Mutual SSL + + IIS7

2011, May 09    

This was very, very, VERY nasty. Took me 1 entire week (even with the support of our ITs).

As usual, in the end we discovered it wasn’t that hard anyway… From an IT point of view, all you have to do is:

  1. Get an SSL certificate whose Extended Key Usage includes both client authentication and server authentication
  2. Install it on IIS7 on your website (in the LocalMachine "My" store)
  3. Grant the website's current AppPool user access to the certificate's private key using winhttpcertcfg: winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s "[MY_CERTIFICATE_CN]" -a "[APP_POOL_USER]"

From a developer's point of view, instead, you just create a normal web service client, then load the certificate from the X509Store and add it to the ClientCertificates collection of the web service proxy.

This is part of the code I use to get the certificate from the store:

```csharp
using System.Security.Cryptography.X509Certificates;

public static X509Certificate2 LoadCertificateFromStore(string commonName)
{
    X509Certificate2 retVal = null;
    // LocalMachine\My is the store the certificate was installed into (step 2 above)
    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // validOnly = true skips expired or untrusted certificates
    var certColl = store.Certificates.Find(X509FindType.FindBySubjectName, commonName, true);
    if (null != certColl && 0 != certColl.Count)
        retVal = certColl[0];
    // Fallback: case-insensitive substring match on the full subject
    // (both sides lower-cased, otherwise a mixed-case commonName never matches)
    if (null == retVal)
    {
        var needle = commonName.ToLowerInvariant();
        foreach (var cert in store.Certificates)
            if (cert.Subject.ToLowerInvariant().Contains(needle))
                retVal = cert;
    }
    store.Close();
    return retVal;
}
```
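The rest of the client side, as an added example that is not the post's own code: it loads the certificate from LocalMachine\My, checks that the running account can actually open the private key (this is exactly what step 3 with winhttpcertcfg grants; if it is missing, the TLS handshake silently sends no client certificate and the server answers 403), and attaches the certificate to both a raw HttpWebRequest and an ASMX SOAP proxy. The subject name "client.example.test", the endpoint URL and the MyServiceProxy class (a hypothetical SoapHttpClientProtocol-derived proxy generated from the service WSDL) are placeholders, not values from the post.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services.Protocols;

public static class MutualTlsClient
{
    // Load a currently valid certificate by subject name from LocalMachine\My.
    public static X509Certificate2 LoadClientCertificate(string commonName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindBySubjectName, commonName, true);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No valid certificate with subject name '" + commonName + "' in LocalMachine\\My.");
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    // A client certificate is useless for mutual TLS without a usable private key.
    // When the AppPool identity has not been granted access to the key (winhttpcertcfg -g),
    // HasPrivateKey is still true but reading PrivateKey throws CryptographicException
    // ("Keyset does not exist" / "Access is denied"). Failing here gives a clear message
    // instead of a puzzling 403 from the remote service.
    public static void EnsurePrivateKeyUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate '" + cert.Subject + "' has no private key.");
        try
        {
            var key = cert.PrivateKey; // forces the key container to be opened (.NET Framework API)
            if (key == null)
                throw new InvalidOperationException("Private key of '" + cert.Subject + "' could not be opened.");
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Private key of '" + cert.Subject + "' exists but this account cannot read it; " +
                "grant the AppPool user access with winhttpcertcfg.exe -g.", ex);
        }
    }

    // Raw HTTP call presenting the client certificate.
    public static HttpWebRequest CreateRequest(Uri url, X509Certificate2 cert)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(cert);
        return request;
    }

    // ASMX proxy: generated proxies derive from SoapHttpClientProtocol, whose
    // HttpWebClientProtocol base exposes the same ClientCertificates collection.
    public static T CreateProxy<T>(string url, X509Certificate2 cert)
        where T : HttpWebClientProtocol, new()
    {
        var proxy = new T { Url = url };
        proxy.ClientCertificates.Add(cert);
        return proxy;
    }

    public static void Main()
    {
        // Placeholders: substitute the real subject CN and endpoint.
        var cert = LoadClientCertificate("client.example.test");
        EnsurePrivateKeyUsable(cert);

        var request = CreateRequest(new Uri("https://service.example.test/ping"), cert);
        using (var response = (HttpWebResponse)request.GetResponse())
            Console.WriteLine("HTTP " + (int)response.StatusCode);

        // MyServiceProxy is a hypothetical WSDL-generated SoapHttpClientProtocol subclass.
        // var svc = CreateProxy<MyServiceProxy>("https://service.example.test/Service.asmx", cert);
    }
}
```

Keep the default server certificate validation in place: overriding ServicePointManager.ServerCertificateValidationCallback to always return true is a common "quick fix" for handshake errors, but it removes the server-side half of the mutual authentication the whole setup is meant to provide.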
