Cannot find the X.509 certificate

    Question

  • Hello,

    I'm trying to use this endpoint configuration:

    <wsHttpBinding>
      <binding name="wsSecuredBinding">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>

    For the service

    <service name="WcfServiceLibrary1.Service1" behaviorConfiguration="WcfServiceLibrary1.Service1Behavior">
      ...
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsSecuredBinding" contract="WcfServiceLibrary1.IService1"> </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>

     

    To do that, I need to specify a certificate, so I created and installed a certificate according to this article:

    http://msdn2.microsoft.com/en-us/library/ms733813.aspx

    Then, I configured the service behaviors:

    <serviceBehaviors>
      <behavior name="WcfServiceLibrary1.Service1Behavior">
        ...
        <serviceCredentials>
          ...
          <serviceCertificate findValue="localhost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>

    But when I try to start the service, I get this error:

    System.InvalidOperationException: Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'localhost'.

    How can I solve this problem?

    Thanks,

    Marco

    Sunday, January 27, 2008 4:23 PM

Answers

  • Ok, problem solved:

    I forgot to add the SignedByCA certificate into the Personal certificates...

    And, to find it, findValue must be "SignedByCA" and not "localhost"...

    Having solved that, I got other exceptions... something like the certificate was unable to export the private key, and/or the application doesn't have the right to do that.

    I solved it by removing the certificates and creating them with:

    >makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

    >makecert -sr LocalMachine -ss My -a sha1 -n CN=MyTestCert -sky exchange -pe -ic TempCA.cer -iv TempCA.pvk

    which automatically installs the MyTestCert certificate (but TempCA must be manually added to the root).

    (and changed the findValue to "MyTestCert" too)

    and with:

    >winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyTestCert -a Everyone

    using the downloaded tool winhttpcertcfg to grant access to the certificate to Everyone (this is only for tests).

    --------------------------------------------------------------

    But now... a new exception:

    (this happens when the client tries to call the WCF service using the proxy client)

    The X.509 certificate CN=MyTestCert chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

    and I have no idea how to resolve that (and no useful results with Google).

    Can someone help me?

    Thanks,

    Marco

    Monday, January 28, 2008 1:02 AM

All replies

  • I found a way to disable the revocation check for the certificate:

    serviceClient.ClientCredentials.ServiceCertificate.Authentication.RevocationMode = System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck;

    Now, all works ;)
    Monday, January 28, 2008 3:35 AM
  • Hi Marco,
        I am facing the same problem:
    Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'localhost'.

        But I am not getting what you told.... you forgot to add the "SignedByCA" certificate into the Personal certificates.....

        "SignedByCA" means what?

        Here I am using a test certificate as an SSL certificate. And I am writing it as

    <serviceCertificate findValue="localhost"
           storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />

       Here "localhost" is the Subject Name of my SSL certificate.

       I will be very much pleased to hear from you.

    Monday, January 05, 2009 1:33 PM
  • Hi Sanjay

    you will need to use the actual machine name rather than localhost as the find value

    Localhost is just an alias for the loopback address

    Regards

    Richard Blewett
    http://www.dotnetconsult.co.uk/weblog2
    Monday, January 05, 2009 2:06 PM
    Moderator
  • Thanks Richard,

        Actually the scenario is like this: I am creating a demo application on Geneva CardSpace on my local machine. [I am referring to the Vibro.Net example for this] And if it is successful then we will implement it on live sites. For this I am using a certificate-backed managed card.
        I have 4 certificates in the Personal store of my LocalMachine. Among these 4 certificates I am using one as my SSL Certificate [for Server Certificate] & one as client certificate [because I am in the testing phase.]
        I am using the same application for Service & client. [I hope it is okay....?] And the <behaviors> tag in Web.config is like this-

    <behaviors>
      <serviceBehaviors>
        <behavior name="MySTSBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <certificate storeLocation="LocalMachine" storeName="My"
                           x509FindType="FindBySubjectName" findValue="Server2008" />
              <authentication revocationMode="NoCheck" trustedStoreLocation="LocalMachine" />
            </clientCertificate>
            <serviceCertificate findValue="Server2008"
                                storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
            <peer>
              <certificate storeLocation="LocalMachine" />
            </peer>
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

        When I used my machine's name [Server2008] instead of the SubjectName of that certificate my previous error was solved, thanks for that....but now a new error is there saying:

    Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'Server2008'. Provide a more specific find value.

        I think that it's because of more than one certificate in the Personal store of my LocalMachine. But as I am working on a single machine I have to keep at least two certificates in the Personal store, one for the server Certificate & one for the Client Certificate.
        Am I missing something......??
        Eagerly waiting for a reply.....

    Tuesday, January 06, 2009 6:11 AM
  • Hi Sanjay

    what do you see when you look in the certificate manager MMC snap in?

    You can bring this up by running MMC.exe and then adding in the certificate manager snap-in (pick local machine when requested). What do you see in the personal store (this is what StoreName=My maps to)?

    Also - how are you creating the certificates - makecert.exe or selfssl?

    Regards

    Richard Blewett
    http://www.dotnetconsult.co.uk/weblog2
    Tuesday, January 06, 2009 7:08 AM
    Moderator
  • Hi Richard,

        When I go like this-
    Start -> mmc -> [One Console Window Appears] Console1 -> File -> Add/Remove Snap-In -> Certificate -> Add.
        Then below the Console Root -> Certificates (Local Computer) -> Personal -> Certificates
        I have 4 certificates here. And out of those I am using one for the Service Certificate & one I want to use as the client certificate.
        And regarding the 2nd question....There is one web site called www.comodo.com which issues SSL certificates for testing purposes also. As I mentioned I am creating this application for test purposes so I am using a certificate issued by them & the Subject name of that certificate is

    CN=localhost, OU=Free SSL, OU=Domain Control Validated

        I think I should tell you what I am doing & what I want from it. Basically I am creating one test application on Geneva CardSpace. For this I am using Windows Server 2008, Visual Studio 2008, .NET Framework 3.5 Service Pack 1.
        Our web sites are such that anyone from the internet can register to our sites....so on another thread I asked people how I should go about it. They told me to go with the Geneva Framework to build a custom STS.
        Now with this I want to go with a certificate-backed managed card & issue it to users so that next time they can log in to our site using that card.
        That error which I was talking about has gone.... :)
        I have changed the <serviceCredentials> tag & now my web.config is like this...

    <system.serviceModel>
      <services>
        <service behaviorConfiguration="MySTSBehavior" name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract">
          <endpoint address="http://localhost/MySTS/Service.svc" binding="customBinding" bindingConfiguration="X509Binding" contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustFeb2005SyncContract"/>
          <endpoint address="https://localhost/MySTS/Service.svc/Mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
          <host>
            <baseAddresses>
              <add baseAddress="http://localhost/MySTS/Service.svc"/>
            </baseAddresses>
          </host>
        </service>
      </services>
      <bindings>
        <customBinding>
          <binding name="X509Binding">
            <security authenticationMode="MutualCertificate">
              <issuedTokenParameters>
                <issuer address="http://localhost/MySTS/Service.svc"/>
                <issuerMetadata address="https://localhost/MySTS/Service.svc/Mex"/>
              </issuedTokenParameters>
              <secureConversationBootstrap/>
            </security>
            <httpTransport/>
          </binding>
        </customBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="MySTSBehavior">
            <serviceMetadata httpsGetEnabled="true"
                             httpsGetUrl="https://localhost/MySTS/Service.svc/Mex" />
            <serviceDebug includeExceptionDetailInFaults="true"/>
            <serviceCredentials>
              <serviceCertificate findValue=".............................."
                                  storeLocation="LocalMachine" storeName="My" x509FindType="FindBySerialNumber" />
              <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

        Now with this when I go to IE & paste https://localhost/MySTS/Service.svc then it shows me one page which says
    You have created a service.
    To test this service, you will need to.....

        Is it the indication that my service has started successfully.....? Or should I do something else?

        Now in the same application I have taken one Default.aspx to issue the managed card....it's working fine. I save these managed cards on my PC. Then I go to Default2.aspx where I have used the CardTile control. I click that control to accept these cards.
        At the CardTile control I attach that card. [if we open Default2.aspx in design mode there is one arrow at CardTile. I clicked that arrow...one window appears, I go to Browse....select that card. Click OK.]
        Now when I run that application & go to the Default2.aspx page & click on the CardTile control....one window "Windows Security" appears....it contains that card. I click the Ok button.
        Here what is desired is that it should go to the Default.aspx.cs page with the Token attributes....but it is showing me
    "This card cannot be used right now. Click OK to retry."
        And in Event Viewer I get
    "No valid endpoint in the metadata published by STS"
        I am not getting how to move forward.....
        Can anyone help me with this......?? Can anybody tell me where I am going wrong.....?

    Regards,
    Sanjay.

    Tuesday, January 06, 2009 8:41 AM
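    The lookup and chain check behind the two errors in this thread (Marco's "chain building failed ... unable to check revocation" and Sanjay's "Found multiple X.509 certificates"), as an added C# example that is not code from any post: it runs the same X509Store search that WCF's serviceCertificate element performs, with the settings used above (LocalMachine, My, FindBySubjectName, and "localhost" as the find value unless one is given on the command line), then builds each match's chain with revocation checking on. The class name CertLookupCheck and the command-line convention are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Reproduces the certificate lookup WCF's <serviceCertificate> element performs
// and the chain build a client runs against the service certificate.
static class CertLookupCheck   // hypothetical name, not from the thread
{
    // storeLocation / storeName / x509FindType / findValue, as in the config.
    static X509Certificate2Collection Find(StoreLocation location, StoreName name,
                                           X509FindType type, object value)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: untrusted or expired certificates are still
            // returned, so a lookup can succeed while the chain check fails.
            return store.Certificates.Find(type, value, false);
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        string findValue = args.Length > 0 ? args[0] : "localhost";
        // FindBySubjectName is a case-insensitive substring match on the subject,
        // so "Server2008" matches every certificate whose subject contains that
        // text: the "Found multiple X.509 certificates" case.
        var found = Find(StoreLocation.LocalMachine, StoreName.My,
                         X509FindType.FindBySubjectName, findValue);
        Console.WriteLine("{0} certificate(s) match '{1}'", found.Count, findValue);
        foreach (X509Certificate2 cert in found)
        {
            Console.WriteLine("  {0}  thumbprint={1}  privateKey={2}",
                              cert.Subject, cert.Thumbprint, cert.HasPrivateKey);
            // The checks WCF applies under ChainTrust validation with its default
            // RevocationMode of Online.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            bool trusted = chain.Build(cert);
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("    {0}: {1}", status.Status, status.StatusInformation);
            // UntrustedRoot: the issuing CA (e.g. TempCA) is not in Trusted Root.
            // RevocationStatusUnknown / OfflineRevocation: the CA publishes no CRL,
            // which is the "revocation function was unable to check" error.
            Console.WriteLine("    builds a trusted chain: {0}", trusted);
        }
        if (found.Count > 1)
            Console.WriteLine("Ambiguous match; select one with FindByThumbprint.");
    }
}
```

    More than one match means FindBySubjectName is too broad for that store; FindByThumbprint (or FindBySerialNumber, as in the config above) selects exactly one certificate, and the printed chain status shows why the client-side check failed before deciding whether to relax RevocationMode.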
  • Hi All,
        Solved that problem.....Thanks to Mr. Rakesh Bilaney for this......Here I am writing this because it may help somebody else....
        Actually CardSpace Geneva has a limitation that it will only work with mixed-mode transport bindings.
    The binding that I had configured on the IP STS was using message security (which is not supported). And this was the reason I was facing the problem.....
        So I have changed that binding like this:
    <bindings>
      <wsHttpBinding>
        <binding name="CertificateBinding">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="Certificate" negotiateServiceCredential="false"
                     establishSecurityContext="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>


        And it worked for me......!!!!!! Hope it will help you.....
    :) Thanks to Mr. Rakesh Bilaney & Mr. Dominick Baier for their help.....

    Monday, January 19, 2009 7:29 AM