
Client certificate authentication works with .NET 8 and fails with .NET 9

Open drauch opened this issue 2 months ago • 3 comments

Describe the bug

I'm using the following server settings:

    _mockSignPathApi = WireMockServer.Start(
        new WireMockServerSettings
        {
          Port = 8888,
          ClientCertificateMode = ClientCertificateMode.AllowCertificate,
          AcceptAnyClientCertificate = true,
          UseSSL = true
        });

and use your own client_cert.pfx from your test suite as client certificate. In .NET 8 this setup works, in .NET 9 this fails (i.e., the request fails, I don't even come to the point where I could assert whether it's there).

Expected behavior:

It should work with .NET 9 too.

Other related info

Newest WireMock.NET version.

drauch avatar Oct 12 '25 08:10 drauch

Ah the culprit seems to be your client_cert.pfx (https://github.com/wiremock/WireMock.Net/blob/master/test/WireMock.Net.Tests/client_cert.pfx) in the test suite.

.NET 8:

  • new X509Certificate2(file, "1234") => X509Certificate2 incl. private key

.NET 9:

  • new X509Certificate2(file, "1234") => Access denied exception
  • X509CertificateLoader.LoadPkcs12FromFile(file, "1234") => X509Certificate2 without private key

drauch avatar Oct 12 '25 08:10 drauch

OK, by default it loads it with the flag EphemeralKeySet which doesn't work. Using the flags Exportable | UserKeySet when loading with X509CertificateLoader fixes the problem.

May it help you when migrating the project to .NET 9+ :-)

Best regards, D.R.

drauch avatar Oct 12 '25 08:10 drauch
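
An added C# example (not from the issue thread or the WireMock.Net code base) of the fix described in the comment above: load the PFX with `X509CertificateLoader` using `Exportable | UserKeySet`, then check `HasPrivateKey` before attaching the certificate to an `HttpClientHandler`. The self-signed PFX, its temp path and the `LoadClientCertificate` helper are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample input: a throwaway self-signed certificate exported as a
// PFX, standing in for the client_cert.pfx from the issue so this runs offline.
const string pfxPassword = "1234";
string pfxPath = Path.Combine(Path.GetTempPath(), "constructed_client_cert.pfx");
using (RSA rsa = RSA.Create(2048))
{
    var request = new CertificateRequest("CN=constructed-test-client", rsa,
        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    using X509Certificate2 selfSigned = request.CreateSelfSigned(
        DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    File.WriteAllBytes(pfxPath, selfSigned.Export(X509ContentType.Pfx, pfxPassword));
}

// Hypothetical helper: load with the flags reported in the thread and refuse
// to continue if the private key did not come along with the certificate.
static X509Certificate2 LoadClientCertificate(string path, string password)
{
    X509Certificate2 cert = X509CertificateLoader.LoadPkcs12FromFile(
        path, password,
        X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);
    if (!cert.HasPrivateKey)
    {
        cert.Dispose();
        throw new InvalidOperationException(
            $"'{path}' loaded without a private key; TLS client authentication would fail.");
    }
    return cert;
}

// Dispose the certificate when done: PersistKeySet is not set, so on Windows
// the key imported into the user key store is removed on disposal.
using X509Certificate2 clientCert = LoadClientCertificate(pfxPath, pfxPassword);
using var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
handler.ClientCertificates.Add(clientCert);
Console.WriteLine($"{clientCert.Subject}: HasPrivateKey={clientCert.HasPrivateKey}");
File.Delete(pfxPath);
```

The `HasPrivateKey` check turns the silent "certificate without private key" result from the earlier comment into an explicit failure at load time instead of a failed request later.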

@drauch I keep this bug open as a reminder.

StefH avatar Oct 12 '25 08:10 StefH