How to connect to a secure ArcGIS Server using HTTPS and a PKI (X509) Certificate

Discussion created by epaitz-esristaff Employee on Apr 12, 2012
All of our ArcGIS Servers must be secured using HTTPS and an X509/PKI certificate. The IE and Firefox browsers know how to transmit the certificate to the server when it�??s requested, thus we were able to secure our server in this way and deploy our application using Flex. Now we are looking into writing a WPF application using the new ArcGIS WPF Runtime. If I create a simple WPF application that has a map and one ArcGISDynamicMapServiceLayer, where that layer's URL is set to HTTPS on a server that requires a X509 certificate to be sent, I get an error that it could not create the SSL/TSL connection. Makes sense to me because this simple WPF client application did not send the server the certificate.

I was able to get the X509 Certificate with the following code.

X509Store pX509Store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
X509Certificate2 pX509Certificate2 = X509Certifiate2UI.SelectFromCollection(pX509Store.Certificate, "Title", "Message", X509SelectionFlag.SingleSelection)[0];

Then this is the code to create a map and add a map service layer.

ESRI.ArcGIS.Client.ArcGISTiledMapServiceLayer = pArcGISTiledMapServiceLayer = new ESRI.ArcGIS.Client.ArcGISTiledMapServiceLayer();
pArcGISTiledMapServiceLayer.Url = https://server.com/arcgis/rest/services/Imagery/MapServer;

ESRI.ArcGIS.Client.Map map = new ESRI.ArcGIS.Client.Map();


So now the problem is what to do with the X509Certificate? The ArcGISTiledMapServiceLayer has a Credentials Property that wants something that implements System.Net.ICredentials.

pArcGISTiledMapServiceLayer.Credentials = ????

I know the .NET HttpWebRequest Object has a CllientCertificate method so it can make the connection but I do not see how to do this with the Map and an ArcGISDynamicMapServiceLayer. So right now I am trying to understand how to get something that Implements ICredentials from an X509Certificate or from some other way...if that is even possible. I cannot find anything in our documentation that mentions X509/PKI. I do not think the ICredential Interface and the X509Certiicate Class have anything to do with each other.

Does anyone know if it�??s possible to connect to a server that requires the client application to transmit the X509 certificate when the server is requesting it?