iis reverse proxy client certificate support from windows certificates store

Question

iis reverse proxy client certificate support from windows certificates store

GP 20

Why there is no support for windows certificate store in internet information services reverse proxy ARR?

It can only work with a PFX file, I need to work with client certificate installed in windows store, how do i archive this?

Thanks.

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Tom Tran (WICLOUD CORPORATION) 4,860 Microsoft External Staff Moderator

Hi @GP ,

Thanks for reaching out!

I believe this is a limitation of IIS Application Request Routing (ARR).

From my understanding, ARR does not support selecting or loading a client certificate from the Windows Certificate Store when proxying requests to a backend over HTTPS.

When ARR is configured to use a client certificate, it only allows specifying a certificate file path and password, which means it can only use file-based certificates that include the private key (for example, a PFX file).

Because of this, ARR cannot use certificates that must remain in the Windows Certificate Store or certificates with non-exportable private keys.

Perhaps you could try these suggestions:

Export the certificate (with private key) to a PFX file and configure ARR to use it.
Use a different reverse proxy that supports loading client certificates from the Windows Certificate Store.
Terminate mutual TLS before ARR (for example, at a gateway or load balancer) and forward requests to ARR over standard HTTPS.

I also found a post regarding this issue, maybe you could find some useful information in it:

https://stackoverflow.com/questions/22791133/iis-proxy-using-arr-to-provide-client-certificate-over-ssl

Disclaimer: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classifies as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

Hope this helps!

Tom Tran (WICLOUD CORPORATION) 4,860 Reputation points Microsoft External Staff Moderator

2026-01-19T03:49:30.1733333+00:00

Hi @GP ,

I'm just checking in to see if you still have any questions, please feel free to comment. I'll be happy to help!
GP 20 Reputation points

2026-02-15T09:47:35.47+00:00

Hi. Tom.

Thank you for your answer, I have another question:

what is this clientcerthash setting used for in arr ?
Tom Tran (WICLOUD CORPORATION) 4,860 Reputation points Microsoft External Staff Moderator

2026-02-16T03:41:32.2466667+00:00
Hi @GP ,

Thanks for the follow up question!

From what I found, in ARR you’ll see a few related settings under a server farm’s protocol configuration:

clientCertFileName: points at a PFX file that contains the certificate plus its private key.

clientCertPassword: the password to open that PFX file.

clientCertHash: the thumbprint (hash) of a certificate in the machine certificate store. The ARR tech community blog shows this as an alternate way to reference a cert by its thumbprint instead of a PFX file path.

So at a high level, the intent of clientCertHash is:

“Instead of specifying a PFX file, you can reference a certificate in the machine store by its thumbprint.”

For better details, you could check out this post:

https://techcommunity.microsoft.com/blog/iis-support-blog/arr-authenticating-itself-to-backend-with-client-certificate-on-re-routing-reque/1343206

Disclaimer: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classifies as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

Despite the field existing and the blog showing how it could work, ARR does not actually support using a private key directly from the Windows Certificate Store for backend TLS client authentication in the way people normally expect.

In real use:

Even though clientCertHash exists, ARR still needs access to the private key when doing mutual TLS to a backend.

In practice, ARR only succeeds when the certificate + key are provided as a PFX.

Setting just the thumbprint doesn’t let ARR use a store certificate that has a non‑exportable key, which is why backend TLS auth fails in real configurations.

Hope this helps! If you find my answer useful so far, please kindly consider marking it by following this guidance. Thank you!

Share via

iis reverse proxy client certificate support from windows certificates store

0 additional answers

Your answer