ssl - How to send intermediate cert (in addition to leaf cert) from http client to the server in .net (core) 5?

Question

I was not able to make http client code in .net 5 to send both intermediate and leaf certificates (in 3 certificate hierarchy) to the server. However I was able to send the leaf certificate from client to the server successfully. Here is my setup:

I have 3 certificates on my windows box:

1. TestRoot.pem
2. TestIntermediate.pem
3. TestLeaf.pem (without private key for server - windows box)
4. TestLeaf.pfx (with private key for client - windows box)

The none of the above certificates were NOT added to windows certificate manager as I would like to be able to run the same code on non-windows machines eventually. For my testing, I am running following client and server code on the same windows box.

On my windows box, I have following simple client side code using .net 5:

HttpClientHandler handler = new HttpClientHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.SslProtocols = System.Security.Authentication.SslProtocols.Tls12;

X509Certificate2 leafCert = new X509Certificate2(File.ReadAllBytes(@"C:TempTestLeaf.pfx"), "<password>");

handler.ClientCertificates.Add(leafCert);

HttpClient httpClient = new HttpClient(handler);

StringContent content = new StringContent("{}"); //Test json string
content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue(MediaTypeNames.Application.Json);

//With local.TestServer.com resolving to localhost in the host file
HttpResponseMessage response = httpClient.PostAsync("https://local.TestServer.com/...", content).Result;

if (response.IsSuccessStatusCode)
{
    var responseString = response.Content.ReadAsStringAsync().Result;

    Console.WriteLine(responseString);
}
else
{
    Console.WriteLine(x.StatusCode);
    Console.WriteLine(x.ReasonPhrase);
}

On same window box, I have following example snippet of server side code using kestrel in .net 5:

services.Configure<KestrelServerOptions>(options =>
{
    // Keep track of what certs belong to each port
    var certsGroupedByPort = ...;
    var certsPerDistinctSslPortMap = ...;

    // Listen to each distinct ssl port a cert specifies
    foreach (var certsPerDistinctSslPort in certsPerDistinctSslPortMap)
    {
        options.Listen(IPAddress.Any, certsPerDistinctSslPort.Key, listenOptions =>
        {
            var httpsConnectionAdapterOptions = new HttpsConnectionAdapterOptions();
            httpsConnectionAdapterOptions.ClientCertificateValidation = (clientCertificate, chain, sslPolicyErrors) =>
            {
                bool trusted = false;
                if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors)
                {
                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;

                    X509Certificate2 certRoot = new X509Certificate2(@"C:TempTestRoot.pem");
                    X509Certificate2 certIntermdiate = new X509Certificate2(@"C:TempTestIntermediate.pem");

                    chain.ChainPolicy.CustomTrustStore.Add(certRoot);
                    chain.ChainPolicy.ExtraStore.Add(certIntermdiate);
                    trusted = chain.Build(clientCertificate);
                }

                return trusted;
            };
            httpsConnectionAdapterOptions.ServerCertificateSelector = (connectionContext, sniName) =>
            {
                var defaultCert = //Get default cert
                return defaultCert;
            };
            httpsConnectionAdapterOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
            httpsConnectionAdapterOptions.SslProtocols = SslProtocols.Tls12;

            listenOptions.UseHttps(httpsConnectionAdapterOptions);
        });
    }

    options.Listen(IPAddress.Any, listeningPort);
});

The above code works as expected because the client code sends the leaf certificate to the server and the server code has access to both intermediate as well as root certificates. The server code can successfully rebuild the certificate hierarchy with received leaf certificate and its configured intermediate and root certs for the leaf certificate.

My following attempt to send the intermediate certificate (along with leaf certificate) to the server (so that it can only use the root certificate and incoming leaf and intermediate certificates in the request to build the certificate hierarchy) failed.

1. Tried to add the intermediate certificate by doing following in my client code:

   X509Certificate2 leafCert = new X509Certificate2(File.ReadAllBytes(@"C:TempTestLeaf.pfx"), ""); X509Certificate2(Convert.FromBase64String(File.ReadAllText(@"C:TempTestIntermediate.pem"));

   handler.ClientCertificates.Add(leafCert); handler.ClientCertificates.Add(intermediateCert);

   This did not send the intermediate certificate to the server. I verified this with the code block for httpsConnectionAdapterOptions.ClientCertificateValidation on the server side.

Question: Is there a way to ensure that intermediate certificate is sent by the client (in addition to the leaf cert) to the server?

question from:https://stackoverflow.com/questions/65944295/how-to-send-intermediate-cert-in-addition-to-leaf-cert-from-http-client-to-the

Answer 1

Waitting for answers