none
How to authenticate Client X509 Certificate under ssl communication? RRS feed

  • Question

  •  

    I've got a self host WCF Service, using BasicBinding, the Security.Mode is set to Transport and ClientCredentialType is none.  I installed a SSL certificate generated by the Certificate server, and configured it with the HttpCfg tool. It was working fine, and I was able to make the remote call from my client application under a secure channel.

    Now I want to authenticate my client using the x509 certificate, not allowing the anonymous access.  At my client application (v1.1 .net  winform), I added the following code:

    _proxy.ClientCertificates.Add(Certificate);

    At my service side, I changed the binding’s ClientCredentialType to certificate.

    When I made the call from my client to service again, I got the “403 Unauthorization error”.  The certificate used is “SingedByCA.cer” and generated using the “makeCert” tool. (I able to see the SingedByCA.cer installed in the CurrentUser/Personal, and TempCA installed in the currentuser/trust root certificate authorities.

    makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

    I checked the WinFX SDK documentation, I found this statement:

    When using HTTPS to communicate between a client and a service, the certificate that the client uses to authenticate to the service must support chain trust. That is, it must chain to a trusted root certificate authority.  If not, the HTTP layer raises a WebException with the message "The remote server returned an error: (403) Forbidden."

    But isn’t my tempCA already in the trusted root, so How should I troubleshoot this error?

    By the way, can anyone recommend a book to learn the wcf security?

    Sunday, April 29, 2007 4:29 PM

All replies

  • Take a look at this post http://blogs.msdn.com/sajay/archive/2007/01/05/thoughts-on-basichttpbinding-security-and-ssl.aspx

    See it you are able to proceed after this.

    Sunday, April 29, 2007 6:23 PM
    Moderator
  •  

    I have read your blog. Thanks for your reply.

     

    For the RemoteCertificateValidationCallback  Callback, it is implemented in the client side to ignore the non-cahin trusted certificate? What if my client is build on framework 1.1? I tired to check if the same callback is available on the v1.1, but seems the ServicepointManager in v1.1 do not have such a callback.

     

    If makeCert can't generate a Chain trust certificate for me for client authentication use, is anyway i can generate it and use for production within my own network domain, does Cert Service on windows 2003 generated cert can fulfil the requirement?

     

     

     

    Monday, April 30, 2007 2:12 AM
  • Anyone got idea?
    Thursday, May 17, 2007 3:59 AM