WCF service self signed certificate invalid on localhost in iis - web-services

This is my first time creating a WCF service. I need to use HTTPS as I will be using MembershipBinding. The steps I have taken up to this point are:
Created a certificate authority using the makecert.exe application - from this I have created a server certificate and a client certificate.
Added the certificate authority to the Trusted Root Certification Authorities within Microsoft Management Console.
Added the client and server certificates to my personal certificates within Microsoft Management Console.
Created a https binding for the service in IIS using the server certificate.
Set the appropriate permissions for the app pool on the server certificate.
Defined the service certificate within the serviceBehaviours node in the web.config.
I am now testing the service using the WCF Test Client but I am getting the message:
Error: Cannot obtain Metadata from https://localhost:444/Service.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error URI: https://localhost:444/Service.svc Metadata contains a reference that cannot be resolved: 'https://localhost:444/Service.svc'. Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost:444'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.HTTP GET Error URI: https://localhost:444/Service.svc There was an error downloading 'https://localhost:444/Service.svc'. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure.
The error suggests that there is an issue trusting the certificate but I have trusted the certificate authority used to create it so I don't know how to resolve it. The service worked fine when I was using http.
Thanks in advance.

As your certificate is self-signed, you need to add a hack to your client call :
using (MyWCFServiceClient client = new MyWCFServiceClient())
{
#if DEBUG
ServicePointManager.ServerCertificateValidationCallback = TrustAllCertificatesCallback;
#endif
client.MyCall();
}
And the definition for TrustAllCertificatesCallback :
internal static bool TrustAllCertificatesCallback(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
{
bool isValid = true;
// TODO logic to check your self-signed certifiacte
return isValid;
}
The TrustAllCertificatesCallback callback should be deactivated on your production environement.

Related

Use SignalR-Client-Cpp with client certificate from windows cert store

I am trying to communicate via SignalR with a server which requires client authentication with a certificate. Hence, i receive the following error when trying to start the connection:
"connection could not be started due to: WinHttpSendRequest: 12044: A certificate is required to complete client authentication".
My program is in cpp, so i use the SignalR-Client-Cpp which is integrate to my project via vcpkg.
My implementation is similar to the example in readme.md, you can use it as a base for a sample code.
My client-certificate is stored in Windows certificate store. How can I establish the connection with this certificate?

SSL Certificate issue while accessing web service in Production

This isssue in an live environment. We communicate with a webservice in our .net application for a purpose. Most of the time the call is successfull but sometimes it fails with the below message.|
Any idea where the problem could be?
The remote certificate is invalid according to the validation procedure.#Level:Error
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.#Level:Error
---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

SSL Exception when WebService endpoint url has https

I am getting the below exception when I invoke a jax ws webservice from my application deployed in WebSphere Application Server 6.1
SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=yyy.com, OU=For Intranet Use Only, OU=Web Hosting, O=xx, L=xx, ST=xx, C=xx" was sent from target host:port "*:9445". The signer may need to be added to local trust store "F://../trust.p12" . The extended error message from the SSL handshake exception is: "No trusted certificate found".
The enpoint url has https.
With the same enpoint url I am able to get a response from SOAP UI(Tool) without any certificate configuration etc..
Could you help me on this ?
I finally was able to fix this small issue.The Server certificate needs to be added to the websphere appserver truststore.This can be done from the admin console of websphere by providing the server domain and port.

Requirements for Successful SSL Communication

I'm using thrift to write a C++ client which will call securely to the server (which is not written by me) written in java (code generated for both server and client using same thrift files). I'm a newbie in SSL communication. For the java server side, I imported the public key certificate of client to the server truststore (server-truststore.jks) to verify the client authenticity. I exported the public certificate from the server side keystore (server.jks) and used it in the client side to authenticate the server key certificate during the SSL handshake. If I list down what I did for the SSL communication:
Server Side (java):
exported the client's public key certificate to the server's truststore
Cleint Side (C++):
Loaded the server's public certificate which was exported from the server's keystore
separately loaded the client's public key and private key (This is because I can't directly use a java key store since the client is written in c++)
All the certificates used are self signed.
So far I have been unsuccessful and got the following error continuously:
SSL_connect: certificate verify failed
I have two questions:
Is the approach I used for SSL communication correct? If not, what is the correct one?
Any possible reasons for this error?
Thank you.
Check if you can verify the key invoking directly: openssl s_client -connect serverIP:Port .
If you can is problem of your code, and for that we will need more details about it.
If not... your are not using the cert. the server is sending you, or something is wrong with the certificate.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

I have a web service which calls make a soap request. While debugging in VS.NET 2008 the soap request is successful. However when I deploy it, I get the following error
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
This must be some sort of security setting I need to change, but I don't know what?
I have tried to deploy the code with:
System.Security.Cryptography.X509Certificates.X509Certificate cert = null;
cert = new System.Security.Cryptography.X509Certificates.X509Certificate();
cert.Import("c:\customerCertFile.cer");
objRequest.ClientCertificates.Add(cert);
//WebProxy iBproxy = new WebProxy("196.2.124.252",true);
WebProxy iBproxy = new WebProxy("192.1.1.1", true);
iBproxy.Credentials = new NetworkCredential("username", "password");
objRequest.Proxy = iBproxy;
No luck.
Thanks in advance!
If you are attempting to use SSL with your local IIS server you'll need to configure it with a self signed certificate using makecert or a similar tool.