4

I have a self-hosted WCF service with TCP binding, now trying to layer on SSL.

The cert I got from the CA has two values for "Subject Alternative Name":

www.mysite.com
mysite.com

I only want to present "mysite.com" to WCF clients, somehow this www.mysite.com (which the CA added, I did not ask for www.mysite.com).

I am using the below code server-side. What do I have to tweak to "hide" the www.mysite.com address?

svc.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.CurrentUser , StoreName.My , X509FindType.FindBySubjectName , "mysite.com" );

So right now when the client connects, I get

"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'mysite.com' but the remote endpoint provided DNS claim 'www.mysite.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'www.mysite.com' as the Identity property of EndpointAddress when creating channel proxy. "

I don't want the client to know anything about www.mysite.com. I only want them to use what the serve presents, and I want the sever to only present mysite.com.

Snowy
  • 5,942
  • 19
  • 65
  • 119
  • 1
    This is a bug: http://connect.microsoft.com/VisualStudio/feedback/details/683174/wcf-x509-certificate-validation-only-checks-last-dnsname-in-subject-alternative-name – UserControl Feb 17 '14 at 08:33

1 Answers1

0

Why do you want to hide it? A certificate with SAN alternatives means it is value for all of those FQDNs, so it will work on both www.mysite.com and mysite.com.

Additionally from the looks of your call to SetCertificate the subject name of the certificate is what you want, mysite.com and that's what's checked first.

The full text of the error message comes in the form of

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'X' but the remote endpoint provided DNS claim 'Y'

Now this has nothing to do with the certificate, but the host that IIS is configured for, or, in the case of self hosting, the host/machine Windows is configured to be. You can override the host that WCF will use by adding a new configuration setting for the endpoint;

<identity>
    <dns value="mysite.com"/>
</identity>

or setting it in code when you create the endpoint.

blowdart
  • 55,577
  • 12
  • 114
  • 149
  • I want to hide it because my client apps are looking for mysite.com not www.mysite.com. I edited my original text to include the full error message. Thanks. – Snowy Sep 28 '11 at 17:30