#1

WCF Transport Security with Certificates

I am trying to get a simple example working with a server certificate. I am using the calculator example you see scattered all through the WCF documentation. What I need to do is to secure this with a server side certificate over SSL so that the client can verify that they are talking to the correct service; there are no restrictions as to who can access the services. This is a prototype of something real I want to do later.

I understand that the SSL stuff is not done so much by the WCF and that it is done within Windows by using HTTPCFG to associate a cert with a port.

First I created a self signed cert with makecert (and added the private key to it with cert2spc and pvk2pfx), imported that into the trusted root authority and personal sections of the localmachine keystore with mmc. The certificate in the store says that it is ok and has a private key available. So I think this is ok. The MakeCert call was:

```
C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin>MakeCert.Exe -r -n "CN=MyHost" -eku 1.3.6.1.5.5.7.3.1 -sv c:\certs\selfcert.pvk c:\certs\selfcert.cer
Succeeded
```

I then created the calculator app, ran it without transport security switched on and all was ok.

I then altered the app.config file to the following:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <behaviors />
    <bindings>
      <wsHttpBinding>
        <binding name="NewBinding0">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="CalculatorService.Calulator">
        <endpoint address="https://localhost:8082"
                  binding="wsHttpBinding"
                  bindingConfiguration="NewBinding0"
                  contract="CalculatorService.ICalculator" />
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost:8082" />
          </baseAddresses>
        </host>
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

I then ran httpcfg on the port:

```
httpcfg.exe set ssl -i 0.0.0.0:8082 -h 3a320af3e25ee41c53d3b34f50471093a6305925
```

where the hash is the SHA1 thumbprint of the certificate. I ran up the application, which prints out its bindings (I've shown the output below):

```
D:\VSProjects\WCFTester\CalculatorHost\bin\Debug>CalculatorHost.exe
Calulator is running with the following WCF endpoints/listeners...
Endpoints
*********
Endpoint:
  name: WSHttpBinding_ICalculator
  address: https://localhost:8082/
  binding: WSHttpBinding
  contract: ICalculator
Listeners
*********
Listener: https://localhost:8082/
Listener: https://localhost:8082/
The Service is now ready
Press <ENTER> to terminate
```

Everything seems to run ok. I then attempt to connect to the service with IE using the address https://localhost:8082/ and I get a more or less instant failure to connect, which I guess means that some sort of handshake is taking part, but I am unable to see why. There are no events logged in the event log and I can find no other diags in the system. I can supply the certificate file to anyone if they need it. Thanks for any help.
#2

RE: WCF Transport Security with Certificates

Further to my last, it appears it is something to do with the certificate rather than anything else. I happened to have a certificate for VMWare that was also on the same machine. I thought I would try using that one instead of the self generated one.

I altered the Http.sys config with httpcfg to pick up the other cert and tried again. This time I got a response from IE that the cert was invalid as it was not signed by a recognizable authority, not surprising really as this is also a self signed cert. I copied this to the trusted root store and tried again and everything works fine. I examined the cert in detail and the only thing I can see is that the cert is usable for all purposes, not just Service Authentication, and that the issued to value in the cert is the machine name.

This is fine on my machine but the testing server does not have VMWare on it so it won't have a cert there. Any ideas what might be wrong with the cert I generated? Thanks
#3

Re: WCF Transport Security with Certificates

The steps I took to get HTTPS working under IIS are below. I have not tried HTTPS with a self-hosted service.

I created two certificates. The first is my CA root certificate that I use to create the certificate used by IIS for SSL. The CA root certificate goes in Trusted Root CA and the second certificate goes in the 'LocalMachine My' container. The certificate used for SSL needs to have a CN=%machineName% where %machineName% matches the machine name used in your URL. In your case 'localhost'. If you decide to access the service from another machine you will need to create a new certificate with the actual machine name.

1) Create a self signed root authority certificate with a key type of 'exchange' using makecert.exe. Refer to http://msdn2.microsoft.com/en-gb/library/ms733813.aspx "How to: Create Temporary Certificates for Use During Development". Note: the following command line differs from the one given in the "How to:..."

```
makecert -n "CN=%name%" -r -sv %name%.pvk %name%.cer -sky exchange
```

In this example, replace %name% with a name for the certificate authority (ex. MyLocalCA). Makecert will prompt you several times for passwords. Choose something you will remember. The command will output two files (ex. MyLocalCA.pvk and MyLocalCA.cer).

2) Install this certificate into the Trusted Root Certification Authorities store. You can do this via the IE Internet Options Content tab; via the MMC Certificates snap-in; or via the certMgr.exe utility. Instructions for IE and MMC are at http://msdn2.microsoft.com/en-gb/library/ms788967.aspx "How to: View Certificates with the MMC Snap-in". CertMgr.exe can be run with or without any command-line parameters. If no parameters are specified then CertMgr runs in GUI mode; otherwise, certMgr will run as a console application. The command line to add to the trusted root store is:

```
certmgr -add %name%.cer -s -r localmachine root
```

3) Generate the certificate to use with IIS for SSL.

The certificate used by IIS to allow HTTPS connections is generated using the root authority certificate generated in step 1. In the same directory that the .pvk and .cer files were created, run makeCert with the following command-line parameters:

```
makecert -sky exchange -sk %machine% -iv %name%.pvk -n "CN=%machine%" -ic %name%.cer %machine%.cer -sr localmachine -ss My
```

%name% should be the name used in step 1. %machine% should be the machine name used in the URL. The command will add the certificate to the local machine 'My' certificate store. You can verify that this was successful by viewing the certificate from MMC. The 'My' store corresponds to the 'Personal\Certificates' folder in MMC. MakeCert will also generate a certificate file %machine%.cer.

4) Install the certificate in IIS.

The certificate generated in step 3 needs to be installed in IIS via the IIS management console. Open the console and select the destination web site (XP only allows 1 web site; Server 2003 can have multiple). Open the properties window and select the Directory Security tab. Select the 'Server Certificates' button. Click 'Next' on the wizard dialog and select 'Assign an existing certificate'. The next wizard page should show the certificate created in step 3. Select the certificate and finish the wizard.

"Terry Bailey" <brynn@nospam.nospam> wrote in message news:FC9C79C3-24E2-40AD-883A-04EFDB18B5EA@microsoft.com...

> Further to my last, it appears it is something to do with the certificate rather than anything else. I happened to have a certificate for VMWare that was also on the same machine. I thought I would try using that one instead of the self generated one.
>
> I altered the Http.sys config with httpcfg to pick up the other cert and tried again. This time I got a response from IE that the cert was invalid as it was not signed by a recognizable authority, not surprising really as this is also a self signed cert. I copied this to the trusted root store and tried again and everything works fine. I examined the cert in detail and the only thing I can see is that the cert is usable for all purposes not just Service Authentication and that the issued to value in the cert is the Machine name.
>
> This is fine on my machine but the testing server does not have VMWare on it so it won't have a cert there. Any ideas what might be wrong with the cert I generated.
> Thanks
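The replies above boil down to a short checklist for the certificate that gets bound to the HTTPS port: a private key of the exchange type, a subject CN that matches the host in the URL, an EKU that permits Server Authentication, and a chain that ends in a root the machine trusts. The following PowerShell script is an added example, not code posted in this thread, that checks a LocalMachine\My certificate against that list before (or after) running httpcfg; the `-Thumbprint` and `-HostName` parameters are assumptions for illustration.

```powershell
# Added example (not from the thread): check a LocalMachine\My certificate against the
# requirements discussed above. -Thumbprint is the SHA-1 hash passed to httpcfg, and
# -HostName is the host part of the service URL (e.g. 'localhost'). Both are assumed names.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [Parameter(Mandatory = $true)][string]$HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU used in the original makecert call
$hash = ($Thumbprint -replace '\s', '').ToUpperInvariant()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) { throw "No certificate with thumbprint $hash in LocalMachine\My" }

$problems = @()

# 1) Http.sys needs the private key, and it must be an exchange key rather than signature-only.
if (-not $cert.HasPrivateKey) {
    $problems += 'certificate has no private key in this store'
} elseif ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
          $cert.PrivateKey.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
    $keyType = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
    $problems += "private key is a '$keyType' key; makecert needs -sky exchange"
}

# 2) The subject CN must equal the host in the URL, otherwise the TLS client rejects the name.
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
if ($cn -ne $HostName) { $problems += "subject CN '$cn' does not match host '$HostName'" }

# 3) EKU: either no EKU extension at all (all purposes, like the VMWare cert that worked)
#    or an extension that lists Server Authentication.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    $problems += 'EKU extension present but does not include Server Authentication'
}

# 4) The chain must build to a trusted root; a self-signed cert must itself sit in Trusted Root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # development certs publish no CRL
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $problems += "chain does not build: $status"
}

if ($problems) { $problems | ForEach-Object { Write-Output "FAIL: $_" }; exit 1 }
Write-Output "OK: $hash looks usable for https://$HostName"
```

Run it from an elevated prompt, since reading private-key container information in LocalMachine\My requires administrative rights.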