IIS Express Client Certificates

We recently had to investigate how to CAC-enable a web application, one of the challenges was setting up a proper development environment to prototype & test code changes before deploying to other environments.

STEP 1 - You need to have a client certificate installed on your development machine. Assuming you don't have a readily available CAC or Smart Card, you can either create a self-signed certificate OR for this example we just used a corporate outlook email client certificate (used to sign & encrypt emails). 

Note: The certificate should be available in your web browser. For IE go to Internet Options > Content > Certificates to view all your certificates. In Chrome, go to Settings > Show advanced settings > HTTPS/SSL > Manage certificates.

STEP 2 - Using Visual Studio, create a default ASP.NET MVC 5 web application.

STEP 3 - Enable SSL for your project. In Visual Studio, hit F4 to open Project Properties and set  SSL Enabled  to  TRUE 

STEP 4 - Set your project to start in SSL mode. In Visual Studio, hit Alt + Enter to go to Project Properties then select the Web tab and modify the  Project Url  property to your local SSL Url e.g.  https://localhost:44300 .

Note: You can retrieve the Url from STEP 3, under SSL Enabled there's an  SSL Url  value.

STEP 5 - Modify the IIS Express configuration file applicationhost.config.

Locate the applicationhost.config configuration file:
- If you're using Visual Studio 2015 it's going to be under [solution directory]\.vs\config\ (if you don't have a solution folder, look at the parent folder for a .vs folder). 
- For earlier versions, it's going to be under C:\Users\[username]\Documents\IISExpress\config\.

Set <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />

Set <iisClientCertificateMappingAuthentication enabled="true"></iisClientCertificateMappingAuthentication>

Note: Stop Visual Studio debugging and shutdown IIS Express so the changes are applied, in the lower task bar right-click the IIS Express icon and hit Exit then select Yes.

STEP 6 - Add Code to retrieve the Client Certificate data.

In the default ASP.NET MVC HomeController, add the HttpClientCertificate object to retrieve the certificate info then you have access to all its properties e.g. .Subject.

    public class HomeController : Controller
        public ActionResult Index()
            HttpClientCertificate cs = Request.ClientCertificate;
            var subject = cs.Subject;
            return View();

STEP 7 - Finally in Visual Studio, add a breakpoint in your HomeController Index action to view the .Subject property then hit F5 to debug your solution. The first time you start the solution, your browser will typically ask you to select a certificate. Once selected, it will then hit your breakpoint and .Subject should have a value e.g. "C=US, S=...". If it's empty then go back to the previous steps and check if you missed anything, also check if your browser has the client certificate (see STEP 1).

Hope this helps!

[original publish date: 02/18/16]


  1. post is 4 years old, but works perfectly

    1. It doesn't work. can you post completed code? Thanks


Post a Comment

Popular posts from this blog

ASP.NET Identity Remember Me

ASP.NET MVC - How to enable/disable CaC/Client Certificate authentication per area or route.