How to pass a chain of certificates?

  • Question

  • Hi,

    I am trying to write a WCF client for a Java Web service that uses Mutual SSL authentication.

    I have been told by the creator of the Java web service that I am supposed to send the client certificate AND the chain of CA certificates to the server. I cannot find an example of how to do this (sending just the client certificate is easy).

    How do I send a chain of multiple certificates?

    The current code to create the binding looks like this:

        Public Function MyNewWSHttpBindingMockServer() As WSHttpBinding
            Dim myBinding As New WSHttpBinding
            myBinding.Security.Mode = SecurityMode.Message
            myBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate
            ' Disable credential negotiation and the establishment of 
            ' a security context.
            myBinding.Security.Message.NegotiateServiceCredential = False
            myBinding.Security.Message.EstablishSecurityContext = False
            Return myBinding
        End Function

    And I add the client certificate like this:

            IssuerClient.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "")

    This all works fine, but I get "Null Cert Chain" errors back from the Java service, and these tests both return FALSE:

            ' ch is an X509Chain built with the default policy (trusted roots from the store)
            Dim ch As New X509Chain()
            Dim bResult As Boolean
            Dim bResult2 As Boolean
            bResult = ch.Build(IssuerClient.ClientCredentials.ClientCertificate.Certificate)
            bResult2 = IssuerClient.ClientCredentials.ClientCertificate.Certificate.Verify()

    Can anyone point me in the right direction please?

    Wednesday, March 4, 2015 10:49 AM


  • Seems that your issue is actually that your clients do not have a certificate that you can authenticate them with. In the scheme that you are shooting for, each client will need to have a private key that identifies them, and the server/service needs to have the corresponding public key to verify the signature (at least installed in the key store).

    Your current setup seems that each client has the public key for the server as a trusted server. So you can get them to connect and encrypt over SSL, and the client will trust the server, but the server actually doesn't know who the client is, or at least can't authenticate them without something to identify them. Your previous way, of username and password, is how they were identified before, but now with X.509 certificates, each person that had a username-password combo will need a unique certificate with a private key, in order to do the authentication.

    Then, you will need to either map those users to a Windows/LDAP account for easy administration and access control, or you will need to implement a custom validator (and possibly IIdentity, principal, and service credentials) in order to validate the private certificates and "log in" the user.

    I hope this has been a bit more helpful to you.  Here is one more on x509 custom auth and val

    Monday, March 9, 2015 5:58 AM
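The two posts above touch the same mechanism from both sides: the question's `ch.Build(...)` returning False, and the answer's suggestion of a custom validator on the service. The following VB.NET is an added example, not code from either poster. It puts the chain-building logic in one shared helper that returns the X509ChainStatus reasons (so a False from Build is explained rather than silently swallowed), lets you supply intermediate CA certificates through `ChainPolicy.ExtraStore` when they are not installed in the machine store, and reuses that helper in an `X509CertificateValidator` subclass that can be attached to a WCF ServiceHost. The file paths, the PFX password and the `Attach` helper are placeholders I chose for illustration.

```vbnet
' Added example (not from the original thread): chain diagnostics plus a custom
' WCF client-certificate validator built on the same helper.
Imports System
Imports System.Collections.Generic
Imports System.IdentityModel.Selectors
Imports System.IdentityModel.Tokens
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel
Imports System.ServiceModel.Security

Public Class ChainCheckingCertificateValidator
    Inherits X509CertificateValidator

    ' Intermediate CA certificates that may not be installed in the machine store.
    ' Supplying them via ExtraStore lets Build() complete the path to a trusted root.
    Private ReadOnly _extraIssuers As X509Certificate2Collection

    Public Sub New(extraIssuers As X509Certificate2Collection)
        _extraIssuers = extraIssuers
    End Sub

    ' Returns an empty list when the chain builds cleanly to a trusted root;
    ' otherwise one line per chain element and status flag, which is what a
    ' bare False from X509Chain.Build hides.
    Public Shared Function DescribeChainProblems(cert As X509Certificate2,
                                                 extraIssuers As X509Certificate2Collection) As List(Of String)
        Dim problems As New List(Of String)
        Using chain As New X509Chain()
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag
            If extraIssuers IsNot Nothing Then
                chain.ChainPolicy.ExtraStore.AddRange(extraIssuers)
            End If

            If chain.Build(cert) Then
                Return problems
            End If

            For Each element As X509ChainElement In chain.ChainElements
                For Each status As X509ChainStatus In element.ChainElementStatus
                    problems.Add(String.Format("{0}: {1} ({2})",
                                               element.Certificate.Subject,
                                               status.Status,
                                               status.StatusInformation.Trim()))
                Next
            Next
            If problems.Count = 0 Then
                ' No per-element reason was recorded; fall back to the overall chain status.
                For Each status As X509ChainStatus In chain.ChainStatus
                    problems.Add(String.Format("chain: {0} ({1})", status.Status, status.StatusInformation.Trim()))
                Next
            End If
        End Using
        Return problems
    End Function

    ' WCF calls this for every client certificate presented to the service.
    ' Throwing here rejects the caller before any service operation runs.
    Public Overrides Sub Validate(certificate As X509Certificate2)
        If certificate Is Nothing Then
            Throw New ArgumentNullException("certificate")
        End If
        Dim problems As List(Of String) = DescribeChainProblems(certificate, _extraIssuers)
        If problems.Count > 0 Then
            Throw New SecurityTokenValidationException(
                "Client certificate " & certificate.Thumbprint & " rejected: " & String.Join("; ", problems))
        End If
    End Sub

    ' Hypothetical helper: wire the validator into an existing ServiceHost.
    Public Shared Sub Attach(host As ServiceHost, extraIssuers As X509Certificate2Collection)
        With host.Credentials.ClientCertificate.Authentication
            .CertificateValidationMode = X509CertificateValidationMode.Custom
            .CustomCertificateValidator = New ChainCheckingCertificateValidator(extraIssuers)
        End With
    End Sub
End Class

Module Usage
    Sub Main()
        ' Placeholder path: the intermediate CA certificate(s) that issued the client certificates.
        Dim extraIssuers As New X509Certificate2Collection()
        extraIssuers.Import("C:\certs\intermediate-ca.cer")

        ' Client-side check of the same kind the question runs with ch.Build(...),
        ' but printing why the chain failed instead of just False.
        Dim clientCert As New X509Certificate2("C:\certs\client.pfx", "pfx-password-placeholder")
        For Each line As String In ChainCheckingCertificateValidator.DescribeChainProblems(clientCert, extraIssuers)
            Console.WriteLine(line)
        Next
    End Sub
End Module
```

If `DescribeChainProblems` reports a status such as `PartialChain` or `UntrustedRoot` on the client's own certificate, the client machine is missing the issuing CA certificates, which is the same situation the question's `Build` and `Verify` calls are reporting as False; adding the intermediates to `extraIssuers` (or installing them in the Intermediate Certification Authorities store) is the fix on that side. On the service side, `Attach` makes every presented certificate pass through the same check, which is the custom-validator route the answer describes.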