Bytes | Software Development & Data Engineering Community

Client certificate is invalid

I have a WCF .NET 3.0 self-hosted service and client. Both client and
server are on the same system.

My service opens a secure endpoint and is configured to demand a
client-side certificate:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

Some client certificates are working, but some are not. I've checked
everything I can think of within the certificates - expiration date,
the CAs in trusted root, etc. and they all look fine.

I've turned on every bit of WCF tracing that I can find. The Service
Trace Viewer (on the server) tells me that the "Client certificate is
invalid" but offers no additional information.

How can I figure out the specific reason why the certificate is
invalid?
Oct 3 '08 #1
On Oct 3, 11:41 am, mzarlenga <mzarle...@gmail.com> wrote:
I have a WCF .NET 3.0 self-hosted service and client. Both client and
server are on the same system.

My service opens a secure endpoint and is configured to demand a
client-side certificate:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

Some client certificates are working, but some are not. I've checked
everything I can think of within the certificates - expiration date,
the CAs in trusted root, etc. and they all look fine.

I've turned on every bit of WCF tracing that I can find. The Service
Trace Viewer (on the server) tells me that the "Client certificate is
invalid" but offers no additional information.

How can I figure out the specific reason why the certificate is
invalid?

Perhaps you do not have private keys for some of the client
certificates. Or the private keys are not ACL'd for the user using it.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Oct 5 '08 #2
On Oct 5, 3:03 am, David Wang <w3.4...@gmail.com> wrote:
How can I figure out the specific reason why the certificate is
invalid?
Perhaps you do not have private keys for some of the client
certificates. Or the private keys are not ACL'd for the user using it.
Hi David, thanks for the response. I double checked; all the
certificates have private keys. How do I check if the keys are
"ACL'd"? (I'm using the Certificates snap-in within mmc to view the
certificates)

Here's an interesting twist ... all the certificates show:

This certificate is intended to the following purpose(s)
- Ensures the identity of a remote computer
- Proves your identity to a remote computer

And all of the certificates work as server-side certificates, yet some
do not work as client-side certificates. The ones that do not work
were issued by a Windows Server 2008 Certificate Authority.
Oct 5 '08 #3
TLS is a bit picky about what certificates are permitted to act as a client.

There are two Netscape extensions that tell the receiver what the client
certificate is permitted to do:

SSL Client
SSL Server

Your client certificate must include the SSL Client to be accepted by the
server. Note this is also the case if a server became a client to another
server - both extensions must appear in the certificate.

You can easily create some suitable certificates using something like XCA if
the Windows Server 2008 CA is being a pain. Although I've never used Windows
Server 2008 CA, I bet there are options for setting the X509v3 extensions
(including Netscape). If you find and change these settings, make sure you
include the Subject Key Identifier extension and that you always use RSA!

HTH

Rowland

"mzarlenga" wrote:
On Oct 5, 3:03 am, David Wang <w3.4...@gmail.com> wrote:
How can I figure out the specific reason why the certificate is
invalid?
Perhaps you do not have private keys for some of the client
certificates. Or the private keys are not ACL'd for the user using it.

Hi David, thanks for the response. I double checked; all the
certificates have private keys. How do I check if the keys are
"ACL'd"? (I'm using the Certificates snap-in within mmc to view the
certificates)

Here's an interesting twist ... all the certificates show:

This certificate is intended to the following purpose(s)
- Ensures the identity of a remote computer
- Proves your identity to a remote computer

And all of the certificates work as server-side certificates, yet some
do not work as client-side certificates. The ones that do not work
were issued by a Windows Server 2008 Certificate Authority.
Oct 30 '08 #4
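The two hints in this thread, David's (the private key may be missing, or its key container may not be ACL'd for the account running the service) and Rowland's (the certificate must be marked as usable by a TLS client), can both be checked from code on the server instead of guessing. The following C# console program is an added example and is not code from the thread; it assumes .NET 2.0/3.0 on Windows, assumes the certificates live in the LocalMachine\My store, and derives the RSA key-container file path from the standard MachineKeys and per-user RSA folders, which are the only assumptions in it. For each certificate it lists the Extended Key Usage OIDs, builds the chain with the Client Authentication application policy (1.3.6.1.5.5.7.3.2) so that a NotValidForUsage status shows up explicitly, and then tries to open the private key and print the ACL on its key file, which is where the "not ACL'd for the user" case surfaces as a CryptographicException.

```csharp
// Added diagnostic example, not from the thread. Run it under the same
// account that hosts the WCF service, so the private-key check reflects
// that account's rights. Store location and key-file roots are assumptions.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertDiagnostics
{
    // id-kp-clientAuth: the EKU a TLS client certificate must carry.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";
    // Legacy Netscape Certificate Type extension referred to in the thread.
    const string NetscapeCertTypeOid = "2.16.840.1.113730.1.1";

    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
                Report(cert);
        }
        finally { store.Close(); }
    }

    static void Report(X509Certificate2 cert)
    {
        Console.WriteLine("== {0} (thumbprint {1})", cert.Subject, cert.Thumbprint);

        // 1. Extended Key Usage: is Client Authentication listed at all?
        bool hasEku = false, hasClientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku != null)
            {
                hasEku = true;
                foreach (Oid usage in eku.EnhancedKeyUsages)
                {
                    Console.WriteLine("   EKU: {0} ({1})", usage.FriendlyName, usage.Value);
                    if (usage.Value == ClientAuthOid) hasClientAuth = true;
                }
            }
            else if (ext.Oid.Value == NetscapeCertTypeOid)
                Console.WriteLine("   Netscape Cert Type present: {0}", ext.Format(false));
        }
        // No EKU extension means "any purpose"; an EKU list without clientAuth
        // is the case that a server demanding a client certificate rejects.
        Console.WriteLine("   Client Authentication EKU: {0}",
            !hasEku ? "absent (any purpose)" : (hasClientAuth ? "yes" : "NO"));

        // 2. Chain build with the clientAuth application policy, which is the
        //    question the transport layer asks. ChainStatus names the failure.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline diagnostic
        Console.WriteLine("   Chain valid for clientAuth: {0}", chain.Build(cert));
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("   - {0}: {1}", status.Status, status.StatusInformation.Trim());

        // 3. Private key: present, openable by this account, and its file ACL.
        Console.WriteLine("   Has private key: {0}", cert.HasPrivateKey);
        if (!cert.HasPrivateKey) return;
        try
        {
            // Touching PrivateKey throws CryptographicException when the key
            // container exists but this account has no access to it.
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) { Console.WriteLine("   Key is not an RSA CSP key"); return; }
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            // Assumed key-file roots: machine keys under CommonApplicationData,
            // user keys under ApplicationData\Microsoft\Crypto\RSA\<SID>.
            string root = info.MachineKeyStore
                ? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                               @"Microsoft\Crypto\RSA\MachineKeys")
                : Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
                               @"Microsoft\Crypto\RSA\" + WindowsIdentity.GetCurrent().User.Value);
            string keyFile = Path.Combine(root, info.UniqueKeyContainerName);
            Console.WriteLine("   Key file: {0} (exists: {1})", keyFile, File.Exists(keyFile));
            if (!File.Exists(keyFile)) return;
            FileSecurity acl = File.GetAccessControl(keyFile);
            foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
                Console.WriteLine("   ACL {0} {1}: {2}",
                    rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("   Private key not usable by this account: {0}", ex.Message);
        }
    }
}
```

A certificate that works as a server certificate but fails as a client certificate typically shows up here with an EKU list containing only Server Authentication and a chain status of NotValidForUsage; one whose key is not ACL'd for the service account shows HasPrivateKey true but a CryptographicException in step 3, and the printed ACL tells you which account to grant Read on the key file.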


