How to Configure IIS Express to Accept SSL Client Certificates

Developing applications with SSL client certificates is a challenge because there are so many little things that can go wrong. You quickly want to open the debugger, but that can be a challenge in itself, especially when the whole chain only works on a remote server. A much simpler way is to use IIS Express with a configuration that accepts SSL client certificates. This setup allows you to debug your application on your local machine without the need to configure the full IIS – at least as long as the errors are in your application.

Visual Studio configures all the necessary things (like your server certificate and the settings) when you select the SSL option for the web host.

The whole configuration is inside the solution folder in the .vs\config\applicationhost.config configuration file, which is best opened in a text editor outside of Visual Studio.

Search for an XML element called <access> inside a <security> element:

The default configuration has no support for SSL client certificates. You need to modify the sslFlags attribute to include these options: Ssl, SslNegotiateCert, SslRequireCert

The next step is to find the element <iisClientCertificateMappingAuthentication>:

If you change enabled to true, IIS Express will start accepting client certificates:

You now need to restart Visual Studio and IIS Express. IIS Express can be restarted using the icon in your system tray.
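
The two edits described above, shown together as an added example (this is not the author's original listing). The surrounding elements and the "before" values in the comments are assumptions about a stock IIS Express applicationhost.config; only the attributes named in the article change.

```xml
<!-- Added example: excerpt of .vs\config\applicationhost.config, other elements omitted -->
<system.webServer>
  <security>
    <!-- Before (assumed default): <access sslFlags="None" /> -->
    <!-- After: Ssl requires HTTPS, SslNegotiateCert asks the client for a
         certificate during the handshake, SslRequireCert refuses requests
         that arrive without one -->
    <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />

    <authentication>
      <!-- Before (assumed default): enabled="false" -->
      <iisClientCertificateMappingAuthentication enabled="true">
      </iisClientCertificateMappingAuthentication>
    </authentication>
  </security>
</system.webServer>
```

Keep this change in the per-solution file only: with SslRequireCert set, every request to the site without a client certificate is refused.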

From now on you will be asked for a client certificate and you can debug the whole application inside Visual Studio. This may not look like a big improvement, but trust me, it makes debugging much simpler.

5 thoughts on “How to Configure IIS Express to Accept SSL Client Certificates”

  1. Nice article,

    However, I am receiving

    HTTP Error 403.16 – Forbidden
    Your client certificate is either not trusted or is invalid.

    • Hi Max,
      What browser do you use and in which version? Those change so quickly that it is hard to keep up with all their changes.

      Thanks,
      Johnny

  2. Johnny,

    What OS are you using?
    This works with Windows 7 perfectly, but a colleague of mine is using Windows 10 and gets the 403.16 error.
    That error says that there are non self-signed certs in the Trusted Root Certificate Authority store. Windows 10 seems to care about it, but Windows 7 does not.

    • Hi wvusaf,
      I use Windows 10 with the 1803 build. I created a new certificate to authenticate myself and ran into the same problem at first. I solved it by putting the CA certificate into the Computer certificate store as a trusted CA while my client certificate is in my personal certificate store. As soon as I put them in those different stores, IIS Express stopped throwing the exception and I could access my client certificate in the request. Hope this helps you as well.

      Regards,
      Johnny
