How to use self-signed certificates in a WinRT app for HTTPS communication with IIS


I am pretty new to the whole certification world and I am currently smashing my head against my WinRT app to use self-signed certificates with my IIS web server over HTTPS. These are my current steps.

Create certificates: A root, server and a client certificate.

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert" -r -pe -n "CN=appCA" -sr CurrentUser -a sha1 -sky signature -cy authority -sv appCA.pvk appCA.cer
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert" -pe -n "CN=appServerCA" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic appCA.cer -iv appCA.pvk -sv appServerCA.pvk appServerCA.cer
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\makecert" -pe -n "CN=appclientCA" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -ic appCA.cer -iv appCA.pvk -sv appclientCA.pvk appclientCA.cer
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\pvk2pfx" -pvk appServerCA.pvk -spc appServerCA.cer -pfx appServerCA.pfx
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\pvk2pfx" -pvk appclientCA.pvk -spc appclientCA.cer -pfx appclientCA.pfx

I installed the appCA.cer in the "Trusted Root Certification Authorities" of the IIS server and imported the appServerCA.pfx with IIS. I created the https binding using the appServerCA.

In the client WinRT app I added the following to the appxmanifest:

<!--Certificates Extension-->
<Extension Category="windows.certificates">
  <Certificates>
    <Certificate StoreName="Root" Content="appCA.cer" />
    <Certificate StoreName="My" Content="appclientCA.cer" />
    <TrustFlags ExclusiveTrust="true" />
    <SelectionCriteria AutoSelect="true" />
  </Certificates>
</Extension>

I also added an HttpClientHandler to the HttpClient:

HttpClientHandler clientHandler = new HttpClientHandler();
clientHandler.ClientCertificateOptions = ClientCertificateOption.Automatic;
this.httpClient = new HttpClient(clientHandler, true);

but if I call an HTTPS URL I get the following inner exception:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
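
As an added example (not code from the question or the answer), the following desktop .NET Framework console program mimics the checks a TLS client performs on the server certificate, so the "Could not establish trust relationship" error can be narrowed down without touching the WinRT app: does appServerCA.cer chain to appCA.cer, does it carry the serverAuth EKU that makecert was told to add, does its name match the host in the https:// URL, and is appCA really in a Root store. It assumes appCA.cer and appServerCA.cer from the makecert steps are in the working directory and that the app connects to a host named "myserver"; both are assumptions, not values from the page.

```csharp
// Added diagnostic example; run on a desktop machine, not inside the WinRT app.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

class ServerCertCheck
{
    const string ServerAuthEku = "1.3.6.1.5.5.7.3.1"; // same OID makecert was given with -eku

    static void Main()
    {
        var root = new X509Certificate2("appCA.cer");
        var server = new X509Certificate2("appServerCA.cer");
        string host = "myserver"; // assumption: the host name used in the app's https:// URL

        // 1. Does the server certificate chain to appCA?
        // Tolerate an unknown root so the chain gets built at all, then compare the root
        // the engine found with appCA ourselves instead of relying on the machine's trust.
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(root);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        bool built = chain.Build(server);
        var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool chainsToAppCa = built && chainRoot.Thumbprint == root.Thumbprint;
        Console.WriteLine("chains to appCA:      " + chainsToAppCa);
        foreach (var status in chain.ChainStatus)
            Console.WriteLine("  chain status: " + status.Status + " " + status.StatusInformation.Trim());

        // 2. Is the certificate allowed to be used for server authentication (EKU)?
        bool hasServerAuth = server.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .SelectMany(e => e.EnhancedKeyUsages.Cast<Oid>())
            .Any(o => o.Value == ServerAuthEku);
        Console.WriteLine("serverAuth EKU:       " + hasServerAuth);

        // 3. Does the name in the certificate match the host the client connects to?
        // GetNameInfo returns a SAN DNS name if present, otherwise the subject CN,
        // which is where makecert -n "CN=..." put it.
        string certName = server.GetNameInfo(X509NameType.DnsName, false);
        bool nameMatches = string.Equals(certName, host, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("name matches host:    " + nameMatches + " (certificate says '" + certName + "')");

        // 4. Is appCA installed in a Trusted Root Certification Authorities store on this machine?
        bool rootInstalled = IsInRootStore(root, StoreLocation.CurrentUser)
                          || IsInRootStore(root, StoreLocation.LocalMachine);
        Console.WriteLine("appCA in Root store:  " + rootInstalled);
    }

    // Look the certificate up by thumbprint in the Root store of the given location.
    static bool IsInRootStore(X509Certificate2 cert, StoreLocation location)
    {
        var store = new X509Store(StoreName.Root, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Any line that prints false is a reason for the client to refuse the connection; the chain status lines say why the chain engine was unhappy. Note that the check is done with the machine's desktop stores, whereas the manifest's ExclusiveTrust="true" makes the WinRT app trust only the Root certificates listed in its own manifest, so check 4 tells you about the machine, not about the app container.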

Answer:

I have no knowledge of WinRT, but the client needs to have the appCA.cer certificate in its trusted root store to trust the server. Also, if you need the client to authenticate using a certificate, you need to use the private key corresponding to the client certificate in the connection. In .NET there is the X509Certificate2 class that can be used; I don't know if there is something similar in the WinRT world.
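
As an added example (not code from the answer or the question), here is the WinRT-side counterpart of the X509Certificate2 approach the answer describes for desktop .NET: the manifest in the question installs appclientCA.cer into the My store, and a .cer file carries no private key, so ClientCertificateOption.Automatic has nothing it can sign with. The snippet imports appclientCA.pfx (which does contain the key) into the app container's store with Windows.Security.Cryptography.Certificates and then checks that a certificate with a private key is present. It assumes appclientCA.pfx is packaged with the app as content, that the PFX password is passed in by the caller (empty if none was set with pvk2pfx), and that the friendly name "appclientCA" is free to use; all three are assumptions.

```csharp
// Added WinRT example; assumes appclientCA.pfx is deployed as package content.
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel;
using Windows.Security.Cryptography;
using Windows.Security.Cryptography.Certificates;
using Windows.Storage;

static class ClientCertificateSetup
{
    const string FriendlyName = "appclientCA"; // assumption: label used to find the certificate again

    // Import the PFX into the app's own certificate store (for example on first launch)
    // and report whether a usable client certificate is now available.
    public static async Task<bool> EnsureClientCertificateAsync(string pfxPassword)
    {
        var file = await Package.Current.InstalledLocation.GetFileAsync("appclientCA.pfx");
        var pfxBytes = await FileIO.ReadBufferAsync(file);
        string pfxBase64 = CryptographicBuffer.EncodeToBase64String(pfxBytes);

        // The private key is kept non-exportable inside the app container and can be
        // used without prompting the user each time a connection is made.
        await CertificateEnrollmentManager.ImportPfxDataAsync(
            pfxBase64,
            pfxPassword,
            ExportOption.NotExportable,
            KeyProtectionLevel.NoConsent,
            InstallOptions.None,
            FriendlyName);

        return await ClientCertificateHasPrivateKeyAsync();
    }

    // What ClientCertificateOption.Automatic can actually pick from: a certificate that
    // came from a .cer file reports HasPrivateKey == false and cannot authenticate.
    public static async Task<bool> ClientCertificateHasPrivateKeyAsync()
    {
        var query = new CertificateQuery { FriendlyName = FriendlyName };
        var matches = await CertificateStores.FindAllAsync(query);
        foreach (Certificate cert in matches)
        {
            if (cert.HasPrivateKey)
                return true;
        }
        return false;
    }
}
```

Call EnsureClientCertificateAsync before creating the HttpClient from the question; once it returns true, the HttpClientHandler with ClientCertificateOption.Automatic has a certificate with a private key to present when IIS asks for one. Shipping a PFX inside the package means its password is effectively public to anyone who can read the package, so this fits a development setup, not a production credential.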