
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1671

WCF Transport Security Hello World Problem

I'm just trying to get a hello world WCF example running over NetTcp with an X.509 certificate.
I've created the two self-certificates on the server (it's a remote machine with a static IP), one for the root, the other for the Personal store, using MakeCert.exe.
I ran the httpcfg command to bind SSL to a port (8001).
I exported them to my client machine.
In the service config I just put the BaseAddress as the same port I httpcfg'd to, and in serviceBehaviors:
 <serviceCredentials>
   <serviceCertificate findValue="f67f6d74e3160bfec56479402e3a26bf24d6gf55"
                       x509FindType="FindByThumbprint" />
 </serviceCredentials>
The service seems to run.
In the client I put the following:
 <endpointBehaviors>
   <behavior name="DoesThisGoAnywhere">
     <clientCredentials>
       <clientCertificate storeName="My" storeLocation="LocalMachine" findValue="Dev Certification Authority"
                          x509FindType="FindByIssuerName" />
     </clientCredentials>
   </behavior>
 </endpointBehaviors>
The error I'm getting is 'The client certificate is not provided. Specify a client certificate in ClientCredentials'.
I'm trying different combinations of the x509FindType, thumbprint etc., but it doesn't seem to help.

Asked by: Silas2
1 Solution
 
Mike_Mozhaev commented:
Have you imported the client certificate on your client machine?
 
Silas2 (Author) commented:
Sorry about the delay, long Easter away from the PC.
The error is:
'The X.509 certificate CN=**IP Address Of Server With Service***. The certificate that was used has a trust chain that cannot be verified.'
In both service and client I am using 'FindByThumbprint', which is definitely finding them, as it fails earlier if I change the thumbprint.
I tried to import the certificate into the client. When I look at the client certificate store (mmc - Certificates), in 'Trusted Root Cert Auth' I see 'Issued To' + 'Issued By' = the text name I used in the makecert.
In the 'Personal - Certificates' I see 'Issued To' = the IP address of the server, and 'Issued By' = text name. Have I done this right?
 
Mike_Mozhaev commented:
Are you using a certificate for server authentication, client authentication, or both?
E.g. if we want to make an HTTPS connection, then we import both root and server certificates on the server and bind the server certificate to the port. Then on the client we can import either the root certificate or the server certificate or both, or disable the certificate check, and we are done.
If we want to authenticate the client using a certificate, then we need a separate one for the client. I haven't dealt with this scenario yet, so I can't help much with this right now.
 
Silas2 (Author) commented:
I was hoping for a 'handshake' between client and server. MakeCert on the server, import into the server, bind to port, export to the client without the private key. Import into the client's cert store (Trusted Auth and Personal), then make secure NetTcp comms.
I used the (fixed) IP address of the server for the domain for makecert, and made-up text for the Authority. It is CN=xxx.xxx.xxx.xxx, which is not trusted.
 
Mike_Mozhaev commented:
For encrypted traffic you can just bind the certificate to the port, import the root or server certificate on the client for validation, and set the security mode to Message or Transport. You don't need a client certificate.
Take a look at http://wcfsecurity.codeplex.com/Wikipage
 
Silas2 (Author) commented:
I don't quite follow your point "...import root or server certificate to client for validation ... You don't need client certificate...". Surely the client certificate is the one you import for validation, isn't it? (Without the private key.)
 
Mike_Mozhaev commented:
As far as I understand, the server certificate is used for traffic encryption, and the client should ensure that the server certificate is valid upon connection. It's considered valid if it's found in the client store or if it's signed by some valid certificate. Since our root certificate is self-signed, its validity can be proved only by importing it into the client store.
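The two errors in this thread ('The client certificate is not provided' and 'trust chain that cannot be verified') come from two separate settings, so here is one added example covering both: a self-hosted NetTcp service with transport security that uses only a server certificate, plus a client that validates that certificate by chain trust. This is editor-added code, not the asker's config or anything from the linked guide. Assumptions: the contract name `IHello`, the address `net.tcp://localhost:8001/hello`, the DNS identity `localhost`, and the thumbprint placeholder are all made up; replace the thumbprint with the real SHA-1 thumbprint of the server certificate in LocalMachine\My, and use the server's IP address (the certificate's CN in this thread) as both the host in the address and the DNS identity.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IHello
{
    [OperationContract]
    string SayHello(string name);
}

public class HelloService : IHello
{
    public string SayHello(string name)
    {
        return "Hello, " + name;
    }
}

public static class Program
{
    // Placeholder (assumption): SHA-1 thumbprint of the server certificate in LocalMachine\My.
    const string ServerThumbprint = "0000000000000000000000000000000000000000";
    // Assumed address; in the thread the host would be the server's fixed IP address (the cert CN).
    const string Address = "net.tcp://localhost:8001/hello";
    const string ServerDnsIdentity = "localhost";

    // Same binding on both sides. Transport = TLS over the TCP stream, using the
    // service certificate. ClientCredentialType.None means the server does NOT ask
    // for a client certificate, so the client needs no <clientCertificate> at all;
    // that removes "The client certificate is not provided" entirely.
    static NetTcpBinding MakeBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        return binding;
    }

    // Service side: the certificate is loaded directly from the store by WCF.
    // net.tcp does not go through HTTP.SYS, so no httpcfg/netsh SSL port binding is involved.
    // The service account must have read access to the certificate's private key.
    static ServiceHost StartService()
    {
        var host = new ServiceHost(typeof(HelloService));
        host.AddServiceEndpoint(typeof(IHello), MakeBinding(), Address);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, ServerThumbprint);
        host.Open();
        return host;
    }

    // Client side: no client certificate. The client only validates the server's certificate.
    static string CallService()
    {
        var endpoint = new EndpointAddress(
            new Uri(Address),
            // The DNS identity must match the certificate's subject CN (or a SAN entry);
            // with a CN of an IP address, the identity is that IP address string.
            EndpointIdentity.CreateDnsIdentity(ServerDnsIdentity));

        var factory = new ChannelFactory<IHello>(MakeBinding(), endpoint);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        // ChainTrust: the server certificate must chain up to a CA in the client's
        // Trusted Root Certification Authorities store. For a MakeCert root that is
        // exactly the import described in the thread; without it you get
        // "trust chain that cannot be verified". Never set None outside a lab.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        // Test certificates from MakeCert carry no CRL distribution point, so an
        // online revocation check cannot succeed; NoCheck is for such lab certs only.
        auth.RevocationMode = X509RevocationMode.NoCheck;

        IHello proxy = factory.CreateChannel();
        string reply = proxy.SayHello("world");
        ((IClientChannel)proxy).Close();
        factory.Close();
        return reply;
    }

    public static void Main()
    {
        using (ServiceHost host = StartService())
        {
            Console.WriteLine(CallService());
        }
    }
}
```

The app.config equivalent of the binding above is `<security mode="Transport"><transport clientCredentialType="None"/></security>` on the netTcpBinding, a `<serviceCertificate ... x509FindType="FindByThumbprint"/>` in the service behavior, and on the client a `<serviceCertificate><authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/></serviceCertificate>` inside `<clientCredentials>` instead of the `<clientCertificate>` element. Switch `ClientCredentialType` to `Certificate` only when you actually want mutual authentication; at that point the client needs its own certificate with a private key (and the service needs a matching `ClientCertificate.Authentication` validation mode), which is the separate scenario the thread did not get to.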
 
Silas2 (Author) commented:
I've just downloaded the guide you linked to, just 660 pages! I've just started chewing through that.