.NET Core ChannelFactory - Set a X509Certificate2 as Client Certificate

Question

I need to set a client certificate (as instance, not from windows certificate store) to my wcf channel, but I always get the Exception:

System.InvalidOperationException: "Object is read-only."

This is strange, because the these properties have a setter but if I assigned a X509Certificate2 is crashes.

Stacktrace

System.InvalidOperationException
  HResult=0x80131509
  Nachricht = Object is read-only.
  Quelle = System.Private.ServiceModel
  Stapelüberwachung:
   at System.ServiceModel.Security.X509CertificateRecipientClientCredential.ThrowIfImmutable()
   at System.ServiceModel.Security.X509CertificateRecipientClientCredential.set_DefaultCertificate(X509Certificate2 value)

Code

var binding = new BasicHttpsBinding();
var endpoint = new EndpointAddress(new Uri("https://myservice.com"));
var channelFactory = new ChannelFactory<MyService>(binding, endpoint);
var serviceClient = channelFactory.CreateChannel();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

var token = GetToken(); // Just an method that reads a pfx from disk
channelFactory.Credentials.
    ServiceCertificate.DefaultCertificate = token.Certificate; // throws exception
channelFactory.Credentials.
    ClientCertificate.Certificate = token.Certificate; // throws exception too

Update 1

The method SetCertificate throws the same System.InvalidOperationException: "Object is read-only." exception.

using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser)) 
{
    store.Open(OpenFlags.ReadWrite);
    var x509Certificate2Collection = store.Certificates.Find(X509FindType.FindByThumbprint, token.Certificate.Thumbprint, false);
    if(x509Certificate2Collection.Count == 0)
        store.Add(token.Certificate);
}

channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My,X509FindType.FindByThumbprint, token.Certificate.Thumbprint);

Update 2

The implementation of X509CertificateRecipientClientCredential.cs is interesting.

public X509Certificate2 DefaultCertificate
{
    get
    {
        return _defaultCertificate;
    }
    set
    {
        ThrowIfImmutable();
        _defaultCertificate = value;
    }
}

internal void MakeReadOnly()
{
    _isReadOnly = true;
    this.Authentication.MakeReadOnly();
    if (_sslCertificateAuthentication != null)
    {
        _sslCertificateAuthentication.MakeReadOnly();
    }
}

private void ThrowIfImmutable()
{
    if (_isReadOnly)
    {
        throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new InvalidOperationException(SR.Format(SR.ObjectIsReadOnly)));
    }
}

Something is calling internal void MakeReadOnly() and make so my life harder.

Answer 1

While reading the ClientCredentials.cs on github, I found the method MakeReadOnly().

The call of channelFactory.CreateChannel() makes the ClientCertificate instance read-only, so after change the order of the statements it works!

Working ClientCertificate Authentication with WCF:

var binding = new BasicHttpsBinding();
var endpoint = new EndpointAddress(new Uri("https://myservice.com"));
var channelFactory = new ChannelFactory<MyService>(binding, endpoint);
// Must set before CreateChannel()
channelFactory.Credentials.
    ClientCertificate.Certificate = token.Certificate;

var serviceClient = channelFactory.CreateChannel();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;