[API Proposal]: Support Passing Full Certificate Chain with HttpClientHandler.ClientCertificates #110867
Labels
api-suggestion
Early API idea and discussion, it is NOT ready for implementation
area-System.Net.Security
untriaged
New issue has not been triaged by the area owner
Background and motivation
Background
Currently, it is not possible to explicitly pass a client certificate together with its full chain to HttpClientHandler, even though mTLS clients are expected to send the full chain. .NET does send the full chain today, but to retrieve the CA certificates it relies on external sources such as the X509Store (StoreName.CertificateAuthority).

While this approach works in many cases, it can lead to challenges in specific scenarios:

- The X509Store limits user control. In cases with multiple possible chains (e.g., cross-signing scenarios), the system might select an unintended chain.

Request
We propose adding an API to explicitly pass the full certificate chain alongside the client certificate in HttpClientHandler.ClientCertificates. This would eliminate the need for automatic downloads or for storing certificates in the X509Store beforehand. Users would retain full control over the certificate chain and could ensure it aligns with their specific requirements.

Current Limitations
The HttpClientHandler.ClientCertificates API does not currently allow the explicit inclusion of the full certificate chain. As noted in the discussion quoted below, this would require introducing a new API to support this functionality:
Originally posted by @karelz in #47680
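As an added illustration (not code from this issue or from dotnet/runtime), the following builds a constructed in-memory test PKI and shows X509Chain succeeding only when the intermediate is supplied explicitly through ChainPolicy.ExtraStore, which is the caller-controlled input the proposal asks for; HttpClientHandler today has no equivalent and falls back to the CertificateAuthority store described above. The subject names, key sizes and validity periods are arbitrary test values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed, in-memory test PKI: root CA -> intermediate CA -> client leaf.
using RSA rootKey = RSA.Create(2048);
using RSA intKey = RSA.Create(2048);
using RSA leafKey = RSA.Create(2048);
X509Certificate2 root = MakeCa("Test Root CA", null, rootKey);
X509Certificate2 intermediate = MakeCa("Test Intermediate CA", root, intKey);
var leafReq = new CertificateRequest("CN=mtls-client", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
X509Certificate2 leaf = leafReq.Create(intermediate, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(30), new byte[] { 3 });

// Case 1: the intermediate is handed over explicitly (what the proposal wants to allow).
TryBuild(leaf, root, intermediate);
// Case 2: only the leaf is available and no store holds the intermediate: the chain cannot be completed.
TryBuild(leaf, root, null);

static bool TryBuild(X509Certificate2 leaf, X509Certificate2 root, X509Certificate2? intermediate)
{
    using var chain = new X509Chain();
    // CustomRootTrust pins trust to the test root so the machine's root store is never consulted.
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    chain.ChainPolicy.CustomTrustStore.Add(root);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    if (intermediate is not null)
        chain.ChainPolicy.ExtraStore.Add(intermediate); // explicit, caller-controlled intermediate
    bool built = chain.Build(leaf);
    Console.WriteLine($"intermediate supplied: {intermediate is not null} -> Build={built}, elements={chain.ChainElements.Count}");
    foreach (X509ChainElement e in chain.ChainElements)
        Console.WriteLine($"  {e.Certificate.Subject}");
    foreach (X509ChainStatus s in chain.ChainStatus)
        Console.WriteLine($"  status: {s.Status}"); // PartialChain is reported when the intermediate is missing
    return built;
}

static X509Certificate2 MakeCa(string name, X509Certificate2? issuer, RSA key)
{
    var req = new CertificateRequest($"CN={name}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
    req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
    DateTimeOffset now = DateTimeOffset.UtcNow;
    if (issuer is null)
        return req.CreateSelfSigned(now, now.AddYears(2));
    // Create() returns a public-only certificate; re-attach the key so this CA can sign the next level.
    return req.Create(issuer, now, now.AddYears(1), new byte[] { 2 }).CopyWithPrivateKey(key);
}
```

The collection .NET hands to the TLS stack is whatever Build resolves, so whether the peer receives the intended chain depends entirely on which intermediates the builder could locate.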
Benefits of the Proposed API
HttpClientHandler.ClientCertificates, where one might expect that a chain can be supplied.

API Proposal
API Usage
Alternative Designs
It might make sense to introduce a way to influence whether the system store should be consulted or not, either via an extension to the ClientCertificateOptions enum or a dedicated property.

Risks
No response