We are building a gateway that will take requests from companies for information and then forward the requests onto the selected service providers that hold that information.
E.g.
Company A ---HTTPS request---> Our Proxy ---> Service Provider A
Company A ---HTTPS request---> Our Proxy ---> Service Provider B.
One of the service providers has mandated that the requesting companies use client certificates issued by them.
This means we must pass on the client certificate without ever having it installed on our server, or knowing the private key.
Currently we are testing with a dummy C# client, emulating the requesting company, and we can receive the client certificate into our proxy via
var clientCertificate = Request.HttpContext.Connection.ClientCertificate;
using Kestrel and ASP.NET Core 1.0.
However, we then need to send on the client certificate to the service provider using a web request, e.g.
var req = (HttpWebRequest)WebRequest.Create(uri);
req.ClientCertificates.Add(clientCertificate);
We notice that the client cert obtained by the proxy server does not have a private key, which is expected given it's a private key.
We could not get our test C# client, which emulates the requesting company to our proxy, to send a client certificate unless the test client had the private key available.
This leads us to think it is not possible to proxy a request with a client certificate without knowing the private key.
Unfortunately we do not have the Service provider interface available to test against, as it is currently being built.
Q1: Will C# send a client certificate with a web request if you do not have the private key available?
Q2: Would the remote server accept the certificate without a private key, or does the remote server require the requesting host (our proxy in this instance) to have the private key in order to perform the SSL handshake and authenticate the client certificate?
We are trying to determine if the scenario described above will work without the proxy knowing the private key.
If that were possible, that would defy the purpose of client certificates, as anyone could intercept and use them to their own benefit, pretending that they are the actual assignee. In other words, you are trying to be a middleman in a scheme that is designed to eliminate middlemen in the first place.
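As an added example, not taken from the question or the answer above, here is the pre-flight check a proxy in the questioner's position can run on the certificate Kestrel hands it, followed by the outbound call. It uses the .NET X509Certificate2 and HttpClientHandler APIs; the class name, method names and providerUri are hypothetical. It makes the answer's point concrete: a certificate received from a peer is only the public half, the TLS handshake authenticates the client by a signature made with the private key, and the proxy can only detect that it lacks the key and fail early rather than let the outbound handshake fail for an unclear reason.

```csharp
// Added example for the proxy described in the question; not code from the
// question, the answer, or any project. Assumes an ASP.NET Core controller in
// which Request.HttpContext.Connection.ClientCertificate holds the certificate
// Kestrel validated on the inbound connection. providerUri is hypothetical.
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class ClientCertForwarding
{
    // Returns null when the certificate can be used to authenticate an
    // outbound TLS connection, otherwise a human-readable reason why not.
    public static string WhyItCannotBeForwarded(X509Certificate2 cert)
    {
        if (cert == null)
            return "no client certificate was presented on the inbound connection";

        // The certificate a peer sends over TLS is public data. The peer
        // proves ownership by signing the handshake (CertificateVerify) with
        // the private key, and the service provider checks that signature
        // against the public key inside the certificate. Without the key the
        // proxy cannot produce that signature, so the outbound client will
        // not be able to authenticate with this certificate.
        if (!cert.HasPrivateKey)
            return "certificate " + cert.Thumbprint + " has no private key; " +
                   "only its real owner can authenticate with it";

        // Defensive: HasPrivateKey can be true while the key is not actually
        // usable by this process (e.g. non-exportable key in another store).
        using (RSA rsa = cert.GetRSAPrivateKey())
        using (ECDsa ecdsa = cert.GetECDsaPrivateKey())
        {
            if (rsa == null && ecdsa == null)
                return "private key is referenced but not accessible to this process";
        }
        return null;
    }

    // Forwards the request only after the check above passes, so a missing
    // key surfaces as an explicit error instead of a failed TLS handshake.
    public static async Task<HttpResponseMessage> ForwardAsync(
        X509Certificate2 cert, Uri providerUri)
    {
        string reason = WhyItCannotBeForwarded(cert);
        if (reason != null)
            throw new InvalidOperationException("cannot authenticate to provider: " + reason);

        var handler = new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual
        };
        handler.ClientCertificates.Add(cert);

        using (var client = new HttpClient(handler))
        {
            return await client.GetAsync(providerUri);
        }
    }
}
```

Called from the controller in the question with Request.HttpContext.Connection.ClientCertificate, WhyItCannotBeForwarded returns the "no private key" reason for every certificate received from a requesting company, which is the behaviour the questioner observed with the test client: the private key never leaves its owner, so the proxy has nothing with which to complete the outbound handshake.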