ServiceCertificate - Private Key & Permissions


  • I am developing a proof of concept WCF application.  I am trying to customise UserNamePasswordValidator.

    So I have set up my Services as a console app.  Set up an endpoint (using net.tcp).  I have set up the config file to use my custom UserNamePasswordValidator.  However, when Host.Open is called the service is erroring, saying a certificate is required.  So I configure a certificate in the store (with private key) and then point the serviceCredentials to it.

    The service is still crashing on Host.Open; however, now it is saying

    "must have a private key that is capable of key exchange. The process must have access rights for the private key."

    In the certificate manager it says the cert does have a private key, and I have used the WSE3 tool to find the private key and set permissions on it.  (Basically given Everyone, Network Service, and various user accounts full control for the sake of this test.)  However, I am still getting the error.

    Any ideas what else I could try?



    Tuesday, November 21, 2006 10:57 AM

All replies

  • Hello.

    What is the value of the "Key usage" extension of the service certificate?

    Pedro Felix
    Tuesday, November 21, 2006 11:07 AM
  • It's Digital Signature (80).  However, the icon next to 'Key Usage' has a little warning icon.

    If I go into the certificate properties, under the General tab, under certificate purposes it has "Enable all purposes for this certificate".  However, if I only enable some purposes the only option it gives me is Code Signing.

    This certificate is one from Verisign.  I am starting to think that I might need a different sort of certificate; however, I can't see any other certificate types on the Verisign site.



    Tuesday, November 21, 2006 11:32 AM
  • Hello.

    The key usage must allow for "Key Encipherment". The "little warning icon" means that the key usage extension is marked as "critical". This means that it cannot be ignored.
    Yes, probably you will need a certificate with a different key usage. A certificate intended for SSL servers will have the correct key usage.

    Hope it helps
    Pedro Felix
    Tuesday, November 21, 2006 2:29 PM
  • Hi,

    WCF needs a certificate with the following characteristics:

    KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)

    Enhanced Key Usage: Client Authentication (

    Usually, an SSL certificate does not provide all these attributes. For instance, a Verisign SSL certificate only provides these ones:

    KeyUsage: Digital Signature, Key Encipherment (a0)

    Enhanced Key Usage: Server Authentication ( Client Authentication (



    Tuesday, November 21, 2006 3:21 PM
  • Hello.

    Why does WCF require that a service-side certificate have an enhanced key usage with "client authentication" and Non-Repudiation?

    Pedro Felix
    Tuesday, November 21, 2006 4:13 PM
  • Pedro Felix wrote:
    Why does WCF require that a service-side certificate have an enhanced key usage with "client authentication" and Non-Repudiation?

    WCF itself doesn't check EKUs.  Cert requirements vary with the binding, hosting environment, and what the client is, but there are three main cases.  1) https transport, where http.sys governs cert requirements; 2) certificate based message security, where certs with exchange keys are required since the certs are used for both signature and encryption; 3) browsing WCF WSDL over https using IE, in which case IE requires the server SSL cert hold the ServerAuthentication EKU.  I don't know of any cases where a nonrepudiation EKU is required.

    Monday, November 27, 2006 6:22 PM
  • In our case, our CA, Symantec, issued an SSL cert whose "Key usage" extension was set to critical and displayed with "Exclamation point" (exclamation mark) in the cert's Details tab. As explained below, Internet Explorer (or the unmanaged ActiveX control) launched from Silverlight, itself launched from managed .NET code, failed to load the page, stating that a "certificate error" had occurred, a very vague message.

    RFC5280's section 4.2 states, "Each extension in a certificate is designated as either critical or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized."

    Monday, May 9, 2016 10:13 PM
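The replies above quote the Key Usage value as the hex byte shown in the Windows certificate dialog (80, a0, f0) and the RFC 5280 rule on critical extensions. As an added example that is not part of this thread, the following Python decodes that byte into the RFC 5280 KeyUsage names, checks for the keyEncipherment bit that WCF's "capable of key exchange" error refers to, and applies the critical/non-critical rule; the function names and the hex inputs are constructed for illustration.

```python
"""Decode the X.509 KeyUsage value shown next to 'Key Usage' in certmgr.

Added example (not from the thread). Inputs are the hex values the replies
quote: 80 (Digital Signature only), a0 (Verisign SSL), f0 (the set the
fourth reply lists).
"""
from typing import List

# RFC 5280 section 4.2.1.3 KeyUsage bit positions; the Windows dialog shows
# the BIT STRING's first octet, most significant bit first.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(hex_value: str) -> List[str]:
    """Turn the displayed hex (e.g. 'a0') into the list of set usage names."""
    bits = "".join(f"{b:08b}" for b in bytes.fromhex(hex_value))
    return [name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"]


def supports_key_exchange(hex_value: str) -> bool:
    """Message security encrypts a session key to the service's public key,
    so the certificate must carry keyEncipherment; a signature-only cert
    (80) fails with the 'capable of key exchange' error quoted above."""
    return "keyEncipherment" in decode_key_usage(hex_value)


def evaluate_extension(recognized: bool, critical: bool,
                       processable: bool = True) -> str:
    """The RFC 5280 section 4.2 rule quoted in the last reply: a critical
    extension that is unknown or unprocessable forces rejection; an
    unknown non-critical one may be ignored."""
    if critical and (not recognized or not processable):
        return "reject"
    if not recognized:
        return "ignore"
    return "process"
```

Run `decode_key_usage("f0")` to see the four usages the fourth reply lists; `supports_key_exchange("80")` is False, which is the original poster's situation.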