
Generating WCF proxy against untrusted SSL endpoint



I need to generate a WCF proxy for a service exposed by our client. The service is locked down pretty tightly, so this is proving difficult. Also, I'm new to WCF, so I may be missing something obvious...

The client has only opened up their firewall to our production server - so I can't generate the proxy from Visual Studio on my dev machine. Also, the service is only exposed over HTTPS. And it requires us to authenticate using a client certificate...

I was hoping to run svcutil on the production box to generate the .cs files, and then copy the files locally. But svcutil refuses to run because the client is using a self-signed certificate. It gives me the following error:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.

I tried adding the service's certificate as a trusted root certificate, but that doesn't work. In the certificates MMC snap-in, I get "Windows does not have enough information to verify the certificate".

Is there some way to bypass the security check that svcutil is performing?

I can browse to the WSDL successfully from IE, when I'm remoted in to the production server. I just have to click "continue to this website (not recommended)". I also have to select the installed client cert, which works fine. I can then download the WSDL and XSD files manually through IE. So another alternative might be to generate the WCF proxy from local copies of the WSDL and XSD, instead of running svcutil against the live service. But I don't know how to do that properly.

I tried putting the static WSDL and XSD files up on another website that we host, and changing the <xs:import schemaLocation="..."/> attributes to point to the new site. But when I ran svcutil against this site, I got a bunch of errors about duplicate type declarations - e.g.:

Error: There was a validation error on a schema generated during export: Source: Line: 1 Column: 1415 Validation Error: The complexType 'http://[domain-name]/Promotions/2009-02-17:InsertReferralPromo_Response' has already been declared.


Am I missing some obvious way to do this? Or should we just demand that the client loosen up their security? :)

Thanks for any help you can give me...
Richard

Richard Beier asked Apr 01 '09 01:04


1 Answer

Your problem doesn't seem to have anything to do with security. There seems to be a problem with the WSDL and schemas that you downloaded.

One suggestion would be to put all the files in a directory on disk instead of on a web site. If necessary, remove the schemaLocation attributes.

However, it doesn't seem like that would help. You might try validating these files with XMLSpy.

John Saunders answered Oct 26 '22 23:10
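
Added example, not part of either post: a small Python check for the local-files route suggested in the answer. It lists every top-level schema declaration that appears more than once across the downloaded WSDL and XSD files, which is the condition the svcutil validation error reports. The file names and the `example.invalid` namespace are constructed sample input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

XS = "{http://www.w3.org/2001/XMLSchema}"
KINDS = ("complexType", "simpleType", "element")

def declared_names(docs):
    """Map (kind, targetNamespace, name) -> [source, ...] for every top-level
    schema declaration, including schemas inlined in a WSDL <types> section."""
    seen = defaultdict(list)
    for source, text in docs.items():
        root = ET.fromstring(text)
        # iter() also yields the root, so a standalone .xsd is covered too.
        for schema in root.iter(XS + "schema"):
            ns = schema.get("targetNamespace", "")
            for child in schema:
                kind = child.tag.replace(XS, "")
                if kind in KINDS and child.get("name"):
                    seen[(kind, ns, child.get("name"))].append(source)
    return seen

def duplicates(docs):
    """Return only the declarations that appear more than once."""
    return {k: v for k, v in declared_names(docs).items() if len(v) > 1}

# Constructed sample input: the same type declared inline in the WSDL and
# again in a separately downloaded XSD. Namespace is a placeholder.
NS = "http://example.invalid/Promotions"
SAMPLE = {
    "service.wsdl": f"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
  <types>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="{NS}">
      <xs:complexType name="InsertReferralPromo_Response"/>
    </xs:schema>
  </types>
</definitions>""",
    "promotions.xsd": f"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="{NS}">
  <xs:complexType name="InsertReferralPromo_Response"/>
  <xs:element name="InsertReferralPromo" type="xs:string"/>
</xs:schema>""",
}

if __name__ == "__main__":
    for (kind, ns, name), sources in sorted(duplicates(SAMPLE).items()):
        print(f"{kind} {{{ns}}}{name} declared in: {', '.join(sources)}")
```

To check real downloads, build `docs` from the files on disk as a name-to-contents mapping (reading each file as bytes works with `ET.fromstring`) and pass it to `duplicates`.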