With the following code I can establish an SSL connection:

    # Pick the client certificate from the current user's personal store
    $cert = dir cert:\CurrentUser\My | where {$_.Subject -like "*Alice*"}

    $computerName = "google.com"
    $port = "443"

    # Plain TCP connection, then wrap the network stream in an SslStream
    $socket = New-Object Net.Sockets.TcpClient($computerName, $port)
    $stream = $socket.GetStream()

    $sslStream = New-Object System.Net.Security.SslStream $stream,$false
    $sslStream.AuthenticateAsClient($computerName)

    $sslStream

This works fine. But now I want to add a client certificate for authentication. I think I just need to substitute

$sslStream.AuthenticateAsClient($computerName)

with

$sslStream.BeginAuthenticateAsClient($computerName,$cert,"SslProtocols",$false,"Foo" ,"Bar")

But I wasn't lucky enough to get the arguments right. Can somebody solve the async calls please ;-) Maybe I need some C# code for this?!?

Arguments are:

    System.IAsyncResult BeginAuthenticateAsClient(
        string targetHost,
        System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates,
        System.Security.Authentication.SslProtocols enabledSslProtocols,
        bool checkCertificateRevocation,
        System.AsyncCallback asyncCallback,
        System.Object asyncState)

What I finally want to achieve is to list, and later specify, the cipher suites the client is connected with. (I could use Wireshark, I know ;-) )

icnivad
  • Side note: I've read that System.Net.Security.SslStream might depend on .NET FW 4; I enabled this on my test client: reg add hklm\software\microsoft\.netframework /v OnlyUseLatestCLR /t REG_DWORD /d 1 – icnivad Jan 26 '12 at 12:59

2 Answers

4

Finally got it working; it wasn't argument 4 but the $Cert, which was no collection.

    $cert = dir cert:\CurrentUser\My | where {$_.Subject -like "*alice*"}

    $computerName = "google.com"
    $port = "443"

    # Protocol value as used in the original answer. SSL 3.0 is obsolete and
    # current servers and runtimes reject it; the same overload accepts
    # [System.Security.Authentication.SslProtocols]::Tls12.
    [System.Security.Authentication.SslProtocols]$protocol = "ssl3"

    # The overload expects an X509CertificateCollection, not a single certificate
    $certcol = New-object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    $certcol.Add($cert)

    $socket = New-Object Net.Sockets.TcpClient($computerName, $port)
    $stream = $socket.GetStream()

    $sslStream = New-Object System.Net.Security.SslStream $stream,$false
    #$sslStream.AuthenticateAsClient($computerName)
    # targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation
    $sslStream.AuthenticateAsClient($computerName,$certcol,$protocol,$false)

    $sslStream
icnivad
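The following is an added example, not code from the question or the answers above. It wraps the accepted answer's approach in a function, adds the checks a practitioner would want before handing a certificate to SslStream (the certificate must carry its private key, revocation checking is switched on, and the protocol is pinned to TLS 1.2 instead of the answer's "ssl3"), and then reads back the negotiated protocol and cipher parameters, which is what the asker wanted to list without Wireshark. The subject filter "*Alice*", the target host and the function name are assumptions for the example.

```powershell
# Added example (not from the original question or answers): connect with a
# client certificate and report what the TLS session actually negotiated.
# Assumptions: a certificate whose subject contains "Alice" exists in the
# CurrentUser\My store together with its private key, and $TargetHost is reachable.
function Connect-MutualTls {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [string]$SubjectFilter = "*Alice*"
    )

    # Pick one certificate; the subject filter is an assumption for this example.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $SubjectFilter } |
        Select-Object -First 1

    if (-not $cert) { throw "No certificate matching '$SubjectFilter' in CurrentUser\My" }
    # Without the private key the client cannot sign the handshake's CertificateVerify
    # message, so the certificate would be unusable for authentication.
    if (-not $cert.HasPrivateKey) { throw "Certificate '$($cert.Subject)' has no private key" }

    # AuthenticateAsClient wants a collection, not a single X509Certificate2.
    $certCol = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    [void]$certCol.Add($cert)

    # Validation callback: only used here to log the server's certificate.
    # Returning "no policy errors" keeps the default, strict server validation.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        Write-Verbose ("Server certificate: {0} (errors: {1})" -f $certificate.Subject, $sslPolicyErrors)
        return ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }

    $socket = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $sslStream = New-Object System.Net.Security.SslStream($socket.GetStream(), $false, $validate)
    try {
        # TLS 1.2 with revocation checking enabled; the original answer used "ssl3",
        # which current servers and runtimes reject.
        $sslStream.AuthenticateAsClient(
            $TargetHost,
            $certCol,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $true)   # checkCertificateRevocation

        # IsMutuallyAuthenticated stays $false when the server never asked for a
        # client certificate (public sites such as google.com do not), even though
        # the collection was supplied: the client only sends it on request.
        $info = [ordered]@{
            TargetHost            = $TargetHost
            Protocol              = $sslStream.SslProtocol
            CipherAlgorithm       = $sslStream.CipherAlgorithm
            CipherStrength        = $sslStream.CipherStrength
            HashAlgorithm         = $sslStream.HashAlgorithm
            KeyExchangeAlgorithm  = $sslStream.KeyExchangeAlgorithm
            MutuallyAuthenticated = $sslStream.IsMutuallyAuthenticated
            ClientCertSubject     = $(if ($sslStream.LocalCertificate) { $sslStream.LocalCertificate.Subject } else { $null })
        }
        # Newer runtimes (.NET Core 3.0 and later) expose the IANA cipher suite name directly.
        if ($sslStream.PSObject.Properties['NegotiatedCipherSuite']) {
            $info.CipherSuite = $sslStream.NegotiatedCipherSuite
        }
        return [pscustomobject]$info
    }
    finally {
        $sslStream.Dispose()
        $socket.Dispose()
    }
}

# Usage:
# Connect-MutualTls -TargetHost "google.com" -Verbose | Format-List
```

The per-property values (CipherAlgorithm, CipherStrength, HashAlgorithm, KeyExchangeAlgorithm) are what the .NET Framework SslStream offers; together they identify the negotiated suite even on runtimes that lack NegotiatedCipherSuite. Restricting which suites the client offers is not an SslStream parameter at all: on Windows it is a Schannel policy (the SSL cipher suite order group policy or the Schannel registry keys), which is why the function only reports the outcome.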
0

According to the documentation, the difference between AuthenticateAsClient and BeginAuthenticateAsClient is that the latter is for asynchronous use.

You should try AuthenticateAsClient(String, X509CertificateCollection, SslProtocols, Boolean), where the second argument is a collection of client certificates that can be used (preferably X509Certificate2, since you'll need the private key associated with the certificate for it to be usable for authentication).

Bruno
  • ;-) I should do my research on MSDN with .NET 4 FW; I just saw the AuthenticateAsClient(string) method. I will test. – icnivad Jan 26 '12 at 13:24
  • Added: [System.Security.Authentication.SslProtocols]$protocol = "ssl3", but my call $sslStream.AuthenticateAsClient($computerName,$cert,$protocol,$false) gives me back the error: Cannot find an overload for "AuthenticateAsClient" and the argument count: "4". – icnivad Jan 26 '12 at 13:47
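As an added example (not part of this answer or the asker's code), this shows the asynchronous overload from the question driven from PowerShell: BeginAuthenticateAsClient followed by a wait on the returned IAsyncResult and EndAuthenticateAsClient, with the same certificate-collection argument this answer describes. It assumes a certificate with "Alice" in its subject and a private key in CurrentUser\My; the function name and the timeout are assumptions for the example.

```powershell
# Added example (not from the original answers): the asynchronous overload the
# question asked about, driven from PowerShell. Assumes a certificate with
# "Alice" in its subject (with private key) in CurrentUser\My.
function Connect-MutualTlsAsync {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 443,
        [string]$SubjectFilter = "*Alice*",
        [int]$TimeoutMs = 10000
    )

    # Only a certificate with its private key can be used for client authentication
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $SubjectFilter -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key matching '$SubjectFilter'" }

    # The overload takes an X509CertificateCollection, not a single certificate
    $certCol = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    [void]$certCol.Add($cert)

    $socket = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    $sslStream = New-Object System.Net.Security.SslStream($socket.GetStream(), $false)
    try {
        # asyncCallback and asyncState are $null on purpose: a PowerShell script block
        # passed as an AsyncCallback would run on a thread-pool thread without a runspace.
        # Waiting on the IAsyncResult from this thread gives the same result safely.
        $ar = $sslStream.BeginAuthenticateAsClient(
            $TargetHost,
            $certCol,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $true,     # checkCertificateRevocation
            $null,     # asyncCallback
            $null)     # asyncState

        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TLS handshake with $TargetHost did not finish within $TimeoutMs ms"
        }
        # EndAuthenticateAsClient rethrows any handshake failure (rejected certificate,
        # protocol mismatch, validation error), so failures surface here, not silently.
        $sslStream.EndAuthenticateAsClient($ar)

        return [pscustomobject]@{
            TargetHost            = $TargetHost
            Protocol              = $sslStream.SslProtocol
            CipherAlgorithm       = $sslStream.CipherAlgorithm
            CipherStrength        = $sslStream.CipherStrength
            MutuallyAuthenticated = $sslStream.IsMutuallyAuthenticated
        }
    }
    finally {
        $sslStream.Dispose()
        $socket.Dispose()
    }
}

# Usage:
# Connect-MutualTlsAsync -TargetHost "google.com" | Format-List
```

The Begin/End pair buys nothing over the synchronous AuthenticateAsClient in a linear script; its value is the timeout, which the synchronous overload does not offer, so a server that stalls mid-handshake cannot hang the session indefinitely.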