WCF Message Security with SSL Certificate

  • Question

  • Hello.

     So far I have been using a test certificate to enable Message Security with Custom Username/Password credentials. All worked well. Now, I got a standard SSL certificate from GoDaddy and want to replace the test certificate with it. The certificate is fine for SSL, I managed to use it to enable https on a site. However I can't manage to make the WCF work with it! I did all needed adjustments like change the dns on the client's identity, set the service to work with the new certificate etc. However it doesn't work. It seems like a standard SSL certificate is not enough or something. Anything I might miss?

    Thank you!

    Adam Porat

        

    Wednesday, August 1, 2012 2:56 PM

Answers

  • Hi,

    Did you install the certificate to the machine store or specified user store? How did you set the service to work with the new certificate? In your case, the process account may not have permission to access the private key associated with the new certificate. You can refer to the following article to check the required permissions:

    How to: Make X.509 Certificates Accessible to WCF

    http://msdn.microsoft.com/en-us/library/aa702621.aspx

    Note: the default process identity on IIS7.5 is ApplicationPoolIdentity.


    Leo Tang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Proposed as answer by Bogdan Verbenets Tuesday, August 7, 2012 8:34 AM
    • Marked as answer by LeoTang Wednesday, August 8, 2012 6:15 AM
    Thursday, August 2, 2012 4:26 AM
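The permission check Leo describes, as an added example (it is not code from the thread or from the linked Microsoft article): a Windows PowerShell script that locates the private key file behind a certificate in the LocalMachine\My store and grants the application pool's virtual account read access to it. The pool name `DefaultAppPool` and the thumbprint are placeholders, not values from the thread; the account string `IIS AppPool\<pool name>` is the identity that ApplicationPoolIdentity runs as. It needs an elevated prompt and .NET Framework 4.6 or later for `RSACertificateExtensions`.

```powershell
# Added example, not from the thread or from Microsoft: give the IIS application
# pool's virtual account read access to a certificate's private key so the WCF
# service hosted in that pool can use it for message security.
# Placeholders/assumptions: pool name, thumbprint. Run from an elevated prompt.

$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder: copy from certlm.msc
$poolName   = 'DefaultAppPool'                 # assumption: the pool hosting the service
$account    = "IIS AppPool\$poolName"          # virtual account behind ApplicationPoolIdentity

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "Certificate $thumbprint is not in LocalMachine\My; a service under IIS needs the machine store" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key: import the PFX, not just the .cer" }

# Resolve the key container file name. CNG keys expose Key.UniqueName; legacy
# CAPI keys expose CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFileName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Machine keys live under %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for
# CAPI, Keys for CNG); search the tree instead of hard-coding one path.
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -File `
                         -Filter $keyFileName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key container file $keyFileName not found under $env:ProgramData\Microsoft\Crypto" }

# Grant Read only: the service must use the key, not replace or delete it.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting entry for the pool account so the change can be confirmed.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the certificate was imported into a user store rather than LocalMachine\My, the key file sits under that user's profile instead and the IIS worker process will not see it at all, which is the first thing Leo's question is meant to rule out.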

All replies

  • Hi,

    Thanks for your answer! I actually did do everything right, except for this weird phenomenon:
    The SSL certificate actually supports 3 DNS names: hrms.me; www.hrms.me; app.hunterhrms.com (you can view this certificate in your browser via any of these domains). However, the WCF service could only work with app.hunterhrms.com. For some reason, the service's "DNS claim" was always app.hunterhrms.com, regardless of which "Host Name" I gave it in the site's "Edit Binding". In other words, even though the service's address included www.hrms.me (which is actually the name of the certificate), its "DNS claim" was still app.hunterhrms.com.

    Seems like a bug (or feature...) in the SSL certificate, doesn't it?

    Friday, August 24, 2012 9:43 AM
  • Hi Adam,

    It seems you hit the following known issue:

    WCF X509 certificate validation only checks last DNSName in Subject Alternative Name

    https://connect.microsoft.com/VisualStudio/feedback/details/683174/wcf-x509-certificate-validation-only-checks-last-dnsname-in-subject-alternative-name


    Leo Tang [MSFT]

    Friday, August 24, 2012 10:04 AM
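A way to check a certificate for this issue before deploying it, as an added example that is not code from the thread or from Microsoft: a Windows PowerShell script that lists the dNSName entries of the Subject Alternative Name in the order they appear in the certificate and reports the last one, which is the name the linked issue says WCF's DNS identity check will accept, and therefore the value to put in the client's `<identity><dns value="..."/></identity>`. The thumbprint is a placeholder; the script assumes the certificate is in LocalMachine\My and that `Format()` emits English labels (`DNS Name=`), so the regular expression needs adjusting on a localized Windows.

```powershell
# Added example, not from the thread: enumerate SAN DNS names in certificate
# order and pick the last one, the name WCF matches per the linked issue.
# Assumptions: placeholder thumbprint; certificate in LocalMachine\My; English
# output from X509Extension.Format().

function Get-SanDnsNames {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.17 is the id-ce-subjectAltName extension OID.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }

    # Multi-line Format() output has one "DNS Name=<host>" line per dNSName entry,
    # in DER order. Other GeneralName kinds (IP Address, RFC822 Name) are skipped.
    $san.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1] } }
}

function Get-WcfDnsIdentity {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $names = @(Get-SanDnsNames -Certificate $Certificate)
    if ($names.Count -eq 0) {
        # No SAN extension: use the single DNS name .NET derives from the subject.
        return $Certificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
    return $names[-1]   # last dNSName entry, the one the linked issue describes
}

$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder: copy from certlm.msc
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

"SAN DNS names in certificate order:"
Get-SanDnsNames -Certificate $cert | ForEach-Object { "  $_" }

$dns = Get-WcfDnsIdentity -Certificate $cert
"Client endpoint identity to use: <identity><dns value=""$dns"" /></identity>"
```

For the certificate described in this thread the script would list hrms.me, www.hrms.me and app.hunterhrms.com in that order and report app.hunterhrms.com, matching what Adam observed as the service's DNS claim.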
  • Bingo!! The working domain is indeed that last one in the Subject Alternative Name.

    Hope this thread will help others avoid the frustration.

    Thanks a lot.

    Friday, August 24, 2012 10:20 AM