How do I setup SSL over WCF?

Tags: c#, asp.net, ssl, wcf

The error I'm receiving in production environment:

The remote certificate is invalid according to the validation procedure.
[AuthenticationException: The remote certificate is invalid according to the validation procedure.] System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception) +2755308
System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest) +470

The production environment is using a three tier architecture: Web talks to App and App talks to the database. Web and App use a WCF service layer to communicate over SSL (443). We believe it might be a configuration problem with either the SSL certificate in IIS7 or the WCF configuration.

What we tried: I added the certificate on both App and Web to the Trusted Authority store for both "Local Computer" and "Current User".

I can add my WCF Web Config if need be.

I tried the following recommendations:

https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename(v=vs.110).aspx

https://msdn.microsoft.com/en-us/library/ms734695.aspx

"The remote certificate is invalid according to the validation procedure." using Gmail SMTP server

How do I know what the storeName of a certificate?

https://msdn.microsoft.com/en-us/library/ms733813(v=vs.110).aspx

https://msdn.microsoft.com/en-us/library/hh556232%28v=vs.110%29.aspx

Self-Hosted WCF Service with Mutual SSL (between Service and Client) fails with 403 Forbidden

Vyache asked Nov 09 '22 19:11

1 Answer

This answer is for Client certificates where you are sending a Certificate with your payload to an HTTPS end point.

You'll want to make sure that you trust the certificate, that you trust the certificate authority that created it, and that you have that CA's certificate in your trusted store.

Are you able to go to a simple webpage on your system (not a WCF service) where you need to provide the certificate? i.e. https://mysite/test.aspx. This will allow you to test certificates outside of WCF and let you separate WCF issues from IIS issues.

1) Make sure you've set up certificate mapping in IIS:

http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication

http://blogs.msdn.com/b/asiatech/archive/2014/02/13/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7.aspx

Short tl;dr; for what we do:

  • Add your client cert to your cert store (private key)
  • Add a user to the local users
  • go to IIS and map the certificate to the user you create
  • run winhttpcfg.exe to give your App Pool's user access to that certificate

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384088%28v=vs.85%29.aspx

2) Make sure your web.config is set up properly (sample from ours that allows the endpoint to be hit via HTTP and HTTPS):

<bindings>
  <basicHttpBinding>
    <!-- Secure Bindings -->
    <binding name="secureHttpBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>

    <binding name="httpBinding">
      <security mode="None" />
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehaviour">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
      <!-- includeExceptionDetailInFaults="true" returns stack traces to callers; useful while diagnosing, not for production -->
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <!-- Person Revised Service -->
  <service name="Services.PRPA_AR101202" behaviorConfiguration="ServiceBehaviour">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="Services.IPRPA_AR101202" />
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="httpBinding" contract="Services.IPRPA_AR101202" />
  </service>
</services>

Again, this answer is for client certificates with messages; if it's just regular HTTP you can ignore it.

Ryan Ternier answered Nov 15 '22 06:11
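As an added diagnostic example (not code from the question or the answer above), the following C# console program exercises the same TLS handshake outside WCF, as the answer suggests, and prints exactly why the remote certificate failed validation instead of disabling the check; the host name and thumbprint are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
static class TlsProbe
{
    // Reports why the server certificate failed, then returns the verdict the framework would reach anyway.
    // Returning true unconditionally would silently disable server authentication: the wrong fix for this error.
    static bool LogAndValidate(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Server certificate: {0}", cert == null ? "(none)" : cert.Subject);
        Console.WriteLine("Policy errors: {0}", errors); // e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        if (chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                // UntrustedRoot: CA missing from the calling account's trusted store; PartialChain: intermediate missing
                Console.WriteLine("  chain: {0} - {1}", s.Status, s.StatusInformation.Trim());
        return errors == SslPolicyErrors.None;
    }
    static X509Certificate2 FindClientCert(string thumbprint)
    {
        // The private key must be readable by the identity running this (the App Pool user under IIS).
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0) throw new InvalidOperationException("client cert not in LocalMachine\\My");
            if (!hits[0].HasPrivateKey) throw new InvalidOperationException("client cert has no private key");
            return hits[0];
        }
    }
    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;
        var request = (HttpWebRequest)WebRequest.Create("https://app.example.internal/test.aspx"); // placeholder URL
        request.ClientCertificates.Add(FindClientCert("<CLIENT-CERT-THUMBPRINT>"));            // placeholder
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("HTTP {0}: handshake and IIS client-cert mapping both succeeded", (int)response.StatusCode);
        }
        catch (WebException ex)
        {
            // An AuthenticationException here means TLS validation (see the log above); a plain 403 after a
            // clean handshake points at IIS certificate mapping instead.
            Console.WriteLine("Request failed: {0}", ex.Message);
        }
    }
}
```

Run it under the same account as the App Pool, since trusted-root and private-key permissions are per account and the "Current User" store of an interactive login is not the one the service sees.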