WCF Transport Security Hello World Problem

I'm just trying to get a hello world WCF example running over NetTcp with x509 certificate.
I've created the 2 X Self-Certificate on the server (it's a remote machine with static IP), one for the root, the other for the Personnel using MakeCert.exe.
I ran the httpcfg command to bind SSL to a port (8001).
I exported them to my client machine.
In the Service config I just put the BaseAddress as the same port I httpcfg'd to and in serviceBehaviours:
            <serviceCertificate findValue="f67f6d74e3160bfec56479402e3a26bf24d6gf55"
                                x509FindType="FindByThumbprint" />
The service seems to run.
In the client I put the
          <behavior name="DoesThisGoAnywhere">
              <clientCertificate  storeName="My" storeLocation="LocalMachine" findValue="Dev Certification Authority"
                                  x509FindType="FindByIssuerName" />
The error I'm getting is 'The client certificate is not provided. Specify a client certificate in ClientCredentials'
I'm trying different combinations of the x509findtype, thumbprint etc., but it doesn't seem to help.

Have you imported client certificate on your client machine?
Silas2 (Author) Commented:
Sorry about delay, long Easter away from pc.
The error is:
'The X.509 certificate CN=**IP Address Of Server With Service***. The certificate that was used has a trust chain that cannot be verified'
In both service+client, I am using 'FindByThumbprint' which is definitely finding them as it fails earlier if I change the thumbprint.
I tried to import the certificate into the client. When I look at the client Certificate store (mmc-Certificates), in 'Trusted Root Cert Auth' I see 'Issued To' + 'Issued By' = the text name I used in the makecert.
In the 'Personnel - Certificates' I see 'Issued To' = the IP address of the Server, and 'Issued By' = text name. Have I done this right?

Are you using a certificate for server authentication or client authentication or both?
E.g. if we want to make an HTTPS connection then we import both root and server certificates on server and bind server certificate to port. Then on client we can either import root certificate or server certificate or both or disable certificate check and we are done.
If we want to authenticate client using certificate then we need a separate one for client. I haven't dealt with this scenario yet so I can't help much with this right now.
Silas2 (Author) Commented:
I was hoping for a 'handshake' between client/server. MakeCert on server, import into server, bind to port, export to client without private key. Import into client's cert store, Trusted Auth and Personnel, then make secure NetTcp comm.
I used the (fixed) IP address of the server for the domain for makecert, and a made up text for the Authority. It is CN-xxx.xxx.xxx.xxx which is not trusted.
For encrypted traffic you can just bind certificate to port, import root or server certificate to client for validation and set security mode to Message or Transport. You don't need client certificate.
Take a look at http://wcfsecurity.codeplex.com/Wikipage

Silas2 (Author) Commented:
I don't quite follow your point "...import root or server certificate to client for validation ...You don't need client certificate....", surely the client certificate is the one you import for validation isn't it? (without the private key)
As far as I understand, the server certificate is used for traffic encryption. And the client should ensure that the server certificate is valid upon connection. It's considered valid if it's found in the client store or if it's signed by some valid certificate. Since our root certificate is self-signed, its validity can be proved only by importing it to the client store.
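The setup the two answers above describe (server certificate only, issuing root imported on the client, no client certificate), written out as net.tcp configuration. This is an added example, not part of the original thread; HelloService, IHelloService, SERVER-CN, the binding and behavior names and the thumbprint value are placeholders, and the revocation setting assumes a MakeCert test chain.

```xml
<!-- Added example with placeholder names. Service app.config: -->
<system.serviceModel>
  <bindings><netTcpBinding>
    <binding name="tcpServerCertOnly">
      <security mode="Transport">
        <!-- None: the client presents no certificate; the server is still
             authenticated by its own. "Certificate" would require a client one. -->
        <transport clientCredentialType="None" />
      </security>
    </binding>
  </netTcpBinding></bindings>
  <behaviors><serviceBehaviors>
    <behavior name="serverCert">
      <serviceCredentials>
        <!-- Needs its private key, in LocalMachine\My on the server. -->
        <serviceCertificate storeLocation="LocalMachine" storeName="My"
            x509FindType="FindByThumbprint" findValue="SERVER-CERT-THUMBPRINT-PLACEHOLDER" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors></behaviors>
  <services>
    <service name="HelloService" behaviorConfiguration="serverCert">
      <endpoint address="net.tcp://SERVER-CN:8001/Hello" binding="netTcpBinding"
          bindingConfiguration="tcpServerCertOnly" contract="IHelloService" />
    </service>
  </services>
</system.serviceModel>
<!-- Client app.config: same binding, no clientCertificate element anywhere. -->
<system.serviceModel>
  <bindings><netTcpBinding>
    <binding name="tcpServerCertOnly">
      <security mode="Transport"><transport clientCredentialType="None" /></security>
    </binding>
  </netTcpBinding></bindings>
  <behaviors><endpointBehaviors>
    <behavior name="validateServer">
      <clientCredentials><serviceCertificate>
        <!-- ChainTrust: the issuing root (public part only) must be in the client's
             Trusted Root store. NoCheck assumes a MakeCert test chain without a CRL. -->
        <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
      </serviceCertificate></clientCredentials>
    </behavior>
  </endpointBehaviors></behaviors>
  <client>
    <!-- The host in the address must match the certificate's CN. -->
    <endpoint address="net.tcp://SERVER-CN:8001/Hello" binding="netTcpBinding" contract="IHelloService"
        bindingConfiguration="tcpServerCertOnly" behaviorConfiguration="validateServer" />
  </client>
</system.serviceModel>
```

An httpcfg (HTTP.sys) port binding is read by HTTPS endpoints; a net.tcp endpoint takes its certificate from the serviceCertificate element shown here.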
Silas2 (Author) Commented:
I've just downloaded the guide you linked to, just 660 pages! I've just started chewing through that.