Tags: asp.net, asp.net-core, ssl, kestrel-http-server

Certificate validation failed, subject was CN=PC1.contoso.com. NotSignatureValid The signature of the certificate cannot be verified


I am writing an application in ASP.NET (.NET 8) with an API interface that uses certificate authentication. The authentication works fine when I use a self-signed certificate or even a PKI one in my test environment. However, when I try to call the Kestrel dev server, which is my domain test environment, from a production client, I hit OnAuthenticationFailed:

Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler[2]
      Certificate validation failed, subject was CN=PC1.contoso.com. NotSignatureValid The signature of the certificate cannot be verified.
Microsoft.AspNetCore.Authentication.Certificate.CertificateAuthenticationHandler: Warning: Certificate validation failed, subject was CN=PC1.contoso.com. NotSignatureValid The signature of the certificate cannot be verified.

My code looks like this:

using Microsoft.AspNetCore.Authentication.Certificate;
using System.Security.Cryptography.X509Certificates;

builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(CertificateAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.RevocationMode = X509RevocationMode.NoCheck;
        options.AllowedCertificateTypes = CertificateTypes.All;
        // Read from configuration but not used below; the paths are hard-coded instead.
        var cer = builder.Configuration.GetSection("Certificate").GetSection("Root").GetValue<string>("TrustStore");
        var cer_int = "Resource\\Sub CA.cer";
        var cer_root = "Resource\\Root CA.cer";
        //options.CustomTrustStore.AddRange(new X509Certificate2Collection {new X509Certificate2(Path.Combine(cer_root))});
        // Root and intermediate both go into the custom trust store: only the self-signed
        // root acts as a trust anchor, the intermediate is used to build the chain.
        options.CustomTrustStore.Add(new X509Certificate2(cer_root));
        options.CustomTrustStore.Add(new X509Certificate2(cer_int));
        options.ChainTrustValidationMode = X509ChainTrustMode.CustomRootTrust;
    });

As you can see, I have now tried adding my production root and intermediate cert to the CustomTrustStore. I even added these certificates to my local certificate store.

In the end the app will run as an Azure Web App; that is why I am testing with Kestrel, because I don't know how to debug it in Azure. But the client's reaction is similar between Kestrel and Azure. My Kestrel configuration is this:

using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Https;

builder.Services.Configure<KestrelServerOptions>(options =>
    {
        options.ConfigureHttpsDefaults(https =>
        {
            // Accept any client certificate at the TLS layer; the chain check is
            // left to the certificate authentication handler configured above.
            https.AllowAnyClientCertificate();
            https.CheckCertificateRevocation = false;
            // Don't ask for the certificate in the initial handshake; it is requested
            // later (by renegotiation, HTTP/1.1 only) when the app needs it.
            https.ClientCertificateMode = ClientCertificateMode.DelayCertificate;
        });
    });

Does anyone have an idea why it is rejecting the cert? I found a similar entry on GitHub: https://github.com/dotnet/aspnetcore/issues/48099, but that was about CustomRootTrust.

Thanks

Stephan


Solution

  • My bad. The code is correct. However, we renewed our root and intermediate certificates, which of course had the same names but were different. After adding the correct intermediate cert, it worked. You could also see this when opening the cert in Windows: it showed the error "The certificate has an invalid digital signature".
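To reproduce the situation the answer describes without a real PKI, and to have a check that tells a renewed-but-same-name intermediate apart from a genuinely wrong trust store, here is an added example. It is not code from the question or the answer; it assumes a plain .NET 7 or later console project, and the certificate names and the Resource\Sub CA.cer path are just the question's placeholders. It mints a root, two intermediates that are both named CN=Sub CA but have different keys, and a client cert issued by the second one. It then runs the same CustomRootTrust chain build that the certificate authentication handler performs, once against a store holding the old intermediate and once against a store holding the renewed one, and finally compares the leaf's Authority Key Identifier with the Subject Key Identifiers of the certificates in the store:

```csharp
// Added example; not code from the question or the answer. Requires .NET 7 or later.
// Mints a root, an old and a renewed intermediate with the same subject name, and a client
// cert issued by the renewed one, then validates it against a CustomRootTrust store that
// still holds the old intermediate (the question) and against one holding the renewed one
// (the answer). The AKI/SKI check at the end pins the cause down on any platform.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics
{
    static readonly DateTimeOffset NotBefore = DateTimeOffset.UtcNow.AddDays(-1);

    // Self-signed root when issuer is null, otherwise an intermediate signed by issuer.
    static X509Certificate2 MakeCa(string subject, X509Certificate2? issuer)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        if (issuer is null)
            return req.CreateSelfSigned(NotBefore, NotBefore.AddYears(10));
        req.CertificateExtensions.Add(X509AuthorityKeyIdentifierExtension.CreateFromCertificate(issuer, true, false));
        // Create() returns the public cert only; attach our key so this CA can sign the leaf.
        return req.Create(issuer, NotBefore, NotBefore.AddYears(5), Serial()).CopyWithPrivateKey(key);
    }

    static X509Certificate2 MakeLeaf(string subject, X509Certificate2 issuer)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        req.CertificateExtensions.Add(X509AuthorityKeyIdentifierExtension.CreateFromCertificate(issuer, true, false));
        return req.Create(issuer, NotBefore, NotBefore.AddYears(1), Serial());
    }

    static byte[] Serial()
    {
        byte[] s = RandomNumberGenerator.GetBytes(16);
        s[0] &= 0x7F; // keep the DER INTEGER positive
        return s;
    }

    // Public half only, as the server loads it from a .cer file.
    static X509Certificate2 Public(X509Certificate2 c) => new X509Certificate2(c.Export(X509ContentType.Cert));

    static string? Ski(X509Certificate2 c) =>
        c.Extensions["2.5.29.14"] is { } ext
            ? new X509SubjectKeyIdentifierExtension(ext, ext.Critical).SubjectKeyIdentifier : null;

    static string? Aki(X509Certificate2 c) =>
        c.Extensions["2.5.29.35"] is { } ext
         && new X509AuthorityKeyIdentifierExtension(ext.RawData, ext.Critical).KeyIdentifier is { } id
            ? Convert.ToHexString(id.Span) : null;

    // Builds the chain the way CertificateAuthenticationHandler does under
    // X509ChainTrustMode.CustomRootTrust and prints where it breaks.
    public static bool Diagnose(X509Certificate2 leaf, X509Certificate2Collection trustStore)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustStore);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(leaf);
        Console.WriteLine($"  Build = {ok}");
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  status: {s.Status} {s.StatusInformation.Trim()}");
        foreach (var e in chain.ChainElements)
            Console.WriteLine($"  {e.Certificate.Subject,-22} SKI={Ski(e.Certificate)} AKI={Aki(e.Certificate)}");
        // Root-cause check that does not depend on how the platform's chain engine words
        // the failure: is the key the leaf's AKI names present in the store at all?
        string? wanted = Aki(leaf);
        bool issuerKeyPresent = trustStore.Cast<X509Certificate2>().Any(c => Ski(c) == wanted);
        Console.WriteLine(issuerKeyPresent
            ? "  issuer key present in trust store"
            : $"  no store certificate has SKI {wanted}: same issuer name, different key (renewed CA?)");
        return ok;
    }

    static void Main()
    {
        var root = MakeCa("CN=Root CA", null);
        var oldSub = MakeCa("CN=Sub CA", root); // the intermediate still sitting in Resource\Sub CA.cer
        var newSub = MakeCa("CN=Sub CA", root); // the renewed intermediate: same name, new key
        var client = MakeLeaf("CN=PC1.contoso.com", newSub);

        Console.WriteLine("-- store with the old Sub CA (the question) --");
        Diagnose(client, new X509Certificate2Collection { Public(root), Public(oldSub) });
        Console.WriteLine("-- store with the renewed Sub CA (the answer) --");
        Diagnose(client, new X509Certificate2Collection { Public(root), Public(newSub) });
    }
}
```

The first Diagnose call fails and the second succeeds. On Windows the failure typically surfaces as NotSignatureValid, the flag in the question's log and the "invalid digital signature" that the Windows certificate viewer shows, because CryptoAPI falls back to matching the issuer by name and then finds the signature does not verify against that key; on OpenSSL-based Linux builds of .NET the same situation may be reported as PartialChain instead, since OpenSSL skips a candidate issuer whose key identifier does not match the leaf's AKI. The AKI/SKI comparison gives the same verdict on both. To check the real files, call Diagnose with new X509Certificate2("client.cer") and a collection loaded from Resource\Root CA.cer and Resource\Sub CA.cer, and compare the thumbprint of the stored intermediate with the one the issuing CA currently publishes.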