
AWS RolesAnywhere - "Unable to form certificate ID from input certificate" error in C# (.NET Framework), but works with aws_signing_helper

0

I’m trying to authenticate to AWS using RolesAnywhere from a C# .NET Framework web application via a client certificate. However, I keep getting the error: {"message":"Unable to form certificate ID from input certificate."} Below is my code snippet:

using System.Net.Http;
using System.Security.Authentication;
using System.Text;

var (clientCert, chainCerts) = LoadCertificateWithPrivateKeyAndChain(certificatePath, privateKeyPath, chainPath);

// Offer the leaf certificate and its chain for TLS client authentication.
var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual, SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 };
handler.ClientCertificates.Add(clientCert);
foreach (var chainCert in chainCerts) { handler.ClientCertificates.Add(chainCert); }

using var client = new HttpClient(handler);
var request = new HttpRequestMessage(HttpMethod.Post, rolesAnywhereEndpoint);
request.Content = new StringContent(jsonBody, Encoding.UTF8, "application/json");
request.Headers.Add("X-Amz-Target", "RolesAnywhereCredentialManagementService.CreateSession");

var response = await client.SendAsync(request);

The response is always: 400 Bad Request {"message":"Unable to form certificate ID from input certificate."}

Can someone please let me know if I'm missing anything in how the certificate is handled in .NET Framework?

asked 10 months ago · 204 views
1 Answer
0

The error "Unable to form certificate ID from input certificate" suggests that IAM Roles Anywhere is unable to properly identify or validate the certificate you're providing. This is likely because you're not following the required authentication process for IAM Roles Anywhere, which uses AWS Signature Version 4 with X.509 certificates (AWS4-X509-RSA-SHA256).

When authenticating with IAM Roles Anywhere, you need to:

  1. Include the X.509 certificate in the request headers as a base64-encoded value in the X-Amz-X509 header
  2. Create a proper signature using the AWS4-X509-RSA-SHA256 algorithm
  3. Include the certificate's serial number in the credential scope
  4. Add the proper Authorization header with all required components

Your current code is simply adding the certificate to the HTTP client's certificate collection, which is used for TLS client authentication. However, IAM Roles Anywhere requires the certificate to be explicitly included in the request headers and used for signing the request.

Here's what you need to include in your request:

  • X-Amz-Date header with the current timestamp in ISO8601 format
  • X-Amz-X509 header with the base64-encoded certificate
  • Authorization header with the proper signature components

The Authorization header should follow this format:

AWS4-X509-RSA-SHA256 Credential={Certificate_serial_number}/{date}/{region}/rolesanywhere/aws4_request, SignedHeaders={signed_headers}, Signature={signature}

Instead of implementing this complex signing process yourself, you might consider using the aws_signing_helper tool through a process call in your C# application. The aws_signing_helper is specifically designed to handle the credential process for IAM Roles Anywhere and returns credentials in a standard JSON format.

Alternatively, if you need to implement it in C#, you'll need to follow the complete AWS Signature Version 4 signing process with X.509 certificates, including creating a canonical request, creating a string to sign, calculating the signature using your private key, and constructing the proper Authorization header.

answered 10 months ago
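As an added illustration of the signing process the answer describes (this is example code, not the answerer's or AWS's), the following builds a signed CreateSession request in C#. It assumes the leaf certificate is loaded as an X509Certificate2 with an RSA private key, that CreateSession is POST /sessions on the regional rolesanywhere endpoint, and that Content-Type, Host, X-Amz-Date and X-Amz-X509 are the signed headers; the helper names are my own.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Example (not AWS code): signs an IAM Roles Anywhere CreateSession request with AWS4-X509-RSA-SHA256.
// Assumes `cert` carries an RSA private key and the caller supplies region and JSON body.
public static class RolesAnywhereSigner
{
    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    static byte[] Sha256(string s) { using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    public static HttpRequestMessage BuildCreateSession(X509Certificate2 cert, string region, string jsonBody, DateTime utcNow)
    {
        string host = $"rolesanywhere.{region}.amazonaws.com";
        string amzDate = utcNow.ToString("yyyyMMdd'T'HHmmss'Z'", CultureInfo.InvariantCulture);
        string scope = $"{amzDate.Substring(0, 8)}/{region}/rolesanywhere/aws4_request";
        // Credential= carries the certificate serial number in decimal; .NET exposes it as hex.
        string serial = BigInteger.Parse("0" + cert.SerialNumber, NumberStyles.HexNumber).ToString();
        string x509 = Convert.ToBase64String(cert.RawData); // base64 of the leaf's DER encoding

        // Canonical headers: lowercase names, trimmed values, sorted by name, each ending in "\n".
        var headers = new[] { ("content-type", "application/json"), ("host", host),
                              ("x-amz-date", amzDate), ("x-amz-x509", x509) };
        string canonicalHeaders = string.Concat(headers.Select(h => $"{h.Item1}:{h.Item2}\n"));
        string signedHeaders = string.Join(";", headers.Select(h => h.Item1));
        string canonicalRequest = $"POST\n/sessions\n\n{canonicalHeaders}\n{signedHeaders}\n{Hex(Sha256(jsonBody))}";
        string stringToSign = $"AWS4-X509-RSA-SHA256\n{amzDate}\n{scope}\n{Hex(Sha256(canonicalRequest))}";
        // Unlike ordinary SigV4 there is no HMAC key derivation: the string to sign is
        // signed directly with the certificate's RSA key (PKCS#1 v1.5, SHA-256) and hex-encoded.
        byte[] sig;
        using (RSA rsa = cert.GetRSAPrivateKey())
            sig = rsa.SignData(Encoding.UTF8.GetBytes(stringToSign), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        var req = new HttpRequestMessage(HttpMethod.Post, $"https://{host}/sessions");
        req.Content = new StringContent(jsonBody, Encoding.UTF8);
        // Content-Type must match the signed value byte for byte, so drop the "; charset=utf-8" suffix.
        req.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
        req.Headers.TryAddWithoutValidation("X-Amz-Date", amzDate);
        req.Headers.TryAddWithoutValidation("X-Amz-X509", x509);
        req.Headers.TryAddWithoutValidation("Authorization",
            $"AWS4-X509-RSA-SHA256 Credential={serial}/{scope}, SignedHeaders={signedHeaders}, Signature={Hex(sig)}");
        return req;
    }
}
```

If the trust anchor is not the leaf's direct issuer, the intermediates go in an X-Amz-X509-Chain header (comma-separated base64 DER) and that header must join the signed set; this example signs the leaf only.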
