Click here to Skip to main content
Click here to Skip to main content
Search within:



 
Comments & Discussions (35)

Securing WCF Services with Certificates

By , 30 Jul 2008
 
Prize winner in Competition "Best ASP.NET article of July 2008"

Introduction

This article provides a step-by-step guide to securing WCF services with certificates. Most articles of this nature use makecert.exe to generate sample certificates. This is great for testing purposes, but what if you want to use certificates that are issued from a Certificate Authority (CA)? This article will show you how to generate certificates with Microsoft Certificate Services and use them to secure your WCF services.

Prerequisites

This article assumes that you know how to create and consume a WCF service.

You should have two separate machines to follow the steps in this article:

  1. Client machine — this can be your development system. You should have the .NET Framework 3.0 or higher installed.
  2. Server machine — this will function as our WCF server as well as a Certificate Authority. (Note that you may want to have a separate server function as the CA.) You should have Windows Server 2003 with the .NET Framework 3.0 or higher installed. If you do not have a separate machine, it is recommended that you create a virtual machine with these specifications. This can be achieved by using Virtual PC 2007.

Section 1: Install Microsoft Certificate Services on the Server

You have two options for obtaining X.509 certificates for which to secure your services:

  1. Purchase a certificate from a trusted certificate authority such as VeriSign, Thawte, RapidSSL, etc.
  2. Create your own certificate authority

This article focuses on the 2nd option by creating certificates using Microsoft Certificate Services. To install Microsoft Certificate Services, follow these instructions:

  1. On the server machine, go to Control Panel > Add or Remove Programs
  2. Select Add / Remove Windows Components
  3. Check Certificate Services and click Next to complete the installation.

    WindowsComponentsCertificateServices.jpg

  4. Select Stand-alone root CA and click Next

    WindowsComponentsCertificateServices2.jpg

  5. Fill out the CA Identifying Information

    WindowsComponentsCertificateServices3.jpg

  6. Complete the installation by accepting the remaining defaults

Section 2: Configure the client to trust the new certificate authority

Windows is preconfigured with a set of trusted certificate authorities. Of course, our new certificate authority isn't in this list. Follow these steps to allow your client machine to trust the new certificate authority.

  1. On the client machine, open a web browser and go to http://<server name>/certsrv. This will bring up a page similar to the following:

    CertificateServicesWeb1.jpg

  2. Click Download a CA certificate, certificate chain, or CRL

    CertificateServicesWeb2.jpg

  3. Click Download CA certificate chain. Save the certnew.p7b file to your file system.
  4. Load the Certificates MMC Snap-In. Note that several steps in this article will require loading this snap-in. The following instructions show how to do this, and they will not be repeated in subsequent sections.

    1. Select Start > Run and type "mmc" to open the Microsoft Management Console
    2. Select File > Add / Remove Snap-in
    3. Click the Add button
    4. Select Certificates and click the Add button
    5. Select Computer Account and click the Next button
    6. Click the Finish button
    7. Click the Close and OK buttons
  5. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates

    ClientCertificates1.jpg

  6. Right-click the Certificates folder and select All Tasks > Import

    CertificateImport1.jpg

  7. Click Next, then click Browse
  8. Select PKCS #7 Certificates from the Files of type drop down list
  9. Browse to the certnew.p7b file that you saved in step 3. Click the Open button

    CertificateImport2.jpg

  10. Click Next, Next, and Finish. You should now see your CA listed as a Trusted Root Certificate Authority.

    CertificateImport3.jpg

Note: If your WCF server is different than your CA server, you will need to repeat Section 2 for the WCF server machine.

Section 3: Create a Client Certificate

This section explains how to create a certificate for our WCF client.

  1. On the client machine, open a web browser and go to http://<server name>/certsrv
  2. Click Request a certificate
  3. Click advanced certificate request
  4. Click Create and submit a request to this CA
  5. Fill out the form as shown in the image below:

    ClientCertificateRequest1.jpg

  6. Click Submit and accept the warning message. You will see a confirmation that your request has been received and is pending.

    ClientCertificateRequest2.jpg

  7. On the server, select Start > Programs > Administrative Tools > Certification Authority
  8. Expand the CA and click Pending Requests. You should see your client certificate request in the list.

    PendingRequest1.jpg

  9. Right-click the request, select All Tasks > Issue to approve the certificate
  10. On the client machine, go back to http://<server name>/certsrv
  11. Click View the status of a pending certificate request

    PendingRequest2.jpg

  12. Click the Client Authentication Certificate link and accept the warning message.

    PendingRequest3.jpg

  13. Click Install this certificate and accept the warning message.

    At this point, the certificate's public and private key are now installed on the client machine. The next step is to install the certificate's public key on the server.

  14. Load the Certificates MMC Snap-In on the client machine. Follow these instructions to load the snap-in.
  15. Expand Certificates (Local Computer) > Personal and click Certificates

    ExportClientCert1.jpg

  16. Right-click the client certificate and select All Tasks > Export
  17. In the Certificate Export Wizard, click Next, Next, Next, select a file name, Next, and Finish
  18. Copy the exported certificate file to the server
  19. Load the Certificates MMC Snap-In on the server machine. Follow these instructions to load the snap-in.
  20. Expand Certificates (Local Computer) > Personal.
  21. Right-click Certificates, select All Tasks > Import
  22. In the Certificate Import Wizard, click Next, select the file that you exported in step 17, click Next, Next, and Finish. The client's public key should now be installed on the server.

    ImportClientCert1.jpg

Section 4: Create a server certificate

Creating a server certificate is very similar to creating a client certificate, so this section doesn't contain as many screenshots as Section 3.

  1. On the server machine, open a web browser and go to http://<server name>/certsrv
  2. Click Request a certificate
  3. Click advanced certificate request
  4. Click Create and submit a request to this CA
  5. Fill out the form as shown in the image below:

    ServerCertificateRequest1.jpg

  6. Click Submit and accept the warning message. You will see a confirmation that your request has been received and is pending.
  7. On the server, select Start > Programs > Administrative Tools > Certification Authority
  8. Expand the CA and click Pending Requests. You should see your client certificate request in the list.
  9. Right-click the request, select All Tasks > Issue to approve the certificate
  10. Go back to http://<server name>/certsrv
  11. Click View the status of a pending certificate request
  12. Click the Server Authentication Certificate link and accept the warning message.
  13. Click Install this certificate and accept the warning message.
  14. Now, if you try to load your service in a browser, you would likely get an error similar to the following:

    System.Security.Cryptography.CryptographicException: Keyset does not exist
    ArgumentException: The certificate 'CN=My Server Machine' must have a private key that is capable of key exchange. The process must have access rights for the private key.

    To fix this problem, we need to give the ASPNET or NETWORK SERVICE account permission to read the certificate. This can be achieved with the following tool:

    Windows HTTP Services Certificate Configuration Tool

    Once this tool is downloaded, execute one of the following commands (depending on your server configuration). 
    C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -g -c
     LOCAL_MACHINE\My -s "My Server Machine" -a ASPNET
C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -g -c
     LOCAL_MACHINE\My -s "My Server Machine" -a "NETWORK SERVICE"

    At this point, the certificate's public and private key are now installed on the server machine. The next step is to install the certificate's public key on the client.

  15. Load the Certificates MMC Snap-In on the server machine. Follow these instructions to load the snap-in.
  16. Expand Certificates (Local Computer) > Personal and click Certificates

    ExportServerCert1.jpg

  17. Right-click the server certificate and select All Tasks > Export
  18. In the Certificate Export Wizard, click Next, Next, Next, select a file name, Next, and Finish
  19. Copy the exported certificate file to the client
  20. Load the Certificates MMC Snap-In on the client machine. Follow these instructions to load the snap-in.
  21. Expand Certificates (Local Computer) > Personal.
  22. Right-click Certificates, select All Tasks > Import
  23. In the Certificate Import Wizard, click Next, select the file that you exported in step 17, click Next, Next, and Finish. The server's public key should now be installed on the client.

    ImportServerCert1.jpg

Section 5: Certificate Review

We have now accomplished the following:

  • Created a Certificate Authority on the server machine
  • Trusted the Certificate Authority on the clinet machine
  • Created a client certificate on the client machine
  • Installed the client certificate's public key on the server machine
  • Created a server certificate on the server machine
  • Installed the server certificate's public key on the client machine

Section 6: WCF Service Configuration Changes

The following is the WCF service's web.config file:

ServerConfig.jpg

  1. Message security via certificates has been enabled on the custom binding.
  2. The client certificate requirements have been defined on the custom behavior. The ChainTrust value specifies that the certificate chain must be validated. The revocationMode is set to NoCheck. It is recommended that this value be set to Online in a production environment so that revoked certificates are not allowed. This requires that you have a properly configured revocation server. This is outside of the scope of this article, but the following page will point you in the right direction:

    Specify certificate revocation list distribution points in issued certificates

  3. The Location of the server certificate has been specified on the custom behavior. Note that you may want to use a more specific search method than FindBySubjectName since you may have multiple certificates with the same subject. FindByThumbprint should be sufficient for locating a unique certificate.

Section 7: WCF Client Configuration Changes

The following is the WCF client's app.config file:

ClientConfig.jpg

  1. The client is communicating with a server called myserver, but the server is identifying itself as My Server Machine (as defined in the certificate). As a workaround, we have set the dns value to My Server Machine. This is not necessary if the certificate matches the host name.
  2. The Location of the client certificate has been specified on the custom behavior.
  3. The server certificate authentication options have been defined on the custom behavior.
  4. Message security via certificates has been enabled on the custom binding.

Your client should now be able to securely communicate with the service.

Conclusion

As you can see, using WCF with certificates can be a tedious process, but there are certain scenarios that warrant this level of security. I hope this article helps you avoid some of the common pitfalls associated with this security solution.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

 Jason Hodges
Software Developer Auctane LLC
United States United States
Member
Jason Hodges develops applications for eBay sellers that help improve their productivity. Jason has been developing Microsoft solutions since 1996 and has consulted with such organizations as Hewlett-Packard, Dell, eBay, and the State of Texas. He is a Microsoft Certified Solution Developer.

Article Top
 
Sign Up to vote   Poor Excellent
Add a reason or comment to your vote: x
Votes of 3 or less require a comment

Comments and Discussions

 
You must Sign In to use this message board.
Search this forum  
    Spacing  Noise  Layout  Per page   
FirstPrevNext
GeneralThanks or this great tutorial.memberultraman6919 Mar '10 - 3:46 
Thanks a lot, you just save a great amount of searching time over the web. Great stuff, well documented. Good work !Thumbs Up | :thumbsup:
War does not make one great.
---------
Master Yoda
Sign In·View Thread·Permalink
QuestionWCF Certificate in windows server 2008memberrajeshkumar33316 Feb '10 - 18:47 
HI,
Please help me out for creating Certificate concept in 2008 server...
Same steps mentioned in the current article
 
Thanks In Advance,
 
Regards,
Rajesh.
Sign In·View Thread·Permalink
GeneralGreat Article!memberSandeep Aparajit27 May '09 - 4:17 
Thanks for such a detailed article on securing WCF services!
 
Sandeep Aparajit
Mark usefull posts as Helpful/Answers.
Home | Technical articles on C#, ASP.NET, Architecture and Security | Photography
Sign In·View Thread·Permalink
GeneralThanks for wonderful articlememberS.Karthik19 May '09 - 22:34 
Hi,
 
Thanks for your time. It really helped me to understand and configure X509 certificate for my WCF service.
 
Regards
Karthik
Sign In·View Thread·Permalink
GeneralGreat manual!memberdeffenberger29 Mar '09 - 3:26 
The best manual I found on the web.
I had no idea how to make it run with certificates, always something went wrong.
You saved me much time!
Thank you!
Sign In·View Thread·Permalink
GeneralThe configuration not working. Please help !memberAmvir18 Mar '09 - 5:41 
Hi Jason,
 
I have read through and followed every step mentioned in the Article. Unfortunately the configuration is not working for me and not sure what I have missed. I have come to a stage where I have tried all possible ways to make it work. Please find the stack trace of the error thrown,
 

////////// ////////// BEGIN OF STACK TRACE //////////////////////////
 
Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint.
Server stack trace: at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout) at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout) at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout) at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout) at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.SecurityProtocol.Open(TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout) at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade) at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at notificationDeliveryPortType.notificationDelivery(notificationDeliveryRequset request) at notificationDeliveryPortTypeClient.notificationDelivery(notificationDeliveryRequset request) at Siemens.DMIPortal.ClientService.NotificationDeliveryService.CreateNotification() at UserControls_SecuredCommunicationWP.Page_Load(Object sender, EventArgs e)
 
////////// ////////// END OF STACK TRACE //////////////////////////
 
Please find my Client configuration below,
 
////////// ////////// BEGIN OF Client CONFIGURATION //////////////////////////
 

<!-- Below commented code is used to enable WCF logging -->





 
<!-- The below entries are added for secure communication-->




establishSecurityContext="true"/>


<!-- End of secure communication entries -->


<!-- The below entries are added for secure communication-->













<!-- End of secure communication entries -->


<!-- The below entry is used for securing communication-->

bindingConfiguration="notificationDeliveryBinding"
contract="notificationDeliveryPortType" name="notificationDeliveryPortType"
behaviorConfiguration="notificationDeliveryBehaviour">



<!-- End of Secure Communication entry-->



 
////////// ////////// END OF CLIENT CONFIGURATION //////////////////////////
 
Please find the Service Configuration
 
////////// ////////// BEGIN OF SERVICE CONFIGURATION //////////////////////////














name="Siemens.DMIPortal.notificationDeliveryHost.NotifyDeliveryHost">





name="Siemens.DMIPortal.NotificationDelivery.notificationDeliveryPortTypeClient">









<!-- The below entries are used to secure communication -->






storeName="My" />










////////// ////////// END OF SERVICE CONFIGURATION //////////////////////////
 


Kindly please guide me through resolving this issue. Any information needed please do let me know.
 
Cheers!
Amit.
Sign In·View Thread·Permalink
GeneralthanksmemberSimpson-zhang14 Jan '09 - 14:48 
it is what i need
Sign In·View Thread·Permalink
QuestionWhat if you are using an Enterprise CA and not 'Stand Alone'?????memberJohn535 Jan '09 - 9:35 
I already have one on my Domain Controller, but the screens are all different!
Sign In·View Thread·Permalink
QuestionThe request for security token has invalid or malformed elements.memberaleqkatien7 Dec '08 - 12:00 
Hope you can help me with this. I am fairly new to WCF and created a WCF service and a client, both working fine when on the same server and same website (win2003/iis6). Now I wanted to host WCF services on a separate machine. I created a test environment with two Win2003/IIS6 servers. One hosts WCF services, another one hosts the website that consumes those services. I set up x509 certificates as per this article
 
I ran into a bunch of errors which I resolved and now I am stuck on this error for few days already:
 
The request for security token has invalid or malformed elements.
 
Here's the client code:
 
            WCFCategories.CategoriesClient client = new WCFCategories.CategoriesClient();
            Textbox1.Text = client.GetCategoriesInXML(611);
 

Here are my service / client web.config files:
 
SERVICE
--------------------
<system.serviceModel>
 

      <services>
         <service behaviorConfiguration="customBehavior" name="Categories">
            <endpoint
               address="http://s.foo.com:8228/Services/Categories.svc"
               binding="wsHttpBinding"
               contract="ICategories"/>
            <endpoint
               address="mex"
               binding="mexHttpBinding"
               contract="IMetadataExchange"/>
         </service>
      </services>
 
      <bindings>
         <wsHttpBinding>
            <binding name="customWsHttpBinding">
               <security mode="Message">
                  <message clientCredentialType="Certificate"/>
               </security>
            </binding>
         </wsHttpBinding>
      </bindings>  
  
      <behaviors>
                  <serviceBehaviors>
                        <behavior name="customBehavior">
                              <serviceMetadata httpGetEnabled="true"/>
               <serviceDebug includeExceptionDetailInFaults="true"/>
                              <serviceCredentials>
                                    <clientCertificate>
                                          <authentication
                        certificateValidationMode="ChainTrust"
                        revocationMode="NoCheck"/>
                                    </clientCertificate>
                                    <serviceCertificate
                     findValue="My Server Machine"
                     x509FindType="FindBySubjectName"
                     storeLocation="LocalMachine"
                     storeName="My"/>
                              </serviceCredentials>
                        </behavior>
                  </serviceBehaviors>
            </behaviors>
 

      </system.serviceModel>
 
CLIENT
----------------------------
   <system.serviceModel>

      <client>
         <endpoint
            address="http://s.foo.com:8228/Services/Categories.svc"
            behaviorConfiguration="customBehavior"
            binding="wsHttpBinding"
            bindingConfiguration="customWsHttpBinding"
            contract="WCFCategories.ICategories"
            name="WSHttpBinding_ICategories">
            <identity>
               <dns value="My Server Machine"/>
            </identity>
         </endpoint>
      </client>
  
      <behaviors>
         <endpointBehaviors>
            <behavior name="customBehavior">
               <clientCredentials>
                  <clientCertificate
                     x509FindType="FindBySubjectName"
                     findValue="My Client Machine"
                     storeLocation="LocalMachine"
                     storeName="My"/>
                  <serviceCertificate>
                     <authentication
                        certificateValidationMode="ChainTrust"
                        revocationMode="NoCheck"/>
                  </serviceCertificate>
               </clientCredentials>
            </behavior>
         </endpointBehaviors>
      </behaviors>
  
      <bindings>
         <wsHttpBinding>
            <binding name="customWsHttpBinding">
               <security mode="Message">
                  <message clientCredentialType="Certificate"/>
               </security>
            </binding>
         </wsHttpBinding>
      </bindings>  
   </system.serviceModel>
Sign In·View Thread·Permalink
AnswerRe: The request for security token has invalid or malformed elements.memberjreddy10 Dec '08 - 6:31 
make sure the dns value, match the actual server name
 

may be it works.
Sign In·View Thread·Permalink
Last Visit: 31 Dec '99 - 18:00     Last Update: 23 May '13 - 18:38Refresh« Prev1234 Next »

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

About Article
An article that describes how to secure WCF services using X.509 certificates issued from a certificate authority.
Type Article
Licence CPOL
First Posted 30 Jul 2008
Views 135,691
Downloads 1,190
Bookmarked 183 times

, +
Top News

The Next Version of Android - Some of What's Coming

Get the Insider News free each morning.
Related Videos
Creating an XSLT Stylesheet
XSLT Elements
WCF FAQ: Part 3 – 10 security related FAQ
Seven simple steps to enable HTTPS on WCF WsHttp bindings
An easy way to use certificates for WCF security
Simple WCF - X509 Certificate
Use Mutual SSL Authentication in WCF
6 Steps to Implement DUAL Security on WCF using User name + SSL
Creating a WCF Service with MSMQ Communication and Certificate Security
WCF Service with custom username password authentication
SSL with Self-hosted WCF Service
Nine simple steps to enable X.509 certificates on WCF
WCF self hosted service over HTTPS
Difference between BasicHttpBinding and WsHttpBinding
WCF ClearUsernameBinding: Send username without SSL or x.509 certificates
Simple WCF - Cardspace
Using a Smart Card Certificate with .NET Security in C#
Common Problems while Consuming Web Services over SSL in .NET
What's the Difference between WCF and Web Services?
.NET 4.0 RESTful Web Service Introduction
WCF Service over HTTPS with custom username and password validator in IIS
Basics of Signing and Verifying code
Permalink | Advertise | Privacy | Mobile
Web03 | 2.6.130523.1 | Last Updated 30 Jul 2008
Article Copyright 2008 by Jason Hodges
Everything else Copyright © CodeProject, 1999-2013
Terms of Use
Layout: fixed | fluid