WCF service using wildcard cert giving a DNS identity error

I have a WCF web service that is set up to use message-based security. The service is using a wildcard certificate for securing the message: *.domain.com

After renewing the SSL cert, the service now throws the following error:

"Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was '*.domain.com' but the remote endpoint provided DNS claim 'domain.com'. ..."

How do I fix this so the service still responds with *.domain.com as the DNS claim?

Unfortunately updating the client configs is not really an option to use the new DNS claim via the DNS identity property.

Thanks, Mark

Mark Boltuc asked Mar 15 '11 17:03


2 Answers

This is a bug in WCF. Visit the Connect site and upvote it if it's a blocking issue. http://connect.microsoft.com/wcf/feedback/details/683178/wcf-x509-certificate-validation-only-checks-last-dnsname-in-subject-alternative-name

Srinivasan R answered Nov 01 '22 13:11


Turns out the issue was with the SANs list on the wildcard cert. The order in which the domains were listed was:

*.domain.com
domain.com

WCF was basically always resolving to the last item in the SANs list. I did stumble across a few articles where Office Communicator had a similar issue. I'm not sure if this is a WCF bug or not.

My solution was to ask the Certificate Authority to generate a wildcard cert for me without the SANs attribute.

Mark Boltuc answered Nov 01 '22 14:11
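The following is an added example, not code from the question, either answer, or WCF itself. It models the identity check the error message describes (the expected DNS identity string compared literally against the DNS claim taken from the certificate) and reproduces the "last dNSName wins" behaviour the accepted answer reports, so a renewed certificate can be checked before it is installed. The SAN list is constructed to mirror the answer; the fallback to the subject CN when no SAN extension is present is an assumption that explains why a SAN-free wildcard cert resolved the problem.

```python
"""Added example (not from the original question or answers): simulate the
WCF DNS identity check described in the error text and show how the SAN order
reported in the second answer produces the failure.

Assumptions, labelled: the SAN list is constructed to mirror the answer
(wildcard entry first, bare domain last); "the last dNSName is used" is the
behaviour the answer reports, reproduced here as a simulation rather than as
WCF's actual implementation; falling back to the subject CN when no SAN
extension exists is assumed, to model the answer's SAN-free certificate."""
from typing import Dict, List, Optional

# Constructed SAN dNSName list, in the order the answer describes.
SAN_DNS_NAMES: List[str] = ["*.domain.com", "domain.com"]


def dns_claim_as_observed(san_dns_names: List[str], subject_cn: str) -> str:
    """Return the single DNS claim the answer reports WCF deriving from the
    certificate: the last dNSName of the Subject Alternative Name list, or
    (assumed) the subject CN when the certificate has no SAN entries."""
    if san_dns_names:
        return san_dns_names[-1]
    return subject_cn


def _normalise(name: str) -> str:
    return name.lower().rstrip(".")


def identity_check(expected_identity: str, dns_claims: List[str]) -> bool:
    """Literal DNS identity comparison, as the error message implies: the
    expected identity string must equal one of the presented claims
    (case-insensitive, trailing dot ignored). No wildcard expansion is done,
    which is why the expected identity in the error is '*.domain.com' itself."""
    return any(_normalise(expected_identity) == _normalise(c) for c in dns_claims)


def diagnose(expected_identity: str, san_dns_names: List[str],
             subject_cn: str) -> Dict[str, Optional[object]]:
    """Pre-deployment check for a renewed certificate: compare what existing
    clients expect against (a) the single claim the answer reports WCF using
    and (b) the full SAN list, so a mismatch is caught before rollout."""
    observed_claim = dns_claim_as_observed(san_dns_names, subject_cn)
    passes = identity_check(expected_identity, [observed_claim])
    return {
        "expected_identity": expected_identity,
        "claim_wcf_presents": observed_claim,
        "check_passes_as_observed": passes,
        "identity_present_anywhere_in_san": identity_check(expected_identity, san_dns_names),
        "error_text": None if passes else (
            "Identity check failed for outgoing message. The expected DNS "
            f"identity of the remote endpoint was '{expected_identity}' but the "
            f"remote endpoint provided DNS claim '{observed_claim}'."
        ),
    }


if __name__ == "__main__":
    # The renewed certificate from the question: wildcard first, bare domain last.
    for key, value in diagnose("*.domain.com", SAN_DNS_NAMES, "*.domain.com").items():
        print(f"{key}: {value}")
    # The answer's fix: a wildcard cert with no SAN attribute, CN=*.domain.com.
    print(diagnose("*.domain.com", [], "*.domain.com")["check_passes_as_observed"])
```

Run the module directly to see the error text reconstructed from the constructed SAN list, followed by `True` for the SAN-free certificate. The `identity_present_anywhere_in_san` field is the useful signal for a practitioner: when it is `True` while `check_passes_as_observed` is `False`, the expected name is on the certificate but is not the entry the reported behaviour selects, which is exactly the situation the answer describes.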