Invalid Client Certificate

I'm trying to install client certificates for use with the Portuguese citizen card, but I keep getting the message "Invalid Client Certificate" while using the built-in action "ClientCertificateGetDetails".

My screen has SSL with Client Certificates, and I'm using that action in the Preparation.

I've set IIS to "accept client certificates" (if I set it to "require", I get the browser message that a client certificate is required), and installed all certificates on both the client and server machines...

This doesn't seem to be a common message, so I suppose it's an exception generated inside the built-in....

I've set the IIS metabase property CertCheckMode to 1 on the server, just to avoid checking CRLs (which should also work, but one step at a time).

I wonder if any of you has had the same problem and might have a list of possible causes/solutions for this?

Best Regards,

Diogo C S Cordeiro
Hi Diogo

If you configure the IIS virtual directory to require SSL client certificates, and you get a popup dialog in the web browser saying that it requires the SSL client certificate, then it seems that the web browser is not sending the client-side SSL certificate, or is not sending a trusted client-side SSL certificate. So, the problem exists prior to reaching the application.

You need to guarantee that both the client-side and server-side SSL certificates are either recognized by a known authority, or that the root certificate that issued them is installed in both the server and client certificate stores.

I recommend you verify the current SSL certificate configuration and installation according to the MS article

Let us know your findings.


Miguel João

Hi Miguel,

First, let me thank you for your answer. It helped me understand a bit more about all this. My problem existed before the Preparation was run, as you accurately guessed.

Finally I understood what was happening... (I attach the SecureSite code (built with MS VS2008) for future use)

So let me juice it  a little bit for everyone who might need it

(Note: Take a deep breath before going through this)

0 - Build a simple OS application, and in the page properties under HTTP Security select SSL with Client Certificates, or use the VS 2008 code attached and map it in IIS
1 - If you don't have a trusted authority at your service, you can create one.
2 - Install Microsoft Certificate Services (Control Panel -> Add or Remove Programs -> Add/Remove Windows Components) and set up your CA (
3 - Follow the steps below, filtered from the tutorial

To Create a Server-Side Certificate Request

1.On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2.Expand the node for your server, and then click Default Web Site.
3.On the Action menu, click Properties.
4.On the Directory Security tab, click Server Certificate. Follow these steps in the wizard:
5.Click Next on the first page of the wizard.
6.On the Server Certificate page, click Create a new certificate, and then click Next.
7.On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.
8.On the Name and Security Settings page, accept the default settings, and then click Next.
9.On the Organization Information page, type the name of your client organization, type whatever you want for the organizational unit, and then click Next.
10.On the Your Site's Common Name page, type localhost, and then click Next.
11.On the Geographical Information page, type your country, region, and city details, and then click Next.
12.On the Certificate Request File Name page, accept the default file name (usually c:\certreq.txt), and then click Next.
13.On the Request File Summary page, confirm that all of the details are correct, and then click Next.
14.Click Finish to close the wizard.
15.Open the certificate file that is generated, and then copy the entire contents of the certificate file to the clipboard.
18.To Submit a Server-Side Certificate Request
19.Start Internet Explorer, and then browse to the following page:
21.NOTE: The Microsoft Certificate Services must be installed.
22.Follow these steps in the wizard:
23.Click Request a Certificate, and then click Next.
24.On the Choose Request Type page, click Advanced request, and then click Next.
25.On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.
26.On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) box, and then press the CTRL+V key combination to paste the certificate request that you copied to the clipboard earlier. Click Submit.
27.Close Internet Explorer.
30.To Issue a Server-Side Certificate
31.On the Start menu, point to Programs, point to Administrative Tools, and then click Certificate Authority.
32.Expand the node for your certificate authority, and then select Pending Requests.
33.Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue.
34.Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it.
35.On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Servercert.cer.
36.Close the Properties dialog box for the certificate.
37.Close the Certificate Authority tool.
40.To Install a Server-Side Certificate
41.On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
42.Expand the node for your server, and then click Default Web Site.
43.On the Action menu, click Properties.
44.On the Directory Security tab, click Server Certificate. Follow these steps in the wizard:
45.Click Next on the first page of the wizard.
46.Click Process the Pending Request to install the certificate, and then click Next.
47.Browse to the C:\Servercert.cer certificate file that you saved previously. Click Next twice, then click Finish.
48.Click OK to close the Properties dialog box.
51.To Configure SecureSite Site for SSL and Client-Side Certificates
52.In Internet Services Manager, select the SecureSite subweb, and view its properties.
53.Follow these steps in the wizard:
54.On the Directory Security tab, click Edit in the Secure communications section.
55.Select the Require secure channel (SSL) check box. This ensures that communications to this subweb are encrypted.
56.Select the Require client certificates check box. This ensures that the site can only be viewed by users who have a client-side certificate installed.
57.Leave the certificate-mapping check box empty, and hit OK.

For use with the Portuguese citizen card:

Download the intermediate certificates from

At the moment I can only find these certificates:

Cartão de Cidadão 001
EC de Autenticação de Cartão de Cidadão 001
EC de Autenticação de Cartão de Cidadão 002
EC de Autenticação de Cartão de Cidadão 003

But there is one missing: ECRaizEstado, which is nothing but the root certificate (sometimes :P)!

(I will forward this to them after submitting this post)

So my problem was ignorance:

If you open your citizen card application and hit the tab "Certificados", you will see GTE CyberTrust Global Root as the root...

Don't let yourself be fooled by what you see: GTE is a root, but ECRaizEstado also is.

The certificate you should download is not the ECRaizEstado you see now, but the ECRaizEstado you see after opening any of the descendants of ECRaizEstado

This is because you will need to install the ECRaizEstado which is the root, or, believe me, it won't work!

Steps for this :

1. Open your citizen card application
2. Go to the tab "Certificados"
3. Double-click "Cartão de Cidadão 001"
4. Go to the tab "Certification Path"
5. Double-click "ECRaizEstado"
6. Go to the tab "Details"
7. Click the button "Copy to File"
8. Hit Next, choose Base64 and hit Next
9. Choose a name for your certificate file, ECRaizEstado.cer, and save it to a location you can later get it from
10. Open the certificate on your server and click the button Install Certificate (and just hit Next until Finish)

You can try to follow the steps from the technical manual, but in my opinion some of the stuff related to certificate import isn't very accurate. (

So now you need to install the other certificates you previously downloaded:

Click Start -> Run, type mmc, and hit Enter.

You now need to add a snap-in:

1. Hit File: Add/Remove Snap-in
2. Click Add
3. Choose Certificates
4. Click Add
5. Check Computer account and hit Next
6. Choose Local computer and hit Finish
7. Click OK

Right-click the Intermediate Certification Authorities folder and click Import.

Choose your certificates one by one (

Cartão de Cidadão 001
EC de Autenticação de Cartão de Cidadão 001
EC de Autenticação de Cartão de Cidadão 002
EC de Autenticação de Cartão de Cidadão 003


and hit Next, repeating this step for each of the certificates mentioned above.

Check if ECRaizEstado is inside the "Trusted Root Certification Authorities" folder, and if it is not, repeat the above procedure to import it into this folder.

Well, now just try it out. Open a client browser, enter the URL of your server and check if it works:


Or you can just try the example OML I also attach, SmartCardDemo. (For that, in IIS you should alter the SmartCardDemo directory security properties accordingly.)


Best Regards, and happy certifications ;-)

Diogo C S Cordeiro


And now attaching the OML I talked about

Best regards,

Diogo C S Cordeiro
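To save the clicking, the chain export and store import from the post above can be scripted. The script below is an added example and not code from the thread, from OutSystems or from the citizen card software. It assumes the card middleware is installed on the machine where you run the export (so that Windows can build the chain from the card's authentication certificate, which you have saved as a .cer file), that the import runs in an elevated prompt on the server, and the paths and function names are illustrative. It installs whichever chain Windows builds, so if Windows prefers the cross-certified path ending at GTE CyberTrust Global Root, that is what lands in the stores.

```powershell
# Added example (not from the thread): export the issuer chain of a client
# certificate as Base64 .cer files, import them into the server's
# LocalMachine stores, then verify the server can build the chain.
# Assumes: card middleware installed on the exporting machine, an elevated
# prompt on the server, and illustrative paths.

$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-ClientCertChain {
    param(
        [Parameter(Mandatory=$true)][string]$LeafCertPath,  # card authentication cert saved as .cer
        [Parameter(Mandatory=$true)][string]$OutDir
    )
    $leaf  = New-Object "$X509.X509Certificate2" $LeafCertPath
    $chain = New-Object "$X509.X509Chain"
    # Only the chain shape matters here, so skip CRL fetching, and keep going
    # even if this machine does not trust the final root yet.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($leaf)

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    # Element 0 is the leaf itself; everything after it is an issuer, and the
    # last element is the root the post tells you to export from the chain view.
    $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        $c    = $_.Certificate
        $name = $c.GetNameInfo('SimpleName', $false) -replace '[^\w\- ]', ''
        $file = Join-Path $OutDir "$name.cer"
        # Same format as the "Copy to File" wizard's Base-64 encoded X.509 option
        $b64  = [Convert]::ToBase64String($c.Export('Cert'), 'InsertLineBreaks')
        "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
            Set-Content -Path $file -Encoding Ascii
        New-Object PSObject -Property @{
            File       = $file
            Subject    = $c.Subject
            IsRoot     = ($c.Subject -eq $c.Issuer)   # self-signed = trust anchor
            Thumbprint = $c.Thumbprint
        }
    }
}

function Install-ClientCertChain {
    param([Parameter(Mandatory=$true)][string]$CertDir)
    Get-ChildItem -Path $CertDir -Filter *.cer | ForEach-Object {
        $c = New-Object "$X509.X509Certificate2" $_.FullName
        # Self-signed goes to Trusted Root ("Root"); issued intermediates go to
        # Intermediate Certification Authorities ("CA"), as in the MMC steps.
        $storeName = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
        $store = New-Object "$X509.X509Store" $storeName, 'LocalMachine'
        $store.Open('ReadWrite')
        $store.Add($c)        # a cert already in the store is not added twice
        $store.Close()
        "{0,-4} <- {1}" -f $storeName, $c.Subject
    }
}

function Test-ClientCertChain {
    param([Parameter(Mandatory=$true)][string]$LeafCertPath)
    $leaf  = New-Object "$X509.X509Certificate2" $LeafCertPath
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only, no CRL, like CertCheckMode=1
    if ($chain.Build($leaf)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "OK: chain of $($chain.ChainElements.Count) certs ends at $($root.Subject)"
    } else {
        # Typical result before the root is installed: UntrustedRoot or PartialChain
        $chain.ChainStatus | ForEach-Object { "FAIL: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}

# Usage: run the export on the client, copy the folder to the server, run the rest there.
# Export-ClientCertChain -LeafCertPath C:\temp\card-auth.cer -OutDir C:\temp\cc-chain
# Install-ClientCertChain -CertDir C:\temp\cc-chain
# Test-ClientCertChain   -LeafCertPath C:\temp\card-auth.cer
```

Test-ClientCertChain is the check to run on the server before touching IIS: with revocation off it tells you whether the server trusts the card's chain at all, which is exactly the condition Miguel described as failing before the request ever reaches the application.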
Hi Diogo

Great show! I'm glad you were able to catch this one.

Thanks for sharing in great detail how to integrate with PT citizenship cards.


Miguel João

Thank you indeed Diogo!

This gives real insight into the process of actually getting the thing to work.
It must have been a tough road before you found out how to do it...

I had a similar issue while troubleshooting the certificates for CEGER's smartcard (

Two additional tips:
- be sure you have the middleware installed, e.g. the software for the smartcard;
- be sure that on every test you clear the SSL cache (in IE: Tools > Internet Options > Content > Clear SSL State) and start a new browser session;

Good luck,
Here is the link to the root ECRaizEstado: .

Oh, and by the way, each year a new intermediate certificate is issued (from 001 to 005 so far), so make sure you keep your servers up to date.

Hello everyone,

In case you have further troubleshooting needs, here's another tip to check if your certificate is valid:

1. create an eSpace that outputs the result of the built-in action ClientCertificateDetails, specifically the serial number and expiration date of your client certificate;
2. if the expiration date hasn't been reached yet, it might be that your certificate has been revoked;
3. under your server's authority certificates, look for the URL that points to the certificate revocation list, such as:
4. save the .crl file to your disk;
5. install software that extracts the list of revoked certificates (this can really be a long list!); one example is open-ssl-for-windows, available at
6. extract the certificate's full details to a text file (using the example on
7. check if your certificate serial number (from step 1) is present in the list.
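The revocation check in steps 3 to 7 can be done without leaving Windows: certutil already parses CRLs, and the .NET chain engine can fetch the CRL named in the certificate's CRL Distribution Points extension by itself. The script below is an added example and not code from the thread. It assumes the client certificate has been saved as a .cer file (from the browser's certificate viewer or the card application), that the server can reach the CDP URL for the online check, and that certutil prints each revoked entry on a "Serial Number:" line, which is how certutil -dump renders a CRL; paths and function names are illustrative.

```powershell
# Added example (not from the thread): two ways to answer "is this client
# certificate revoked?". Assumes the client cert is saved as a .cer file;
# paths and function names are illustrative.

$X509 = 'System.Security.Cryptography.X509Certificates'

# Step 3: where the issuer publishes its CRL, from the CRL Distribution
# Points extension (OID 2.5.29.31) of the client certificate itself.
function Get-CrlDistributionPoints {
    param([Parameter(Mandatory=$true)][string]$CertPath)
    $cert = New-Object "$X509.X509Certificate2" $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format() renders the extension as text; the URLs appear as "URL=http://..."
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Steps 5-7, automated: certutil -dump lists each revoked entry with a
# "Serial Number: <hex>" line. Normalise to upper-case hex without leading zeros
# so it compares with X509Certificate2.SerialNumber.
function Get-RevokedSerials {
    param([Parameter(Mandatory=$true)][string]$CrlPath)
    $text = & certutil.exe -dump $CrlPath | Out-String
    [regex]::Matches($text, 'Serial Number:\s*([0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant().TrimStart('0') }
}

function Test-SerialInCrl {
    param(
        [Parameter(Mandatory=$true)][string]$CertPath,
        [Parameter(Mandatory=$true)][string]$CrlPath
    )
    $cert    = New-Object "$X509.X509Certificate2" $CertPath
    $serial  = $cert.SerialNumber.ToUpperInvariant().TrimStart('0')
    $revoked = @(Get-RevokedSerials -CrlPath $CrlPath)
    New-Object PSObject -Property @{
        Serial   = $cert.SerialNumber
        NotAfter = $cert.NotAfter            # step 2: expired is not the same as revoked
        InCrl    = ($revoked -contains $serial)
        CrlSize  = $revoked.Count
    }
}

# The same answer from the Windows chain engine. With RevocationMode=Online it
# downloads the CRL from the CDP itself, which is the kind of check IIS performs
# when CertCheckMode is left at 0; if this fails here, IIS will reject the card too.
function Test-ClientCertRevocation {
    param([Parameter(Mandatory=$true)][string]$CertPath)
    $cert  = New-Object "$X509.X509Certificate2" $CertPath
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok     = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    # Revoked means the serial is on the CRL. RevocationStatusUnknown or
    # OfflineRevocation means the CRL could not be fetched (proxy, firewall,
    # expired CRL), which is a different problem from a revoked card.
    $statusText = if ($status.Count -gt 0) { $status -join ', ' } else { 'NoError' }
    New-Object PSObject -Property @{
        ChainOk = $ok
        Status  = $statusText
        Cdp     = ((Get-CrlDistributionPoints -CertPath $CertPath) -join ', ')
    }
}

# Usage:
# Get-CrlDistributionPoints -CertPath C:\temp\card-auth.cer
# Test-SerialInCrl          -CertPath C:\temp\card-auth.cer -CrlPath C:\temp\issuer.crl
# Test-ClientCertRevocation -CertPath C:\temp\card-auth.cer
```

Run Test-SerialInCrl against a CRL you downloaded by hand when you want the offline answer the post describes; run Test-ClientCertRevocation on the web server itself when you want to know whether IIS, with CRL checking enabled, would be able to fetch the CRL at all from that machine.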