Setup: a .NET (4.6) client application connects to a remote SOAP service over HTTPS. The remote service can be configured to require a client certificate or not.
What I am looking for as an answer is any possible explanation of why scenario #2 fails ... the following 3 scenarios were all tested using exactly the same code base, only changing the certificates involved and whether or not a client certificate was required by the service.
Scenario #1 - no client certificate required
Scenario #2 - client certificate required, certificate A used
- certificate A is installed in Windows on client side (local computer store)
- certificate is valid, 2048 bits, non-wildcard, used successfully for server authentication in another unrelated service, issued by GoDaddy Secure Certificate Authority - G2
- certificate is shared with the remote party who seem to know what they are doing
- when client attempts request, handshake fails. On the client side the .NET exception is "The request was aborted: Could not create SSL/TLS secure channel.". On the server side the error is "client failed to present a certificate".
Scenario #3 - client certificate required, certificate B used
- everything is exactly the same as #2 except a different client certificate is used (B)
- certificate is valid, 2048 bits, wildcard, used successfully for server authentication in another unrelated service, issued by GeoTrust RSA CA 2018
- client connects OK
What we can see from logs is that in both scenario #2 and #3, the client and server negotiate to use TLS 1.2.
After running the above multiple times, checking everything, my only conclusion is that certificate A is somehow not compatible with the setup - either the .NET client decides not to present it, or the service cannot accept it. But what could possibly be different/missing?
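The server-side message "client failed to present a certificate" means the handshake reached the CertificateRequest step and the client answered without a certificate. Whether a Windows/.NET Framework client offers a certificate depends on a few checks that happen before any bytes are sent: the private key must be readable by the account the client runs as, the certificate's Extended Key Usage must allow Client Authentication (a certificate issued for server authentication only will not be offered), and when the server sends a list of acceptable issuers, only certificates whose chain reaches one of those issuers are offered. The following diagnostic console program is an added example, not code from the question; it prints each of those properties for "certificate A" and then attaches the certificate explicitly to an HttpWebRequest. The thumbprint and the service URL are placeholders to be filled in.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Diagnostic console program (added example, not the asker's code).
static class ClientCertDiagnostics
{
    // PLACEHOLDER: thumbprint of "certificate A" as shown in certlm.msc (no spaces).
    const string Thumbprint = "PLACEHOLDER_THUMBPRINT_OF_CERT_A";
    // PLACEHOLDER: the SOAP endpoint that requires a client certificate.
    const string ServiceUrl = "https://service.example.invalid/soap";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    static void Main()
    {
        // 1. Load the certificate from LocalMachine\My, the store the question says it is in.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("Certificate not found in LocalMachine\\My"); return; }
        var cert = found[0];
        Console.WriteLine("Subject: " + cert.Subject);
        Console.WriteLine("Issuer:  " + cert.Issuer);

        // 2. SChannel will not present a certificate whose private key this process cannot use.
        //    If this prints False, check the key's ACL (certlm.msc -> Manage Private Keys)
        //    for the account the client runs as.
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);

        // 3. Extended key usage: a server-auth-only certificate is not offered for client auth.
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        bool clientAuthAllowed = eku == null // no EKU extension means "any purpose"
            || eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid);
        Console.WriteLine("EKU permits clientAuth: " + clientAuthAllowed);
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        Console.WriteLine("KeyUsage: " + (ku == null ? "(none)" : ku.KeyUsages.ToString()));

        // 4. Can the certificate be chained for the client-authentication purpose on this machine?
        //    The intermediate/root subjects printed here are what must match the acceptable-CA
        //    list the server sends in its CertificateRequest (visible in a packet capture).
        var chain = new X509Chain();
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // keep the check offline-friendly
        bool chainOk = chain.Build(cert);
        Console.WriteLine("Chain builds for clientAuth: " + chainOk);
        foreach (var status in chain.ChainStatus)
            Console.WriteLine("  chain status: " + status.Status + " " + status.StatusInformation);
        foreach (var element in chain.ChainElements)
            Console.WriteLine("  chain element: " + element.Certificate.Subject);

        // 5. Attach the certificate explicitly instead of relying on automatic selection,
        //    and pin TLS 1.2, which the logs in the question show both sides negotiating.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        request.ClientCertificates.Add(cert);
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("Handshake OK, HTTP " + (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            // "Could not create SSL/TLS secure channel" usually carries a more specific inner exception.
            Console.WriteLine("Request failed: " + ex.Message);
            for (var inner = ex.InnerException; inner != null; inner = inner.InnerException)
                Console.WriteLine("  inner: " + inner.GetType().Name + ": " + inner.Message);
        }
    }
}
```

Run it under the same account as the real client (a service account often lacks read access to a key imported interactively). Comparing the output for certificate A and certificate B narrows the question to one of three places: the private-key ACL, the EKU/key-usage extensions, or the issuer list the server advertises; the last one is the usual reason a certificate from one CA is accepted while a certificate from another is silently never offered.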