科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>asp.net core - Certificate based authentication failed with ERR_BAD_SSL_CLIENT_AUTH_CERT - Stack Overflow

    asp.net core - Certificate based authentication failed with ERR_BAD_SSL_CLIENT_AUTH_CERT - Stack Overflow

    programmeradmin0浏览0评论

    I'm trying to implement Certificate based authentication with ASP.NET Core 9 following the official documentation: Configure certificate authentication in ASP.NET Core

    I've come up with this basic implementation:

    using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<KestrelServerOptions>(options =>
{
    options.ConfigureHttpsDefaults(options =>
    {
        options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
});

builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.AllowedCertificateTypes = CertificateTypes.All;

        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                Console.WriteLine($"Validating: {context.ClientCertificate.Subject}");

                if (context.ClientCertificate.Subject == "Pragmateek")
                    context.Success();
                else
                    context.Fail("Invalid certificate.");

                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();

app.UseAuthentication();

app.MapGet("/", () => "Hello World!");

app.Run();

    When requesting the resource from Chrome I get a popup asking me to choose a certificate, I choose one generated with New-SelfSignedCertificate -Subject "CN=Pragmateek" -CertStoreLocation cert:\CurrentUser, but I get a ERR_BAD_SSL_CLIENT_AUTH_CERT error.

    And the validation code in OnCertificateValidated is never called.

    If it matters the project was created with the basic template dotnet new web --name ... and is run with dotnet run --launch-profile https (and running it with Visual Studio does not change anything).

    What plumbing is missing?

    I'm trying to implement Certificate based authentication with ASP.NET Core 9 following the official documentation: Configure certificate authentication in ASP.NET Core

    I've come up with this basic implementation:

    using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<KestrelServerOptions>(options =>
{
    options.ConfigureHttpsDefaults(options =>
    {
        options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    });
});

builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.AllowedCertificateTypes = CertificateTypes.All;

        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                Console.WriteLine($"Validating: {context.ClientCertificate.Subject}");

                if (context.ClientCertificate.Subject == "Pragmateek")
                    context.Success();
                else
                    context.Fail("Invalid certificate.");

                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();

app.UseAuthentication();

app.MapGet("/", () => "Hello World!");

app.Run();

    When requesting the resource from Chrome I get a popup asking me to choose a certificate, I choose one generated with New-SelfSignedCertificate -Subject "CN=Pragmateek" -CertStoreLocation cert:\CurrentUser, but I get a ERR_BAD_SSL_CLIENT_AUTH_CERT error.

    And the validation code in OnCertificateValidated is never called.

    If it matters the project was created with the basic template dotnet new web --name ... and is run with dotnet run --launch-profile https (and running it with Visual Studio does not change anything).

    What plumbing is missing?

    • asp-core
    • -core
    • certificate
    • client-certificates
    Share Improve this question asked Jan 19 at 21:43 PragmateekPragmateek 13.4k9 gold badges76 silver badges111 bronze badges 2
    • Try to add the new option for the certificate auth options.RevocationMode = X509RevocationMode.NoCheck; . – Brando Zhang Commented Jan 20 at 7:24
    • Thanks for your comment, but it did not work with this setting either. I've found a workaround, see my answer. – Pragmateek Commented Jan 20 at 19:40
    Add a comment  | 

    1 Answer 1

    Reset to default 0

    The issue is that Kestrel seems to use a default client certificate validation which rejects the certificates, probably because they are self-signed.

    The solution was to allow any certificate with options.AllowAnyClientCertificate(); which overwrites ClientCertificateValidation with a truthy callback:

    builder.Services.Configure<KestrelServerOptions>(options =>
{
    options.ConfigureHttpsDefaults(options =>
    {
        options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
        options.AllowAnyClientCertificate();
    });
});

    EDIT: another way of having the certificate accepted is to trust it by adding it to the Windows Trust Store "Trusted Root Certification Authorities":

    Move-Item cert:\CurrentUser\My\B45606C0ACC9365D12172AF3E0C54BAAAAA27833 cert:\CurrentUser\Root

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论