
I created a WCF service that should work using certificates. My test, where I'm using self-signed certificates, works perfectly, but everything changes when I try to run it on the server, where the certificates are generated by a CA. I generated client and server certificates using the CA, and after that I exported the server certificate to the "Trusted People" folder. (I placed both certificates in the LocalMachine store.) I have also granted all necessary permissions to the certificate.

The problem appears when I run the client program, where I get the exception:

The X.509 certificate CN=xxxx is not in the trusted people store.

Here is my server config:

  <system.serviceModel>
    <services>
      <service behaviorConfiguration="MyServiceBehavior" name="PoswsService">
        <endpoint address="http://xxxx/PoswsService.svc" binding="wsHttpBinding"
          bindingConfiguration="MyServiceBinding" contract="IPoswsService" />
        <endpoint address="http://xxxx/mex" binding="mexHttpBinding" name="MetadataBinding"
          contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceCredentials>
            <!-- How the service validates the client's certificate:
                 PeerOrChainTrust accepts a certificate that is either present in
                 LocalMachine\Trusted People (the server-side default store) or chains
                 to a trusted root. revocationMode="Online" requires the CA's CRL/OCSP
                 endpoint to be reachable from the server. -->
            <clientCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="Online"/>
            </clientCertificate>
            <!-- The service's own certificate, located by serial number in LocalMachine\My -->
            <serviceCertificate findValue="xxxxxxxxxxxxxxxxxxxxx" storeLocation="LocalMachine"
              storeName="My" x509FindType="FindBySerialNumber" />
          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true" />
          <!-- Debugging aid: returns exception details to callers; disable in production -->
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="MyServiceBinding">
          <security>
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

Here is the client config:

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IPoswsService"
        bypassProxyOnLocal="false" transactionFlow="false" >
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
            realm="" />
          <message clientCredentialType="Certificate" negotiateServiceCredential="true"
            algorithmSuite="Default" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://xxxx/PoswsService.svc"
      binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IPoswsService"
      contract="TestService.IPoswsService" name="WSHttpBinding_IPoswsService"
      behaviorConfiguration="CustomBehavior">
      <!-- Expected service identity: base64-encoded DER of the service certificate -->
      <identity>
        <certificate encodedValue="long word" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <!-- The client's own certificate, located by serial number in CurrentUser\My -->
          <clientCertificate findValue="xxxxxxxxxxxxxxxxxxx" x509FindType="FindBySerialNumber"
            storeLocation="CurrentUser" storeName="My"/>
          <!-- How the client validates the service certificate. PeerTrust looks for the
               exact certificate in the Trusted People store; trustedStoreLocation is not
               set here, so the CurrentUser store is consulted (the client-side default). -->
          <serviceCertificate>
            <authentication certificateValidationMode="PeerTrust"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

Does someone know where my mistake might be?

Moroz

2 Answers


Trusted People is one of several certificate stores that exist on Windows. In the start menu, search for Manage computer certificates, and you'll find it. Just install the certificate to that location.

[Image: certificate store showing the Trusted People location]

jpaugh

I don't have a lot of WCF experience, but generally, you want to place the CA cert in the trusted location. The client should have its own trusted location and the CA cert will need to go there too. And if this is a production service, you'll want to change the certificateValidationMode to "ChainTrust" for both client and server, which means it will trust certificates that chain up to the CA cert. "PeerTrust" means you just place the actual cert you want to trust in the trust locations. This page may be helpful to look at.

gtrig