Unable to send multiple certificates in request using .net core 3.1 within HttpClientHandler

[jaden-patel]

Description

The code below is only sending 1 certificate even though it loops through 4 certificates and finds 4 certificates

 var handler = new HttpClientHandler();

handler.ClientCertificateOptions = ClientCertificateOption.Manual;

X509Certificate2Collection certColection = new X509Certificate2Collection();
certColection.Import(clientCertPath);

foreach (X509Certificate2 cert in certColection)
{
    handler.ClientCertificates.Add(cert);
    Log.Information($"Added certificate:");
    Log.Information($"Subject: {cert.Subject}");
    Log.Information($"Issuer: {cert.Issuer}");
    Log.Information($"Thumbprint: {cert.Thumbprint}");
}

Log.Information($"Number of client certificates found in handler: {handler.ClientCertificates.Count}");

using (var httpClient = new HttpClient(handler))
{
    using (var request = new HttpRequestMessage(new HttpMethod("POST"), apiEndPoint))
    {
        request.Headers.TryAddWithoutValidation("accept", "application/json");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);

        request.Content = new StringContent(JsonConvert.SerializeObject(input), Encoding.UTF8, "application/json");
        request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json");

        return await httpClient.SendAsync(request);
    }
}

Reproduction Steps

Follow code above

Expected behavior

Expect the code to send multiple certificates

Actual behavior

Sending 1 certificate

Regression?

No response

Known Workarounds

No response

Configuration

.net core 3.1
Windows

Other information

No response

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

The code below is only sending 1 certificate even though it loops through 4 certificates and finds 4 certificates

 var handler = new HttpClientHandler();

                handler.ClientCertificateOptions = ClientCertificateOption.Manual;

                X509Certificate2Collection certColection = new X509Certificate2Collection();
                certColection.Import(clientCertPath);

                foreach (X509Certificate2 cert in certColection)
                {
                    handler.ClientCertificates.Add(cert);
                    Log.Information($"Added certificate:");
                    Log.Information($"Subject: {cert.Subject}");
                    Log.Information($"Issuer: {cert.Issuer}");
                    Log.Information($"Thumbprint: {cert.Thumbprint}");
                }

                Log.Information($"Number of client certificates found in handler: {handler.ClientCertificates.Count}");

                using (var httpClient = new HttpClient(handler))
                {
                    using (var request = new HttpRequestMessage(new HttpMethod("POST"), apiEndPoint))
                    {
                        request.Headers.TryAddWithoutValidation("accept", "application/json");
                        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);

                        request.Content = new StringContent(JsonConvert.SerializeObject(input), Encoding.UTF8, "application/json");
                        request.Content.Headers.ContentType = MediaTypeHeaderValue.Parse("application/json");

                        return await httpClient.SendAsync(request);
                    }
                }

Reproduction Steps

Follow code above

Expected behavior

Expect the code to send multiple certificates

Actual behavior

Sending 1 certificate

Regression?

No response

Known Workarounds

No response

Configuration

.net core 3.1
Windows

Other information

No response

Author:	jaden-patel
Assignees:	-
Labels:	area-System.Net.Http, untriaged
Milestone:	-

[rzikm]

Why do you expect the code to send multiple certificates?

The underlying SslStream selects one at most one certificate (based on whether client cert is required and on the acceptable issuers specified by the server) and will use that one for the connection. That is how SSL/TLS works.

Even though the client may also send other certificates to form a chain from the selected chain to some root trusted certificate (for verification purposes), these generally are not the ones in the client certificate collection.

[jaden-patel]

The request URL expects multiple certificates in order to be able to send a POST request

[jaden-patel]

Our PFX contains multiple certificates, when we run this manually with a curl command it works

[wfurt]

I think this is dup of #26323. There is only one certificate with private key but there are intermediate CA certificates, right @jaden-patel?

[jaden-patel]

Hello @wfurt, yes it is! However we have a requirement to use .net core 3.1 - any way round this issue using .net core 3.1?

[rzikm]

The workaround would be adding the intermediate certificates to the windows cert store, this comment (#55368 (comment)) shows how it can be done programmatically. This needs to happen only once on the machine (or until the certificates change).

It can also be done by double-clicking the .pfx file in Windows Explorer. Note that you need to select the "Intermediate Certificate Authorities" store in the dialog.

[wfurt]

I don't know anything else for 3.1 besides what @rzikm recommended @jaden-patel.
For 7.0 I would like to add some API so the chain can be set explicitly. The ClientCertificates was never meant for the intermediate certificates. It is just collection of leaf certificates (with private keys) the client can choose from.

[karelz]

Duplicate of #26323