Server does not receive the self-signed client certificate

Time: 2021-05-25 02:42:54

Tags: iis client-certificates

Client certificate:

Self-signed, created with the following commands:

Test CA:

makecert.exe -n "CN=My Test CA" -r -sv MyTestCA.pvk MyTestCA.cer

Test client certificate:

makecert.exe -ic MyTestCA.cer -iv MyTestCA.pvk -pe -sv MyTestClientCert.pvk -a sha1 -n "CN=MyTestClientCert" -len 2048 -b 01/01/2015 -e 01/01/2030 -sky exchange MyTestClientCert.cer -eku 1.3.6.1.5.5.7.3.2

Server:

Windows Server 2019, IIS. SSL settings: Accept client certificates.

The test CA is installed under Trusted Root Certification Authorities, and the test client certificate is installed under

  • Local Computer | Personal and Trusted People
  • Current User | Personal and Trusted People

Client code:

X509Certificate2 clientCertificate = null;
// Look the certificate up in CurrentUser\Personal, one of the stores it was installed in.
X509Store userCaStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);

try
{
    userCaStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificatesInStore = userCaStore.Certificates;
    // validOnly = true: only certificates that currently chain to a trusted root are returned.
    X509Certificate2Collection findResult = certificatesInStore.Find(X509FindType.FindByThumbprint, strClientCertThumbprint, true);

    if (findResult.Count == 1)
    {
        clientCertificate = findResult[0];
    }
}
catch
{
    // Store access errors are swallowed; clientCertificate stays null and the request goes out without a certificate.
}
finally
{
    userCaStore.Close();
}

if (clientCertificate != null)
{
    // Diagnostic only: build the chain the way the TLS stack will and log every status flag.
    X509Chain chain = new X509Chain();
    var chainBuilt = chain.Build(clientCertificate);
    Log.Write(LogLevel.Debug, string.Format("Chain building status: {0}", chainBuilt));

    if (chainBuilt == false)
        foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            Log.Write(LogLevel.Debug, string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));

    WebRequestHandler handler = new WebRequestHandler();
    X509Certificate certificate = clientCertificate;
    handler.ClientCertificates.Add(certificate);
    //handler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
    // Manual: present only the certificate added above, not one picked automatically from the store.
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    m_httpClient = new HttpClient(handler);
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] Client certificate retrieved successfully from the store.");
}
else
{
    m_httpClient = new HttpClient();
    Log.WriteNamed(LogLevel.Debug, "CimWebApiClient", "[Constructor] No client certificate found in the store.");
}

m_httpClient.BaseAddress = new Uri(strCimWebApiBaseAddress);
m_httpClient.DefaultRequestHeaders.Accept.Clear();
m_httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

The certificate is found, but "chainStatus.Status" contains "The revocation function was unable to check revocation for the certificate."

Server code:
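A client-side pre-flight check, added here as an example and not part of the question's code, that inspects the certificate selected from the store for what the Windows TLS stack needs before it will present it: an accessible private key, the client-authentication EKU that the makecert command sets, and a chain that builds to the test CA with revocation checking disabled, since a makecert test CA publishes no CRL and the revocation status shown in the question is expected. The `cert` and `testCa` arguments are assumed to be the client certificate and the test CA loaded from the stores described above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertPreflight
{
    // OID from the makecert -eku argument in the question: id-kp-clientAuth.
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns the reasons the certificate would not be usable for TLS client authentication.
    // An empty list means the certificate passes every check performed here.
    public static IList<string> Check(X509Certificate2 cert, X509Certificate2 testCa)
    {
        var problems = new List<string>();

        // Importing only MyTestClientCert.cer leaves no private key in the store;
        // without one the TLS stack silently presents no certificate at all.
        if (!cert.HasPrivateKey)
            problems.Add("no private key is associated with the certificate in this store");

        // The EKU must include client authentication or the server-side filter rejects it.
        bool hasClientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) hasClientAuth = true;
        }
        if (!hasClientAuth)
            problems.Add("EKU does not include clientAuth (" + ClientAuthOid + ")");

        // Build the chain as the TLS stack would, but skip revocation: a test CA has no CRL,
        // so RevocationStatusUnknown is expected and must not be mistaken for a trust failure.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));
        if (!chain.Build(cert))
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                problems.Add("chain: " + s.Status + " " + s.StatusInformation);
        }
        else if (!chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint
                     .Equals(testCa.Thumbprint, StringComparison.OrdinalIgnoreCase))
        {
            problems.Add("chain does not terminate at the expected test CA");
        }
        return problems;
    }
}
```

Run it against the certificate returned by the store lookup before handing it to the handler; any entry in the returned list is a reason the server will see no client certificate in the handshake.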

public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string strSettingsCsv = ConfigurationManager.AppSettings["Require HTTPS,Client cert thumbprint,Issuer,Subject"];

        WebApiHelper.GetWebApiSecuritySettings(
            strSettingsCsv,
            out bool bRequireHttps, 
            out string strClientCertThumbnail, 
            out string strClientCertIssuer,
            out string strClientCertSubject);

        if (bRequireHttps && actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required"
            };

            Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", "[OnAuthorization] HTTPS required, but request is not via HTTPS.");
            return;
        }

        if (strClientCertThumbnail != null && strClientCertIssuer != null && strClientCertSubject != null)
        {
            // The certificate IIS negotiated during the TLS handshake; null if the handshake carried none.
            var cert = actionContext.Request.GetClientCertificate();

            if (cert == null)
            {
                actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
                {
                    ReasonPhrase = "Client Certificate not present in the HTTP request."
                };

                Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", "[OnAuthorization] Client certificate required but not present in the HTTP request.");
                return;
            }

            // Pin the presented certificate to the configured thumbprint, issuer and subject.
            if (cert.Thumbprint != strClientCertThumbnail || cert.Issuer != strClientCertIssuer || cert.Subject != strClientCertSubject)
            {
                actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
                {
                    ReasonPhrase = "Client Certificate cannot be validated."
                };

                Log.WriteNamed(LogLevel.Error, "RequireHttpsAttribute", "[OnAuthorization] Client certificate in the HTTP request cannot be validated.");
                return;
            }
        }

        base.OnAuthorization(actionContext);
    }
}

The server always returns 403, "Client Certificate not present in the HTTP request."

0 answers