Click here to Skip to main content
Click here to Skip to main content
Go to top

Nine simple steps to enable X.509 certificates on WCF

, 29 Aug 2012
Rate this:
Please Sign up or sign in to vote.
Nine simple steps to enable X.509 certificates on WCF.

Table of contents

Introduction and goal

In this article, we will discuss how we can enable certificates on a WCF service. WCF has two modes by which it transfers data: transport and message. This tutorial will concentrate on how we can enable certificates on the message mode of data transfer.

Nowadays I am distributing my 400 questions and answers ebook which covers major .NET related topics like WCF, WPF, WWF, AJAX, Core .NET, SQL Server, architecture, and a lot more. I am sure you will enjoy this ebook: http://www.questpond.com/SampleDotNetInterviewQuestionBook.zip. I have also been recording videos on .NET technologies, you can catch all the action here.

Beginner WCF FAQs

In case you are fresh to WCF, please refer the below two WCF FAQ articles:

  • WCF FAQ Part 1: This is a 20 question FAQ for beginners which explains the basic concepts of WCF like End Points, contracts, and bindings. It also discusses the various hosting methodologies of WCF services. The article finally talks about bindings and one way operations in WCF.
  • WCF FAQ Part 2: This FAQ covers 10 questions which talks about concepts like duplex contracts, hosting WCF on different protocols, MSMQ bindings, transaction isolation levels, and two way communication. The article also talks about two queues: volatile and dead letter queue.

Step 1: Create client and server certificates

Create two certificates, one for the server and the other for the client, using makecert.exe. You can get makecert.exe from the “C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin” folder. You can go to the DOS prompt and run the below command snippet:

makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfServer -sky exchange -pe
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfClient -sky exchange -pe

Below is a detailed explanation of the various attributes specified in makecert.exe.

Attribute Explanation

-sr

Specifies the Registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:

  • currentUser: Specifies the registry location HKEY_CURRENT_USER.
  • localMachine: Specifies the registry location HKEY_LOCAL_MACHINE.

-ss

Specifies the name of the certificate store where the generated certificate is saved.

-a

Specifies the algorithm. Can be either MD5 or SHA1.

-n

Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format. If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium".

-sky

Specifies the key type. Can be either exchange or signature.

-pe

This makes the key exportable.

Note: Makecert.exe is a free tool provided by Microsoft which helps to create X.509 certificates that are signed by a system test root key or by another specified key. This is a test certificate and not a real one and should not be used for production purposes. For production, buy proper certificates from Thawte, Verisign, GeoTrust, etc.

Currently, we have specified that we want to create the client key with the WcfClient name and server key with WCFServer. The certificates should be created for the current user and should be exportable.

Once you run the command, you should see the Succeeded message as shown in the below figure. The below figure shows keys created for both the server and client.

Step 2: Copy the certificates in trusted people certificates

Go to Start -> Run and type MMC and press Enter. You will be popped with the MMC console. Click on File -> Add/remove snap-in. You will be popped up with an Add/Remove snap-in, click on the Add button, select Certificates, and select ‘My user account’.

You can see the certificates created for the client and server in the personal certificates folder. We need to copy those certificates in the Trusted people -> Certificates folder.

Step 3: Specify the certification path and mode in the WCF service web.config file

Now that we have created both the certificates, we need to refer these certificates in our WCF project. We have created two projects: one that has the WCF service and the other a web application which will consume the WCF service.

Let’s open the web.config file of the WCF service and enter two important things:

  • Where the certificate is stored, location, and how the WCF application should find it. This is defined using the serviceCertificate tag as shown in the below snippet.
  • certificationvalidationmode defines how the client certificates will be authenticated.
Certification validation mode Description

Chain trust

In this situation, the client certificate is validated against the root certificate.

Peer trust

PeerTrust ensures that the public key portion of the certificate is in the Trusted People certificate folder on the client's computer

ChainORPeertrust

This is just an OR condition for both chain and peer.

The above two points are clubbed together and entered in the web.config file of the WCF service.

<serviceCredentials>
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust"/>
  </clientCertificate>
  <serviceCertificate findValue="WCfServer"
    storeLocation="CurrentUser"
    storeName="My"
    x509FindType="FindBySubjectName" />
</serviceCredentials>

Step 4: Define bindings

Now that we have defined our certificates and authentication type, we need to define that the authentication values will be sent through a message using certificates. You can see we have defined the WsHttpBinding with a message attribute specifying that the WCF client needs to send a certificate for validation.

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Step 5: Tie up the bindings with the endpoint

Once done, we need to tie up this binding with the end point. This is done by using the bindingConfiguration tag as shown in the below code snippet.

<endpoint address="" binding="wsHttpBinding" 
   bindingConfiguration="wsHttpEndpointBinding" contract="WCFServiceCertificate.IService1">

Step 6: Make your web application client for consuming the WCF service

That’s all we need from the WCF service perspective. Compile the WCF service and reference it in the ASP.NET web application using ‘Service reference’. Below is the code snippet where we have referenced the service and called the GetData function of the service.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebConsumer.ServiceReference1;
namespace WebConsumer
{
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Service1Client obj = new Service1Client();
        Response.Write(obj.GetData(12));
    }
}
}

Now if you try to run the client, i.e., the web application, as it is, you should get an error as shown below. The error clearly indicates you can not use the WCF service until you provide the client certificate.

Step 7: Define the certificates in the WCF client

Let's start the process of defining certificates in the WCF client. The way we have defined the authentication certification mode and the path of the certificate, the same way we need to define it for the WCF client. You can see we have defined the authentication mode as peertrust and we have specified the client certificate name as WcfClient.

<behaviors>
  <endpointBehaviors>
    <behavior name="CustomBehavior">
      <clientCredentials>
        <clientCertificate findValue="WcfClient" x509FindType="FindBySubjectName" 
          storeLocation="CurrentUser" storeName="My" />
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

Step 8: Tie up the behavior with the end point on the WCF client

We need to tie up the above defined behavior with the end point. You can see we have bound the behavior using the behaviorConfiguration property. We also need to specify that the DNS value will be WcfServer which is your server certificate name.

<client>
  <endpoint address="http://localhost:1387/Service1.svc" binding="wsHttpBinding"
      bindingConfiguration="WSHttpBinding_IService1" contract="ServiceReference1.IService1"
      name="WSHttpBinding_IService1" behaviorConfiguration="CustomBehavior">
    <identity>
      <dns value="WcfServer" />
    </identity>
  </endpoint>
</client>

Step 9: Enjoy your hard work

Once we are done, you can run the ASP.NET web app and you should see the below display.

Download code

You can download both the server and client code from here

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Shivprasad koirala
Architect http://www.questpond.com
India India

I am a Microsoft MVP for ASP/ASP.NET and currently a CEO of a small
E-learning company in India. We are very much active in making training videos ,
writing books and corporate trainings. Do visit my site for 
.NET, C# , design pattern , WCF , Silverlight
, LINQ , ASP.NET , ADO.NET , Sharepoint , UML , SQL Server  training 
and Interview questions and answers


Comments and Discussions

 
QuestionCryptographicException 'Keyset does not exist' Pinmembertrupicha31-Oct-13 10:40 
QuestionSecure Channel WCF Error Message Pinmembersharonde20-Sep-13 5:14 
QuestionExcellent Article [modified] Pinmemberjimshine9-Sep-13 4:06 
GeneralMy vote of 4 PinmemberHimanshu Thawait29-Aug-13 11:02 
Questionissue with certificate PinmemberMatteo Iacopini8-Jul-13 2:03 
GeneralMy Vote of 5 Pinmembervinothkuamr12-Jun-13 22:15 
GeneralMy vote of 5 Pinmembersakthivel_muthu26-May-13 0:11 
QuestionHelp need for caller was not authenticated by the service Pinmemberprabhatdeoria13-May-13 23:23 
QuestionThe caller was not authenticated by the service.. Pinmemberprabhatdeoria13-May-13 22:43 
GeneralRe: The caller was not authenticated by the service.. Pinmemberprabhatdeoria13-May-13 23:02 
AnswerRe: The caller was not authenticated by the service.. PinprofessionalRanjan.D1-Oct-13 10:47 
GeneralMy vote of 5 PinmemberEdo Tzumer20-Jan-13 23:07 
QuestionFor Win 8 - IIS 8 and Win Store Client Pinmemberursri17-Nov-12 2:24 
GeneralMy vote of 5 PinmvpKanasz Robert19-Sep-12 4:51 
GeneralMy vote of 5 PinmemberChristian Amado29-Aug-12 11:03 
GeneralMy vote of 5 PinmemberRahman Masudur29-Aug-12 4:55 
QuestionWrong Link PinmemberTeri Hughes1-Aug-12 6:31 
QuestionAlmost there PinmemberTeri Hughes26-Jun-12 4:57 
Question{"The request for security token could not be satisfied because authentication failed."} Pinmembersukesh.gudikandulla14-Jun-12 19:44 
AnswerRe: {"The request for security token could not be satisfied because authentication failed."} Pinmemberchrisndirangu28-Apr-14 11:17 
QuestionUseful Article PinmemberAlireza_13621-Jun-12 2:12 
QuestionError ! private key access rights PinmemberBlue Clouds24-Nov-11 10:24 
QuestionI can't get it to work on azure Pinmemberschnitty7-Sep-11 1:18 
BugGetting authentication [modified] PinmemberPradeep Babu Yadagani23-Aug-11 18:09 
GeneralOutstanding PinmemberMember 46916429-Jun-11 23:17 
GeneralNot Working in IIS Pinmemberaiwa nou13-Feb-11 18:01 
QuestionForum for article: 9 simple steps to enable X.509 certificates on WCF PinmemberMember 20794887-Jun-10 2:28 
GeneralInstalling certificate on client machine PinmemberMember 426218215-Feb-10 1:48 
GeneralRe: Installing certificate on client machine Pinmemberprabhatdeoria15-May-13 23:58 
GeneralNeed Help PinmemberMilton_win7-Jan-10 18:58 
Generalworking only with vswebserver not on the IIS. PinmemberRamanaKumar.akula26-Oct-09 21:12 
GeneralRe: working only with vswebserver not on the IIS. Pinmemberhanuman05036-Jun-10 18:33 
GeneralRe: working only with vswebserver not on the IIS. PinmemberHimanshu Thawait29-Aug-13 11:16 
GeneralThe caller was not authenticated by the service. Pinmemberamajid02686-Oct-09 16:23 
GeneralRe: The caller was not authenticated by the service. Pinmemberamajid02686-Oct-09 16:35 
GeneralRe: The caller was not authenticated by the service. Pinmemberdnanetwork3-Mar-11 20:11 
GeneralRe: The caller was not authenticated by the service. PinmemberTore Aurstad3-Jun-12 3:35 
GeneralRe: The caller was not authenticated by the service. Pinmemberprabhatdeoria13-May-13 22:45 
GeneralRe: The caller was not authenticated by the service. Pinmemberprabhatdeoria13-May-13 23:03 
QuestionCan't find certificate. Pinmemberlma3j1-Sep-09 11:17 
Generalabout X509 storeName Pinmemberyawn5319-Aug-09 22:32 
GeneralRe: about X509 storeName PinmemberPeter Derwa27-Aug-09 20:05 
GeneralRe: about X509 storeName Pinmemberyawn5330-Aug-09 17:29 
GeneralRe: about X509 storeName PinmemberKrishna Murty M16-Apr-10 11:32 
GeneralRe: about X509 storeName PinmemberJ0Ra7-Nov-10 4:36 
QuestionWorks only when I use the ASP.NET development server PinmemberJeffOstrosser17-Jul-09 9:19 
AnswerRe: Works only when I use the ASP.NET development server PinmemberKrishna Murty M16-Apr-10 11:33 
GeneralRe: Works only when I use the ASP.NET development server PinmemberHabeeballah Hasnoddin27-Oct-11 4:12 
GeneralGreat post, 1 problem PinmemberRuss Morlando27-May-09 0:27 
GeneralRe: Great post, 1 problem PinmemberShivprasad koirala27-May-09 0:45 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web04 | 2.8.140926.1 | Last Updated 29 Aug 2012
Article Copyright 2009 by Shivprasad koirala
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid