach?
-
Robert almost 12 years
Interesting approach. It may work, but it misses the possibility to revoke a certificate. Sooner or later you will need to revoke a user certificate, and AFAIK that cannot be done with makecert.
-
immutabl almost 12 years
I thought revocation would easily be done with the 'real' certificates (generated by Certificate Services (http://<server>/CertSrv)) that I'll be using for production? Or am I missing something.
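For the local-testing question raised in the comments, here is an added example (not from the thread, and not a makecert or Certificate Services recipe) that builds a throwaway CA and a CA-issued client certificate in memory with .NET's CertificateRequest API (.NET 6 or later) and produces the X-Client-Cert value the load balancer is assumed to send: base64 over the DER-encoded certificate, no PEM armour, no private key. Subject names, lifetimes and the class name are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread. Builds a throwaway root CA and one
// client certificate issued by it, entirely in memory, so the header a load
// balancer would forward can be reproduced on a developer workstation.
public static class DevClientCertFixture
{
    public sealed class TestPki
    {
        public X509Certificate2 Ca { get; set; }       // self-signed root, with private key
        public X509Certificate2 Client { get; set; }   // issued by Ca, with private key
    }

    public static TestPki Create(string clientName = "CN=alice")
    {
        // Keys are deliberately not disposed here: the returned certificates keep using them.
        RSA caKey = RSA.Create(2048);
        RSA clientKey = RSA.Create(2048);

        // Root CA: CA:TRUE, keyCertSign/cRLSign, subject key identifier.
        var caReq = new CertificateRequest("CN=Dev Test CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        X509Certificate2 ca = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        // Client certificate: end entity with the id-kp-clientAuth EKU that a
        // chain check with ApplicationPolicy will look for.
        var clientReq = new CertificateRequest(clientName, clientKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        clientReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        clientReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        clientReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false));

        // Random positive 128-bit serial. The issuer picks serials and they are
        // unique only within that issuer, which is why a serial on its own is
        // not an identity.
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F;

        X509Certificate2 issued = clientReq.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddMonths(6), serial);
        X509Certificate2 client = issued.CopyWithPrivateKey(clientKey);
        issued.Dispose();

        return new TestPki { Ca = ca, Client = client };
    }

    // The header value as the load balancer is assumed to send it:
    // base64 of the DER certificate only (X509ContentType.Cert never includes the key).
    public static string HeaderValue(X509Certificate2 cert)
    {
        return Convert.ToBase64String(cert.Export(X509ContentType.Cert));
    }
}
```

In a local test, put `DevClientCertFixture.HeaderValue(pki.Client)` into the X-Client-Cert header of the request and use `pki.Ca` as the only trusted root when validating. One caveat that ties back to Robert's revocation point: this throwaway CA publishes no CRL, so a chain built with online revocation checking will fail for it; relax that to no revocation checking for the local run only, and keep it on against the production CA, which is where revocation actually has to work.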