SSL in WCF with Self signed certificate

  • Question

  • We have built a WCF service using .net 4.5 and deployed the same to IIS 7.5 on a Windows 2008 R2 Server. The service is hosted on IIS and a self signed certificate is used for SSL-enabled communication with the service. The service authenticates client applications via a username token and the endpoints use 'TransportwithMessageSecurity'. The WCF client (also built using .net 4.5) invokes this service. I tested the WCF service on a local web browser and everything (username token authentication, service methods, SSL) worked fine. When I moved the WCF service to a remote web server (IIS 7.5 on a Windows 2008 R2 Server), I ran into this problem. When I tried to access the service from the client, I got an exception that read:

    Could not establish trust relationship for the SSL/TLS secure channel with authority <My Server Name>.

    Inner exception message was: The remote certificate is invalid according to the validation procedure.

    So I tried to access the WCF URL in internet explorer. The web browser prompted me that the certificate is not trusted and I should install the certificate to Trusted Root Authorities Store. So I brought up the certificate from the address bar and installed it to the Trusted Root Authorities Store. The SSL connection worked fine.

    My question is - is there a better way to establish SSL communication with the WCF services without installing the certificate on the client machine? This will not be an issue in production because we will use certificates issued by a well known CA. But we have to use self-signed certificate in development and test and installing certificate on each client appears to be cumbersome. Please help.

    Thanks.

    Wednesday, May 28, 2014 6:59 PM

Answers

  • Hi,

    From your description, I know that you want to establish the SSL communication in WCF without installing the certificate. But you will need to install the certificate in the service if you do not use Windows authentication, because when transport security is used (SSL), service credentials are negotiated through the transport protocol. If Windows credentials are not used as service credentials, then a service certificate must be specified.

    But we do not have to install the client certificate; we can simply turn off certificate validation in the client using the ServicePointManager - just return true from the server certificate validation callback.

    Also please try to check this article in which the client does not install the certificate.

    #How to: Configure an IIS-hosted WCF service with SSL:
    http://msdn.microsoft.com/en-us/library/hh556232(v=vs.110).aspx

    Best Regards,
    Amy Peng



    Thursday, May 29, 2014 6:53 AM
    Moderator
  • I added this code in the WCF client and the code works perfectly. Since we should not ignore certificate errors in production, it's probably a good idea to not override the default WCF behavior in production. This is the code.

    If DevelopmentMode Then
        ' Set up the ServicePointManager to accept SSL server certificates that are not
        ' issued by trusted certification authorities (development/test only).
        ServicePointManager.ServerCertificateValidationCallback = _
            Function(obj As [Object], certificate As X509Certificate, _
                     chain As X509Chain, errors As SslPolicyErrors) True
    End If

    Thanks a bunch for your help.

    Monday, June 2, 2014 8:52 PM

All replies

  • Hi Amy,

    Thanks for the prompt response. Do you have a code or configuration sample that shows how server certificate validation in the client can be turned off?

    As far as I understand, the article does not apply to my scenario since we are not authenticating clients by using certificates. We do not install client certificates and our solution follows the same steps as shown in the article. We are using custom token that contains username and password and that is used by the service to authenticate the client.

    Thanks

    Friday, May 30, 2014 4:24 PM
  • I found this link where this is done in application configuration setting. I'll check this out. Hopefully we can use configuration transformation to include this setting only in development.

    http://weblog.west-wind.com/posts/2011/Feb/11/HttpWebRequest-and-Ignoring-SSL-Certificate-Errors


    Friday, May 30, 2014 4:43 PM
  • Additional note just for the sake of completion:

    This code required adding a reference to the system.security library and uses the following import statements.

    Imports System.Net
    Imports System.Net.Security
    Imports System.Security.Cryptography.X509Certificates

    Monday, June 2, 2014 8:55 PM
  • Hey, no need to bypass certificate validation. Just install the certificate in the Trusted Root Store.

    Here is how you can do it.

    1. Browse your URL. Click on Certificate error --> View Certificates
    2. Click on View certificate
    3. Click on Install Certificate
    4. Certificate import wizard will open --> Next
    5. Select "Place all certificates in following store" --> Browse
    6. Select "Trusted Root Certification Authorities" --> OK
    7. You are done..!! Refer below screenshot

    Thursday, July 24, 2014 11:01 AM
  • Hi Sagar,

    Thanks for the suggestion. I did not go this route because I do not want to force all clients of this service to install the certificate to their trusted store. In other words, if the WCF client is executed from two or more machines, I'll have to install the certificate in the trusted root store of all the machines. Overriding the default behavior is easier because I can execute the WCF client from any machine and the WCF client will ignore the fact that it is using a non-trusted certificate (self signed certificate in this case). An extension of this implementation is to override the default behavior in the callback method to check for a specific domain name instead of returning a hard-coded 'true' value.

    Thanks


    Tuesday, July 29, 2014 4:54 PM
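As an added example (not code from anyone in this thread), here is the stricter form of the development-mode callback that the last two posts point toward: instead of returning True unconditionally, it tolerates only the untrusted-chain error a self-signed certificate produces, still rejects host-name mismatches, and accepts exactly one certificate identified by its thumbprint. The DevelopmentMode flag and the DevCertThumbprint placeholder are assumptions; the thumbprint must be copied from the real development certificate.

```vb
Imports System
Imports System.Net
Imports System.Net.Security
Imports System.Security.Cryptography.X509Certificates

Module DevCertificatePinning

    ' Assumed to come from configuration (e.g. a config transform); must be False in production.
    Private ReadOnly DevelopmentMode As Boolean = True

    ' Placeholder: SHA-1 thumbprint of the self-signed development certificate, as shown on the
    ' Details tab of the certificate dialog (hex, no spaces). Replace with the real value.
    Private Const DevCertThumbprint As String = "0000000000000000000000000000000000000000"

    Public Sub Register()
        ' Only development builds ever replace the default validation behaviour.
        If DevelopmentMode Then
            ServicePointManager.ServerCertificateValidationCallback = AddressOf ValidateDevCertificate
        End If
    End Sub

    Private Function ValidateDevCertificate(sender As Object, certificate As X509Certificate,
                                            chain As X509Chain, errors As SslPolicyErrors) As Boolean
        ' Anything the default validator already accepts stays accepted.
        If errors = SslPolicyErrors.None Then Return True
        If certificate Is Nothing Then Return False

        ' A self-signed certificate fails only because its chain is untrusted. A name mismatch
        ' (certificate issued for a different host) or a missing certificate is still rejected,
        ' so the callback cannot be satisfied by an arbitrary certificate on the wire.
        If errors <> SslPolicyErrors.RemoteCertificateChainErrors Then Return False

        ' Pin to the one known development certificate rather than trusting every untrusted chain.
        Dim cert2 As New X509Certificate2(certificate)
        Return String.Equals(cert2.Thumbprint, DevCertThumbprint, StringComparison.OrdinalIgnoreCase)
    End Function

End Module
```

Call DevCertificatePinning.Register() once at client start-up, before the first channel is opened; when the development certificate is rotated, only DevCertThumbprint changes.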