SVCUTIL SSL Could not establish trust relationship

    Question

  • I am trying to generate a proxy for a service that is using SSL for transport security.  The problem is that the certificate is not signed.  Is there any way to tell SVCUTIL to ignore any certificate errors?

    This is the error I am receiving.  I can view the Service Endpoint only after IE throws security warnings at me.

     

    Thanks

     

    Attempting to download metadata from 'https://localhost:4443/' using WS-Metadata Exchange or DISCO.
    Error: Cannot obtain Metadata from https://localhost:4443/

    WS-MetadataExchange Error
        Uri: https://localhost:4443/
        Metadata contains a reference that cannot be resolved: 'https://localhost:4443/'.
        Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:4443'.
        The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
        The remote certificate is invalid according to the validation procedure.

    HTTP GET Error
        Uri: https://localhost:4443/
        There was an error downloading 'https://localhost:4443/'.
        The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
        The remote certificate is invalid according to the validation procedure.
    If you would like more help, type "svcutil /?"

     

    Tuesday, May 30, 2006 9:46 PM

Answers

  • SSL transport security is handled down at a pretty low level.  There's nothing in svcutil you can do to turn off the certification path.  Message level security is a different story.  You can modify how you want to handle cert validation, but not at the transport layer.

    Also, you need to verify that the cert you're using is actually called localhost if that's what your endpoint is called.  If you're trying to connect to an endpoint 'https://localhost:4443/' using a cert 'machinename', then it will throw.

    You can create a self-signed cert using makecert with the -r switch if you need to do that.

    See this for further info:

    http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx

    Thanks!

    Scott

    Tuesday, May 30, 2006 11:40 PM

All replies

  • We discussed this question before; it looks like this feature is not available in RC0 and will be available in RC1.

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=336675&SiteID=1

    // I spoke to the SVCUTIL team; I am sending their response: we support this feature in a future release

     

    As of RC1(current build), you can configure client credentials for svcutil using the clientCredentials behavior configuration section.  You then add this behavior configuration to the client endpoint for the metadata endpoint.  Something like this:

     

    <configuration>
        <system.serviceModel>
            <client>
                <!-- client endpoint used by svcutil for the metadata exchange; the behavior supplies the client certificate -->
                <endpoint binding="mexHttpsBinding" contract="IMetadataExchange" behaviorConfiguration="MyBehavior" />
            </client>
            <behaviors>
                <endpointBehaviors>
                    <behavior name="MyBehavior">
                        <clientCredentials>
                            <!-- certificate is looked up in the LocalMachine\My (Personal) store by the given find type and value -->
                            <clientCertificate storeLocation="LocalMachine" storeName="My" findValue="<your value here>" findType="<X509FindType>" />
                        </clientCredentials>
                    </behavior>
                </endpointBehaviors>
            </behaviors>
        </system.serviceModel>
    </configuration>

     

    Prior to RC1 there was no way to use client credentials with svcutil that I know of.

     

    Wednesday, May 31, 2006 1:01 AM
  • For testing purposes I decided to self-sign a cert, then install and trust it.  After that I didn't have a problem.  It looks like the ability to ignore SSL errors with SVCUTIL.exe is forthcoming.

     

    Thanks for your help.

    Thursday, June 01, 2006 7:40 PM
  • In order to control how server certificates are validated when doing MEX, you need to register a ServerCertificateValidationCallback on the System.Net.ServicePointManager.  You should be able to put this code into a client endpoint behavior and then configure it in svcutil's config file.  The behavior will then run before the MEX request is made.

    As far as I know, there is no way to reliably change how the server certificate is validated when doing DISCO.

    Daniel Roth

    Friday, June 30, 2006 8:42 PM
    Moderator
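    Added example (not code from the thread or from Microsoft): a C# endpoint behavior along the lines Daniel describes, compiled into a DLL that svcutil loads through its config file.  Rather than returning true for every certificate, the callback pins the thumbprint of the one self-signed certificate you expect, so svcutil still rejects anything else presented on that channel.  The SvcutilPinning namespace and assembly name, the PinServerCertBehavior and PinServerCertExtension classes, the pinServerCert config element and the thumbprint placeholder are all assumed names; supply the thumbprint from your own service certificate.

```csharp
// Added example, not from the original thread. Assumed names: the SvcutilPinning
// namespace/assembly, PinServerCertBehavior, PinServerCertExtension and the
// "pinServerCert" config element are placeholders chosen for this illustration.
using System;
using System.Configuration;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

namespace SvcutilPinning
{
    // svcutil builds the IMetadataExchange client endpoint from its config file and
    // applies the configured endpoint behaviors before issuing the MEX request, so
    // ApplyClientBehavior is where the validation callback gets installed.
    public class PinServerCertBehavior : IEndpointBehavior
    {
        private readonly string expectedThumbprint;

        public PinServerCertBehavior(string thumbprint)
        {
            // Normalize so a thumbprint pasted from certmgr (spaces, lower case) still matches.
            expectedThumbprint = thumbprint.Replace(" ", "").ToUpperInvariant();
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            // ServicePointManager is process-wide: the callback applies to HTTPS
            // connections the svcutil process makes from this point on.
            ServicePointManager.ServerCertificateValidationCallback = CheckServerCertificate;
        }

        private bool CheckServerCertificate(object sender, X509Certificate cert,
                                            X509Chain chain, SslPolicyErrors errors)
        {
            // A certificate that chains to a trusted root and matches the host name
            // needs no exception.
            if (errors == SslPolicyErrors.None)
                return true;
            if (cert == null)
                return false;
            // Otherwise accept only the exact certificate we were told to expect
            // (SHA-1 thumbprint, upper-case hex without separators), never "any cert".
            string actual = cert.GetCertHashString();
            return string.Equals(actual, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        }

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
        public void Validate(ServiceEndpoint endpoint) { }
    }

    // Configuration element so the behavior can be declared in svcutil.exe.config:
    //   <system.serviceModel>
    //     <extensions><behaviorExtensions>
    //       <add name="pinServerCert" type="SvcutilPinning.PinServerCertExtension, SvcutilPinning" />
    //     </behaviorExtensions></extensions>
    //     <behaviors><endpointBehaviors><behavior name="MexPin">
    //       <pinServerCert thumbprint="<thumbprint of your service certificate>" />
    //     </behavior></endpointBehaviors></behaviors>
    //     <client>
    //       <endpoint binding="mexHttpsBinding" contract="IMetadataExchange" behaviorConfiguration="MexPin" />
    //     </client>
    //   </system.serviceModel>
    public class PinServerCertExtension : BehaviorExtensionElement
    {
        [ConfigurationProperty("thumbprint", IsRequired = true)]
        public string Thumbprint
        {
            get { return (string)this["thumbprint"]; }
            set { this["thumbprint"] = value; }
        }

        public override Type BehaviorType
        {
            get { return typeof(PinServerCertBehavior); }
        }

        protected override object CreateBehavior()
        {
            return new PinServerCertBehavior(Thumbprint);
        }
    }
}
```

    Build this into an assembly that svcutil can load (for example, copy the DLL next to svcutil.exe) and reference it from svcutil.exe.config as shown in the comment; on .NET 3.x the type attribute may need the full assembly-qualified name including Version, Culture and PublicKeyToken.  Pinning the thumbprint, rather than returning true unconditionally, is what keeps this from silently accepting a certificate from an attacker sitting between svcutil and the service.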
  • I am having the same problem (except I am getting the error when I try to "Add Service Reference" to a VB.NET project).  Would you mind explaining HOW to do what you recommend? I don't see anything in the Service Configuration tool that allows me to add what you are asking. I can add an endpoint behavior, but I have no idea how to add the specific entries you recommend and cannot find the answer anywhere! Any help would be greatly appreciated!

    Thanks,

    JFK

    Thursday, January 04, 2007 9:15 PM
  • Hello Norge,

     

    I've attempted to place the certificate into the Trusted Publishers and the Trusted Root stores, but I am still getting the SSL/TLS security error when trying to use svcutil to create a proxy class. I was wondering if there is anything that you can think of that may be causing this.

     

    Thanks!

    Tuesday, January 15, 2008 6:20 PM
  • Just wanted to add that Madhu's suggestion applies if the endpoint is doing mutual authentication using SSL. If the endpoint is set up for server authentication only (over SSL), you don't need to modify the svcutil.exe.config (to instruct the app to send the client cert for the server to validate).
    Tuesday, August 03, 2010 10:20 AM