Click here to Skip to main content
Click here to Skip to main content

Tagged as

Simple WCF - X509 Certificate

, 29 Apr 2008 CPOL
Rate this:
Please Sign up or sign in to vote.
how to create Temporary X509 certificate and also to implement X509 Certificate security in WCF service and client


This article will describe how to create Temporary X509 certificate and to implement X509 Certificate security in WCF service and client. This configuration can be simply done via in config file itself.

Using the Code

Creating X509 Certificate:

makecert.exe this tool will helpful to create X509 certificate. This tool is packed along with Microsoft .Net 2005 SDK and also be downloaded from micosoft site.

Step1: creating the temporary certificate TempCA.cer
Step2: Create SignedByCA.cer which is digitally sign and authorize by TempCA certificate
Step3: Import the certificate TempCA.cer using MMC in to "Trusted Root Certificate Authorities" folder (Localmachine)
Step4: Import the certificate SignedByCA.cer in to the personal folder

step1: makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
step2: makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

step3: Go to Start -> Run -> Type MMC -> File -> Add/Remove Snap-In -> StandAlone Tab -> Add Button -> Certificates -> Computer Account

step4: Import SignedByCA.cer in to Personal Folder

Export Certificate:To export the created certifciate to outside world, it is necessary to export the private key also. Thus it is possible to convert the certificate .cer and .pvk to .pfx (i.e TempCA.cer and TempCA.pvk to TempCA.pfx). Equivalent tool for this conversion is pvk2pfx.exe. This will be available in your <programfile>/Visual Studio 8/Common7/Tools/bin/pvk2pfx.exe

cmd> pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer      
this open wizard which will help to create .pfx file. Then you can distribute the PFX file to client

Access Permission X509 certificate:
If WCF services are hosted in IIS or Windows service or so on, based on the hosted environment specific permission to be give for X509 certificate. For ex: if WCF service is hosted in IIS then ASPNET user (XP) permission must be given to the certifciate. Thus, this can be achived using Winhttpcertcfg.exe which will give the permission to specified certificate. Seperate download is available for this tool and also this tool is downloadable along this article itself.

//for grant ASPNET permission to TempCA.cer
cmd>winhttpcertcfg -g -c LOCAL_MACHINE\MY -s TempCA -a ASPNET

//for grant ASPNET permission to TEMPCA.pfx
cmd>winhttpcertcfg -i TempCA.pfx -g -c LOCAL_MACHINE\My -s TempCA -a ASPNET     
WCF Server Config:

Configure the WCF service to support X509 certificate as one of the security process. possible to configure the client level certificate authority in the server config file itself. Thus at the time of creating proxy class using svcutil.exe config file will be generated with certificate information (token).

<service name="service1" behaviorConfiguration="beh1">
         <endpoint address="secure" contract="Icontract1" binding="wsHttpBinding" bindingConfiguration="binding1"></endpoint>
         <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
         <behavior name="beh1">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true"/>
                <!--<span class="code-comment">certificate storage path in the server --></span>
                <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"  storeName="My"/>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
                <!--<span class="code-comment">certificate storage path in the client --></span>
                  <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
        <behavior name="beh1">
            <!--<span class="code-comment">certificate storage path in the client --></span>
            <clientCertificate findValue="TempCA" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
        <binding name="binding1">
          <security mode="Message">
            <!--<span class="code-comment">security mode of certificate --></span>
            <message establishSecurityContext="false" clientCredentialType="Certificate"/>

Client Config:(Auto generated using svcutil.exe)

Sample WCF client config file generated using svcutil.exe

<!--<span class="code-comment">app.config--></span>
      <endpoint address="http://localhost/service1/servic1.svc/secure"
        binding="wsHttpBinding" bindingConfiguration="bind1"
        contract="Icontract1" name="WSHttpBinding_Icontract1">
          <certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" />

After successful implementation of above points, when any request send from client to the server then the message will be digitally signed by the certifciate present in the client and the server

Points of Interest

I have interested to start security implementation with WCF


April 29, 2008. First release


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Technical Lead Infosys Technologies
India India
No Biography provided

Comments and Discussions

QuestionHow .Net call a self-sign java web service Pinmemberlpbinh11-Mar-12 23:43 
QuestionWhere is SignedByCA used? PinmemberRajeshjoseph21-Jan-12 4:58 
QuestionSOAP Security negociation FAIL !! PinmemberMember 775853116-Mar-11 3:40 
GeneralASPNET account could not be found Pinmembercilker2-Feb-11 4:11 
GeneralTest Certificate versus Production Certificate PinmemberDotNet_Naeem28-Aug-09 16:10 
GeneralRe: Test Certificate versus Production Certificate PinmemberDotNet_Naeem31-Aug-09 7:21 
GeneralI only require signing of messages PinmemberRoss1000018-Sep-08 7:14 
GeneralRe: I only require signing of messages [modified] Pinmembermeetsenthilbtech6-Jan-09 23:43 
General'Temporary' Certificate Pinmemberrctaubert9-Aug-08 15:35 
GeneralRe: 'Temporary' Certificate Pinmembermeetsenthilbtech6-Jan-09 23:40 
GeneralRe: 'Temporary' Certificate PinmemberLoona7015-Sep-09 5:18 
Questionwinhttpcertcfg does not work, Access Denied PinmemberRedCatsRic4-Aug-08 5:28 
AnswerRe: winhttpcertcfg does not work, Access Denied Pinmembermeetsenthilbtech6-Jan-09 23:39 
GeneralRe: winhttpcertcfg does not work, Access Denied PinmemberJohn Kenedy S.Kom20-Sep-11 22:53 
GeneralBig help for using wcf with certs from an page! PinmemberCorgalore29-Jul-08 10:32 
GeneralGreat article! But.. PinmemberDavidPrice10-Jun-08 7:38 
AnswerRe: Great article! But.. Pinmembermeetsenthilbtech10-Jun-08 20:15 
GeneralRe: Great article! But.. Pinmembercarlosnajam18-Jul-10 22:52 
GeneralNice but have one question PinmemberSalam Y. ELIAS29-May-08 8:18 
AnswerRe: Nice but have one question Pinmembermeetsenthilbtech29-May-08 19:27 
GeneralRe: Nice but have one question PinmemberNisd4-Jan-10 0:24 
Questiondownloadable source code PinmemberdestructoDave12-May-08 18:41 support PinmemberLoci5-May-08 21:38 
AnswerRe: .net support Pinmembermeetsenthilbtech5-May-08 21:58 
GeneralThank you for tutorial Pinmemberaclar30-Apr-08 12:02 
GeneralRe: Thank you for tutorial Pinmembermeetsenthilbtech1-May-08 19:23 
GeneralReally Nice Pinmembernavalravi30-Apr-08 2:19 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.150331.1 | Last Updated 29 Apr 2008
Article Copyright 2008 by meetsenthilbtech
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid