How to: use an SSL certificate to configure the port

When you create a self-hosted Windows Communication Foundation (WCF) service with the WSHttpBinding class that uses transport security, you must also configure a port with an X.509 certificate. If you are not creating a self-hosted service, you can host the service in Internet Information Services (IIS). For more information, see HTTP Transport Security.

To configure the port, the tool used depends on the operating system running on the computer.

If you are running Windows Server 2003 or Windows XP, use the HttpCfg.exe tool. The tool is installed with Windows Server 2003. For Windows XP, you can download it from the Windows XP Service Pack 2 Support Tools. For more information, see Httpcfg Overview. The Windows Support Tools documentation describes the syntax of the HttpCfg.exe tool.

If you are running Windows Vista, use the installed Netsh.exe tool.

This topic describes how to complete the following processes:

  • Determine the current port configuration of the computer.
  • Obtain the fingerprint of the certificate (the fingerprint is required in the following two processes).
  • Bind the SSL certificate to the port configuration.
  • Bind the SSL certificate to the port configuration and support client certificates.
  • Delete an SSL certificate from a port number.

Note that modifying certificates stored on the computer requires administrative privileges.

Determine how ports are configured
  1. In Windows Server 2003 or Windows XP, use HttpCfg.exe with the query and ssl switches to view the current port configuration, as shown in the following example.

    httpcfg query ssl

  2. In Windows Vista, use Netsh.exe to view the current port configuration, as shown in the following example.

    netsh http show sslcert

Obtain the certificate fingerprint
  1. Use the Certificates MMC snap-in to find the X.509 certificate used for client authentication. For more information, see How to: View certificates using the MMC snap-in.

  2. Access the certificate's fingerprint (shown as "Thumbprint" in the certificate details). For more information, see How to: retrieve the fingerprint of a certificate.

  3. Copy the certificate fingerprint to a text editor, such as Notepad.

  4. Remove all spaces between the hexadecimal characters. One way to do this is to use the "search and replace" feature of the text editor to replace each space with nothing (an empty string).

Bind the SSL Certificate to the port number
  1. In Windows Server 2003 or Windows XP, use the "set" command of HttpCfg.exe to bind the certificate to a port number in the Secure Sockets Layer (SSL) store. The tool uses the fingerprint to identify the certificate, as shown in the following example.

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

    • The -i switch has the syntax IP:port and tells the tool to set the certificate on port 8012 of the computer. Optionally, you can replace the four zeros in front of the port number with the actual IP address of the computer.
    • The -h switch specifies the fingerprint of the certificate.
  2. In Windows Vista, use Netsh.exe, as shown in the following example.

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF} 

    • The certhash parameter specifies the fingerprint of the certificate.
    • The ipport parameter specifies the IP address and port. It works like the -i switch of HttpCfg.exe.
    • The appid parameter is a GUID that identifies the application.

Bind the SSL Certificate to the port number and support client certificates
  1. In Windows Server 2003 or Windows XP, to support clients that use X.509 certificates for authentication at the transport layer, follow the preceding procedure, but pass an additional command-line parameter to HttpCfg.exe, as shown in the following example.

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6 -f 2

    • The -f switch has the syntax n, where n is a number between 1 and 7. A value of 2, as shown in the preceding example, enables client certificates at the transport layer. A value of 3 enables client certificates and maps those certificates to Windows accounts. See the HttpCfg.exe help for the other values.

  2. In Windows Vista, to support clients that use X.509 certificates for authentication at the transport layer, follow the previous steps, but provide another parameter, as shown in the following example.

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable
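
The fingerprint clean-up and the two bind commands above, as an added example that is not part of the original page: it removes spaces and also the invisible format characters that can come along when the value is copied from a dialog, validates every value, and returns each command as an argument list. The function names and the pasted sample are constructed for illustration, and the fingerprint is assumed to be a SHA-1 hash (40 hex digits).

```python
import ipaddress
import re
import unicodedata
import uuid

# Constructed sample: a fingerprint as pasted from a certificate dialog, with
# spaces, mixed case and a leading invisible U+200E mark (not a real certificate).
PASTED = "\u200eA1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 D4"


def normalize_fingerprint(raw):
    """Strip whitespace and invisible format characters, then require bare hex."""
    kept = (c for c in raw if not c.isspace() and unicodedata.category(c) != "Cf")
    hexstr = "".join(kept).lower()
    # Assumption: the fingerprint is a SHA-1 hash, i.e. exactly 40 hex digits.
    if not re.fullmatch(r"[0-9a-f]{40}", hexstr):
        raise ValueError(f"not a 40-digit hex fingerprint: {hexstr!r}")
    return hexstr


def validate_ipport(ipport):
    """Accept only IPv4:port, the form used in the commands on this page."""
    host, sep, port = ipport.rpartition(":")
    if not sep or not re.fullmatch(r"[0-9]{1,5}", port) or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad IP:port value: {ipport!r}")
    ipaddress.IPv4Address(host)  # raises ValueError on anything but dotted IPv4
    return ipport


def netsh_add_sslcert(ipport, fingerprint, appid, client_certs=False):
    """Argument list for Netsh.exe (Windows Vista); usable with subprocess.run."""
    args = ["netsh", "http", "add", "sslcert",
            f"ipport={validate_ipport(ipport)}",
            f"certhash={normalize_fingerprint(fingerprint)}",
            f"appid={{{str(uuid.UUID(appid)).upper()}}}"]  # uuid.UUID rejects non-GUIDs
    if client_certs:
        args.append("clientcertnegotiation=enable")
    return args


def httpcfg_set_ssl(ipport, fingerprint, client_certs=False):
    """Argument list for HttpCfg.exe (Windows Server 2003 / Windows XP)."""
    args = ["httpcfg", "set", "ssl", "-i", validate_ipport(ipport),
            "-h", normalize_fingerprint(fingerprint)]
    if client_certs:
        args += ["-f", "2"]  # 2 = client certificates at the transport layer
    return args
```

Because each command is a list rather than one string, no shell parses the values, and a malformed fingerprint or port fails before the tool is ever called.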

Delete an SSL certificate from a port number
  1. Use HttpCfg.exe or Netsh.exe to view the ports and the fingerprints of all bindings on the computer. To write the information to disk, use the redirection character ">", as shown in the following example.

    httpcfg query ssl>myMachinePorts.txt

  2. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool with the delete and ssl keywords. Use the -i switch to specify the IP:port number and the -h switch to specify the fingerprint.

    httpcfg delete ssl -i 0.0.0.0:8005 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

  3. Use Netsh.exe in Windows Vista, as shown in the following example.

    Netsh http delete sslcert ipport=0.0.0.0:8005
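
Steps 1 and 3 above combined, as an added example that is not part of the original page: it parses a saved Netsh.exe listing and returns one delete command for each port still bound to a given fingerprint, for instance when a certificate is being retired. The sample listing is constructed and abridged, and its field labels are an assumption about the tool's "name : value" layout.

```python
import re

# Constructed, abridged sample of saved "netsh http show sslcert" output.
# Field labels are assumed and may differ by Windows version or display
# language; every value is made up.
SAMPLE = """\
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:8000
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4
    Negotiate Client Certificate : Enabled

    IP:port                      : 0.0.0.0:8005
    Certificate Hash             : 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:8012
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4
    Negotiate Client Certificate : Disabled
"""


def parse_bindings(text):
    """Return {ip:port: {field: value}} for every binding in the listing."""
    bindings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(.+?)\s+:\s+(.*)$", line)
        if not m:
            continue  # title, rule and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key.lower() == "ip:port":
            current = bindings.setdefault(value, {})  # a new binding starts
        elif current is not None:
            current[key] = value
    return bindings


def ports_bound_to(bindings, fingerprint):
    """Ports whose bound certificate hash equals the given fingerprint."""
    wanted = "".join(fingerprint.split()).lower()
    return sorted(port for port, fields in bindings.items()
                  if fields.get("Certificate Hash", "").lower() == wanted)


def delete_commands(bindings, fingerprint):
    """One 'netsh http delete sslcert' argument list per matching port."""
    return [["netsh", "http", "delete", "sslcert", f"ipport={port}"]
            for port in ports_bound_to(bindings, fingerprint)]
```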
