Client certificate authentication works with .NET 8 and fails with .NET 9 #719

New Issue

adam · 2025-12-29T08:32:56+01:00

adam commented

2025-12-29 08:32:56 +01:00

Originally created by @drauch on GitHub (Oct 12, 2025).

Describe the bug

I'm using the following server settings:

    _mockSignPathApi = WireMockServer.Start(
        new WireMockServerSettings
        {
          Port = 8888,
          ClientCertificateMode = ClientCertificateMode.AllowCertificate,
          AcceptAnyClientCertificate = true,
          UseSSL = true
        });

and use your own client_cert.pfx from your test suite as client certificate. In .NET 8 this set up works, in .NET 9 this fails (i.e, the request fails, I don't even come to the point where I could assert whether it's there).

Expected behavior:

It should work with .NET 9 too.

Newest WireMock.NET version.

Originally created by @drauch on GitHub (Oct 12, 2025). ### Describe the bug I'm using the following server settings: ``` _mockSignPathApi = WireMockServer.Start( new WireMockServerSettings { Port = 8888, ClientCertificateMode = ClientCertificateMode.AllowCertificate, AcceptAnyClientCertificate = true, UseSSL = true }); ``` and use your own client_cert.pfx from your test suite as client certificate. In .NET 8 this set up works, in .NET 9 this fails (i.e, the request fails, I don't even come to the point where I could assert whether it's there). ### Expected behavior: It should work with .NET 9 too. ### Other related info Newest WireMock.NET version.

adam added the bug label 2025-12-29 08:32:56 +01:00

adam commented

2025-12-29 08:32:56 +01:00

@drauch commented on GitHub (Oct 12, 2025):

Ah the culprit seems to be your client_cert.pfx (https://github.com/wiremock/WireMock.Net/blob/master/test/WireMock.Net.Tests/client_cert.pfx) in the test suite.

.NET 8:

new X509Certiifcate2(file, "1234") => X509Certificate2 incl. private key

.NET 9:

new X509Certiifcate2(file, "1234") => Access denied exception
X509CertificateLoader.LoadPkcs12FromFile(file, "1234") => X509Certificate2 without private key

@drauch commented on GitHub (Oct 12, 2025): Ah the culprit seems to be your client_cert.pfx (https://github.com/wiremock/WireMock.Net/blob/master/test/WireMock.Net.Tests/client_cert.pfx) in the test suite. .NET 8: * new X509Certiifcate2(file, "1234") => X509Certificate2 incl. private key .NET 9: * new X509Certiifcate2(file, "1234") => Access denied exception * X509CertificateLoader.LoadPkcs12FromFile(file, "1234") => X509Certificate2 without private key

adam commented

2025-12-29 08:32:56 +01:00

@drauch commented on GitHub (Oct 12, 2025):

OK, by default it loads it with the flag EphemeralKeySet which doesn't work.
Using the flags Exportable | UserKeySet when loading with X509CertificateLoader fixes the problem.

May it help you when migrating the project to .NET9+ :-)

Best regards,
D.R.

@drauch commented on GitHub (Oct 12, 2025): OK, by default it loads it with the flag `EphemeralKeySet` which doesn't work. Using the flags `Exportable | UserKeySet` when loading with `X509CertificateLoader` fixes the problem. May it help you when migrating the project to .NET9+ :-) Best regards, D.R.

adam commented

2025-12-29 08:32:57 +01:00

@StefH commented on GitHub (Oct 12, 2025):

@drauch
I keep this bug open as reminder.

@StefH commented on GitHub (Oct 12, 2025): @drauch I keep this bug open as reminder.

Sign in to join this conversation.

Branches Tags

master

mime-part-matcher

version-2.x

MappingSerializer

1341-mapping-json

stef-aspire-tests-updates

bug/973-TinyMapper

bug/1149-AppendGuidToSavedMappingFile

feature/1150-DockerImageVersion

61

stef-1108

stef-1097

stef-1083-MessageOptions_Type_Conflict

stef-1062-logger

stef-IgnoreOpenApiErrors

stef-928-TypeLoadException-FluentAssertions-net472

nunit

stef-849

stef-847-regex-questionmark

http_verb

WireMockServerContext

webapp

ai

CommandLineArgumentsParser

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/WireMock.Net#719