Wcf Error "The certificate 'CN= MyCert' must have a private key. The process must have access rights for the private key."
Friday, March 09, 2012 1:36 AM
I have a WCF service that is hosted in IIS and there is a SSL certificate installed on the server. For testing I have created a simple application to consume this service. I have created a client certificate using the MakeCert.exe utility and installed it in my "Personal" certificates on the client machine and also on the server under the "Trusted People" certificate. When my client app calls one of the methods on my service I get the following error:
"The certificate 'CN= ' must have a private key. The process must have access rights for the private key."
I'm not sure what this means. The commands I used to create the certificate are:
makecert -n "CN=MyRootCA" -r -sv RootCA.pvk RootCA.cer
makecert -pe -n "CN=MyCert" -ss my -sky exchange -sk MyCert -iv RootCA.pvk -ic RootCA.cer -sr localmachine MyCert.cer

Here are my config files:

(Service web.config)

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WsBinding_IGatewayService"
               maxReceivedMessageSize="2147483647"
               openTimeout="00:25:00"
               closeTimeout="00:25:00"
               sendTimeout="00:25:00"
               receiveTimeout="00:25:00">
        <readerQuotas maxArrayLength="2147483647"
                      maxBytesPerRead="2147483647"
                      maxDepth="2147483647"
                      maxNameTableCharCount="2147483647"
                      maxStringContentLength="2147483647"/>
        <!-- use this when you have a certificate on the server-->
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
    <basicHttpBinding>
      <binding name="BasicBinding_IGatewayService"
               maxReceivedMessageSize="2147483647"
               openTimeout="00:25:00"
               closeTimeout="00:25:00"
               sendTimeout="00:25:00"
               receiveTimeout="00:25:00">
        <readerQuotas maxArrayLength="2147483647"
                      maxBytesPerRead="2147483647"
                      maxDepth="2147483647"
                      maxNameTableCharCount="2147483647"
                      maxStringContentLength="2147483647"/>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="nacr.Services.Integration.TelAgentDataGateway.GatewayService">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="WsBinding_IGatewayService"
                name="GatewayServiceEndpoint"
                contract="nacr.Services.Integration.TelAgentDataGateway.IGatewayService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
        <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        <!-- use this serviceCredentials block when the service is being called by a client using a certificate-->
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="PeerOrChainTrust" />
          </clientCertificate>
          <serviceCertificate findValue="MyCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>

(Application app.config)

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="GatewayServiceEndpoint" closeTimeout="00:01:00"
               openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
               bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
               allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Message">
          <transport clientCredentialType="Certificate" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://ww2.telagententerprise.com/NACRDataGateway/GatewayService.svc"
              binding="wsHttpBinding" bindingConfiguration="GatewayServiceEndpoint" behaviorConfiguration="clientEndpointCredential"
              contract="GatewayServiceReference.IGatewayService" name="GatewayServiceEndpoint">
      <identity>
        <servicePrincipalName value="host/telagentweb01.TelAgent.nacr.com" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <!-- use this behavior to connect to the service using a certificate-->
      <behavior name="clientEndpointCredential">
        <clientCredentials>
          <clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindBySubjectName" findValue="MyCert" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

Any help is appreciated. Thanks.
All Replies
Friday, March 09, 2012 9:45 AM
Have you made sure that you have installed the certificate on the client machine using the .pfx file?
On the server you need to use .cer file to install the client certificate to the trusted people store.
Rajesh S V
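The distinction in the reply above (the .pfx carries the private key, the .cer does not) is exactly what the error in the original post is complaining about: WCF found the certificate by subject name but could not get at a private key it can use. As an added example that is not part of this thread, the PowerShell script below checks, for a certificate found by subject name in the configured store, whether a private key is present, whether the current identity can open it, and which accounts have access to the underlying key file. The subject "MyCert" and the two store locations (CurrentUser\My for the client, LocalMachine\My for the service) are taken from the posted configs; the parameter names and the key-directory search are this example's own assumptions.

```powershell
# Added example, not from the original thread: verify that the certificate named
# in a WCF client/service config actually carries a private key, then locate the
# key file and show which accounts can read it. Subject "MyCert" comes from the
# post; the store location is a parameter because the client config uses
# CurrentUser\My and the service config uses LocalMachine\My.
param(
    [string]$SubjectName = 'MyCert',
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$StoreLocation = 'CurrentUser'
)

$storePath = "Cert:\$StoreLocation\My"
$certs = Get-ChildItem -Path $storePath | Where-Object { $_.Subject -eq "CN=$SubjectName" }

if (-not $certs) {
    Write-Warning "No certificate with subject CN=$SubjectName in $storePath."
    return
}

foreach ($cert in $certs) {
    Write-Host "Subject       : $($cert.Subject)"
    Write-Host "Thumbprint    : $($cert.Thumbprint)"
    Write-Host "NotAfter      : $($cert.NotAfter)"
    Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"

    if (-not $cert.HasPrivateKey) {
        # The usual cause of the error in the post: the .cer (public key only)
        # was imported where the .pfx (certificate plus private key) was needed.
        Write-Warning "No private key in $storePath; import the .pfx here, not the .cer."
        continue
    }

    # A private key can be present yet unreadable by the current identity.
    # Opening it here surfaces that as an exception instead of a WCF fault.
    try {
        $privateKey = $cert.PrivateKey
    } catch {
        Write-Warning "Private key exists but could not be opened: $($_.Exception.Message)"
        continue
    }
    if ($null -eq $privateKey -or -not $privateKey.CspKeyContainerInfo) {
        Write-Warning "Key is not a CSP key (or not readable); inspect permissions via certlm.msc / certmgr.msc -> Manage Private Keys."
        continue
    }

    # CSP keys (what makecert -sky exchange creates) are stored as files named
    # after the key container, under the machine or per-user RSA key directories.
    $container   = $privateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $searchRoots = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:APPDATA     'Microsoft\Crypto\RSA')
    )
    $keyFile = Get-ChildItem -Path $searchRoots -Recurse -File -Filter $container -ErrorAction SilentlyContinue |
               Select-Object -First 1

    if (-not $keyFile) {
        Write-Warning "Key container $container not found under the standard RSA key directories."
        continue
    }

    # The process identity (the IIS application pool account for the service,
    # the logged-on user for the test client) needs Read on this file.
    Write-Host "Key file      : $($keyFile.FullName)"
    (Get-Acl -Path $keyFile.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it once as the interactive user for the client store, and once from an elevated prompt with `-StoreLocation LocalMachine` for the service certificate that IIS uses. If HasPrivateKey is False, the fix is to re-import from the .pfx; if the key is there but the ACL does not list the application pool identity, grant that account Read on the key through the certificate console's "Manage Private Keys" dialog rather than by editing the file ACL by hand.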
Friday, March 09, 2012 8:50 PM
There were actually a couple of problems with what I was doing. I found this link that helped me with properly creating & installing the certificates on the server & client machine.
http://msdn.microsoft.com/en-us/library/ff650751.aspx
Masoud
- Marked As Answer by Masoud.Sharifi Friday, March 09, 2012 8:50 PM