I have an IIS extension for BITS with upload enabled on the server (Win2008) and a C# .NET 4 client running as a Windows service on the client machine (Win8.1).
The BITS upload without the certificate auth is working fine.
I have generated a self-signed root cert, added it to TrustedCA storage on both machines, generated child client and server certs, added them to the respective storages. Both are displayed as valid and trusted in the MMC console.
However, when I try to use client cert authentication (setting "Require client certificate" in the IIS and adding the certificate to the BITS job on the client), the client certificate does not seem to be received by IIS.
The code I'm using to set the cert on client is:
var httpOptions = (IBackgroundCopyJobHttpOptions) job2;
httpOptions.SetClientCertificateByName(certificate.certLocation, certificate.certStoreName, certificate.certSubjectName);
The certLocation is
BG_CERT_STORE_LOCATION.BG_CERT_STORE_LOCATION_LOCAL_MACHINE
since the client certificate is installed into LocalMachine and the service is running as LocalSystem.
Additionally, right after I have called SetClientCertificateByName, I try to get it back:
BG_CERT_STORE_LOCATION loc;
string stName, stLocation;
var hash = new IntPtr(); // receives a pointer to the certificate hash blob
// out params: store location, store name, cert hash blob, subject name
httpOptions.GetClientCertificate(out loc, out stName, hash, out stLocation);
But it returns empty values.
I have tried to check the certificate presence via:
using System.Security.Cryptography.X509Certificates;

var store = new X509Store(certificate.certStoreName, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
// validOnly = true: only certificates that pass chain validation are returned
var certs = store.Certificates.Find(X509FindType.FindBySubjectName, certificate.certSubjectName, true);
and the certificate is indeed there.
I have also tried using WinHttpCertCfg.exe (no errors, but nothing changed) and FindPrivateKey.exe (says "Unable to obtain private key file name") to grant access to the cert's private key to the LocalSystem account.
I'm out of ideas on this one. Any insight would be very appreciated.
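The checks described in the question (locate the cert by subject name in the LocalMachine store, confirm it has a private key, confirm LocalSystem can read that key) as one diagnostic routine. This is an added example, not code from the question; it assumes the key is a CAPI RSA key stored under the MachineKeys directory (CNG keys live elsewhere and are not covered), and the store and subject names are passed in by the caller.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Assumed location of CAPI machine key files; verify on the target host.
    static readonly string MachineKeysDir = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
        @"Microsoft\Crypto\RSA\MachineKeys");

    // Looks the cert up the same way the BITS job does (by subject name in
    // LocalMachine\<storeName>) and reports whether its private key is usable.
    public static void Check(string storeName, string subjectName)
    {
        var store = new X509Store(storeName, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var certs = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
        store.Close();
        if (certs.Count != 1) { Console.WriteLine("Expected exactly one valid cert, found " + certs.Count); return; }

        var cert = certs[0];
        Console.WriteLine("Thumbprint: " + cert.Thumbprint + "  HasPrivateKey: " + cert.HasPrivateKey);
        if (!cert.HasPrivateKey) return;

        RSACryptoServiceProvider rsa;
        try { rsa = cert.PrivateKey as RSACryptoServiceProvider; }
        catch (CryptographicException ex)
        {   // Thrown when the calling account cannot open the key container: this is the ACL problem itself.
            Console.WriteLine("Private key not accessible to " + WindowsIdentity.GetCurrent().Name + ": " + ex.Message);
            return;
        }
        if (rsa == null) { Console.WriteLine("Not a CAPI RSA key; MachineKeys ACL check does not apply."); return; }

        // A key imported with the user key set is invisible to a service running as LocalSystem.
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("Container: " + info.KeyContainerName + "  MachineKeySet: " + info.MachineKeySet);

        var keyFile = Path.Combine(MachineKeysDir, info.UniqueKeyContainerName);
        Console.WriteLine("Key file: " + keyFile + "  exists: " + File.Exists(keyFile));
        if (!File.Exists(keyFile)) return;

        // Which accounts may read the key file; SYSTEM needs read access for a LocalSystem service.
        FileSecurity acl = File.GetAccessControl(keyFile);
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine(rule.AccessControlType + "  " + rule.IdentityReference + "  " + rule.FileSystemRights);
    }
}
```

Run it once from an elevated console and once from inside the service itself: a CryptographicException in the second run but not the first points at the key container ACL or a user key set rather than at BITS.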