Summary of the Application of WCF X.509 Certificate verification

Source: Internet
Author: User

I recently configured a WCF X.509 Certificate for verification. I want to implement SSL encryption on the server. Then, when the client calls the service, I need to present my digital certificate to prove that I am a legal user.
The configuration process is very troublesome, not as described in the book. I have summarized the following notes:

In IIS, for a WCF Service site with a server certificate, you can require SSL connections and 128-bit encryption, but not client certificates.
In the WCF Service Section, you cannot use wsdualhttpbinding. You must use one channel for SSL, And the other channel for security reasons. errors may occur when the service is running.

The configuration process consists of the following steps:
1. Configure the iis ssl server certificate
2. Obtain and Set client certificates
3. Configure the server and client of WCF

The above step 1 involves IIS applications, which is not the focus of this article. I believe that friends who have played IIS and Certificate Authority are no stranger and will not describe it. It is easier to obtain the certificate in step 1.
The new certificate is usually installed under CURRENT_USER \ My on the local machine by default. Non-System Administrators cannot obtain the private key, the WCF client needs to obtain the private key of the certificate to prove to the server.
Your identity, and the non-local administrator account is used when the WCF client is running. As a result, the WCF reports an error where the certificate cannot be found. To solve this problem, we need to use
The tool of "Windows HTTP service certificate Configuration tool", winhttpcert0000.exe), specifies the permission for the certificate. This toolkit is included in Windows Server 2003 Resource Kit tools
Can download to Microsoft, address: Familyid = 9d467a69-57ff-4ae7-96eeb18c4790cffd & displaylang = en
After the download, the command line is similar to the following:
Winhttpcertcmd.exe-g-C CURRENT_USER \ My-s" Issued_to_name" - Domain \ ACCOUNT
That is to say, grant the account the permission to obtain the private key, such as ASPnet and networkservice, and-S is followed by the condition to be searched.
Please check the usage of winhttpcert0000.exe on the Internet. I have found an msdn document, but I forgot to save the link address (Khan ....)
After assigning permissions, it is best to turn off the IIS process so that the setting takes effect quickly. We also need to configure the certificate required by the Service.
After completing step 1, step 2 is easy to handle. paste my configuration.


1 < Behaviors >
2 < Servicebehaviors >
3 < Behavior Name = "Memberservicebehavior" >
4 < Servicemetadata Httpgetenabled = "False" Httpsgetenabled = "True" >
5 < Servicedebug Includeexceptiondetailinfaults = "False" />
6 < Servicecredentials >
7 < Servicecertificate Storename = "My" Storelocation = "Localmachine" X509findtype = "Findbysubjectname"  
8 Findvalue = "Membershipapi" />
9 </ Servicecredentials >
10 </ Behavior >
11 </ Servicebehaviors >
12 </ Behaviors >


1 < Bindings >
2 < Wshttpbinding >
3 < Binding Name = "Wshttpcredentialbinding" >
4 < Security Mode = "Transportwithmessagecredential" >
5 < Transport Clientcredentialtype = "Certificate" />
6 < Message Clientcredentialtype = "Certificate"   />
7 </ Security >
8 </ Binding >
9 </ Wshttpbinding >
10 </ Bindings >


1 < Behaviors >
2 < Endpointbehaviors >
3 < Behavior Name = "Clientcredentialbehavior" >
4 < Clientcredentials >
5 < Clientcertificate Storename = "My" Storelocation = "Currentuser" Findvalue = "Memberapiclient" X509findtype = "Findbysubjectname"   />
6 < Servicecertificate >
7 < Authentication Certificatevalidationmode = "Chaintrust" />
8 </ Servicecertificate >
9 </ Clientcredentials >
10 </ Behavior >
11 </ Endpointbehaviors >
12 </ Behaviors >

Although the client still can see the metadata endpoint of the service without providing a certificate (mainly because IIS is not configured to require a client certificate ),
If you do not have a certificate, an error occurs, which is basically achieved.
Finally, I would like to talk about the article about authentication certificatevalidationmode which is better configured as preetrust. It can be verified as long as it is in the list of trusted persons, but it has been tested by me.
This does not seem to be the case. In my clients and services, there is no difference in setting the authentication certificatevalidationmode value to preetrust or chaintrust.
Find your own certificate and provide it to the service. Otherwise, an error will occur. Later, I found a text on msdn to explain it as follows:

<Behavior name = "clientcertificatebehavior">
<! --
The clientcredentials behavior allows you to define a certificate to present to a service.
A certificate is used by a client to authenticate itself to the service and provide message integrity.
This configuration references the "" Certificate installed during the setup instructions.
<Clientcertificate findvalue = "" storelocation = "currentuser" storename = "my" x509findtype = "findbysubjectname"/>
<! --
Setting the certificatevalidationmode to peerorchaintrust means that if the certificate
Is in the user's trusted people store, then it is trusted without login Ming
Validation of the certificate's issuer chain. This setting is used here for convenience so that
Sample can be run without having certificates issued by a certificate authority (CA ).
This setting is less secure than the default, chaintrust. The security implications of this
Setting shoshould be carefully considered before using peerorchaintrust in production code.
<Authentication certificatevalidationmode = "peerorchaintrust"/>

It seems that sometimes you still need to look at English to learn WCF well .....

Update: According to jillzhang, and verify the certificate. You do not need to place the Certificate in localmachine.Winhttpcertcmd.exeThe configuration can be found in the WCF, and the certificate error cannot be found without holding it. Thank you, jillzhang.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.