Key points:
1. Ensure that the client certificate is set on the client proxy.

    // Select the client certificate from the current user's personal store by subject name.
    // "client" is the generated WCF proxy and "certName" the subject name to look up.
    client.ClientCredentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser,
        StoreName.My,
        X509FindType.FindBySubjectName,
        certName);
2. Write your own validator by inheriting from X509CertificateValidator.

    using System;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;

    public class MyX509CertificateValidator : X509CertificateValidator
    {
        string allowedIssuerName;

        public MyX509CertificateValidator(string allowedIssuerName)
        {
            if (allowedIssuerName == null)
            {
                throw new ArgumentNullException("allowedIssuerName");
            }
            this.allowedIssuerName = allowedIssuerName;
        }

        public override void Validate(X509Certificate2 certificate)
        {
            // Check that there is a certificate.
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate");
            }

            // Check that the certificate issuer matches the configured issuer.
            // Note: this is an exact string comparison of the issuer's distinguished name,
            // so the value passed to the constructor must match character for character.
            if (allowedIssuerName != certificate.IssuerName.Name)
            {
                throw new SecurityTokenValidationException("Certificate was not issued by a trusted issuer");
            }
        }
    }
3. On the server side, plug the validator you have written into the ServiceHost.

    using (ServiceHost serviceHost = new ServiceHost(typeof(CalculatorService)))
    {
        // Switch client certificate validation to the custom mode and supply the validator.
        serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
            new MyX509CertificateValidator("cn=contoso.com");

        serviceHost.Open();
        Console.WriteLine("Service started, press ENTER to stop ...");
        Console.ReadLine();
        serviceHost.Close();
    }
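The validator above only compares the issuer's display name, so any certificate whose issuer field happens to carry that string passes, chain and revocation are never checked. The following is an added example, not code from the page or from the MSDN article, showing a validator that builds and checks the chain and pins the issuing CA by thumbprint; the class name ChainPinningCertificateValidator and the thumbprint value are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical hardened replacement for MyX509CertificateValidator:
// verifies the chain, checks revocation and pins the issuing CA's thumbprint.
public class ChainPinningCertificateValidator : X509CertificateValidator
{
    private readonly string trustedIssuerThumbprint;

    public ChainPinningCertificateValidator(string trustedIssuerThumbprint)
    {
        if (string.IsNullOrEmpty(trustedIssuerThumbprint))
        {
            throw new ArgumentNullException("trustedIssuerThumbprint");
        }
        // Normalise so that "AB CD ..." and "abcd..." compare equal.
        this.trustedIssuerThumbprint = trustedIssuerThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Require the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2).
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

        if (!chain.Build(certificate))
        {
            throw new SecurityTokenValidationException("Client certificate failed chain validation.");
        }

        // Element 0 is the leaf; element 1 is the CA that issued it. Pin on that CA's thumbprint,
        // which is bound to the CA key, unlike the issuer name string.
        if (chain.ChainElements.Count < 2 ||
            !string.Equals(chain.ChainElements[1].Certificate.Thumbprint,
                           trustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            throw new SecurityTokenValidationException("Client certificate was not issued by the pinned CA.");
        }
    }
}
```

Register it exactly as in step 3, replacing MyX509CertificateValidator with this class and passing the issuing CA's thumbprint (a constructed placeholder such as "0000...0000" until you substitute your own).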
Finally, the official MSDN article this is based on (original source):
https://msdn.microsoft.com/en-us/library/ms733806(v=vs.110).aspx
WCF: custom certificate validation logic