One of the developers in my company faced a problem in consuming a 3rd party web service from her ASP.net web application. The web service is hosted in a secure channel. The vendor provided a self-signed SSL certificate. I would like to share how to configure our WCF client to connect to the 3rd party web service via HTTPS with the provided self-signed SSL certificate.
First, we need to import the provided cert into the local machine.
Then, go to your Visual Studio, add a web service reference to your project first with the provided WSDL by the vendor. Then, you will be warned that the site's cert is not issued by a company that you have not chosen to trust. This is a normal warning when the vendor does not use a cert which provided by a Certificate Authority.
After adding the service reference, the configuration file will be added with binding configuration automatically.
Ensure the binding security mode is Transport, then client credential type is Certificate.
Then, create a binding behavior that locate your certificate.
There are a few ways to locate your certificate. I chose to find by thumbprint. How to locate the certificate thumb print? Go back to the Management Console and then double click the imported certificate. Go to the details tab, scroll down and locate the thumbprint field.
Copy and paste the thumbprint to your configuration file, and then remove all the spaces.
If you wish to find certificate by issuer name, you can refer to the value in the Issued By in the General tab. And then, set findValue="CN=<issuer name>".
Finally, set the endpoint behavior configuration.
When you do a test run, you may encounter some common errors.
Error 1: Could not establish trust relationship for the SSL/TLS secure channel with authority
Root Cause: Due to self-signed certificate, the client cannot validate the certificate.
Resolution: Disable client SSL certificate authentication with the following endpoint behavior configuration.
Error 2: Cannot FindByThumbprint - Invalid Hexadecimal String Format
Root Cause: Cannot locate the certificate. Either the certificate thumbprint is invalid, or the certificate was imported into different user store.
Resolution: If you run your web application by using Visual Studio Development Server, the hosting service is running under your current login account. You need to import the cert to your current user and set the correct certificate store in your config file. When you deploy your application to IIS, you need to make sure the IIS service account is imported with the correct cert.
First, we need to import the provided cert into the local machine.
- Open Management Console (mmc.exe)
- Click File menu, then click at Add or Remove Snap-ins.
- Select Certificates from the list box then click the Add button.
- Select Computer Account then click Next button.
- Select Local Computer then click Finish button.
- Collapse the Certificates tree view, right click the Personal folder, then select All Tasks, then click at Import...
- Select Local Machine, then click Next button.
- Click the Browse button and locate the certificate which provided by the vendor.
- Place the certificate to the Personal Certificate Store, then click the Next button.
- Finally, click the Finish button.
Then, go to your Visual Studio, add a web service reference to your project first with the provided WSDL by the vendor. Then, you will be warned that the site's cert is not issued by a company that you have not chosen to trust. This is a normal warning when the vendor does not use a cert which provided by a Certificate Authority.
After adding the service reference, the configuration file will be added with binding configuration automatically.
Ensure the binding security mode is Transport, then client credential type is Certificate.
<bindings>
<basicHttpBinding>
<binding name="<Binding Name>">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
Then, create a binding behavior that locate your certificate.
<behaviors>
<endpointBehaviors>
<behavior name="CertificateBehavior">
<clientCredentials>
<clientCertificate storeLocation="LocalMachine"
storeName="My"
findValue="bc74ca0d37510e5e87773707b60cd0490653662f"
x509FindType="FindByThumbprint" />
<serviceCertificate>
<sslCertificateAuthentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
There are a few ways to locate your certificate. I chose to find by thumbprint. How to locate the certificate thumb print? Go back to the Management Console and then double click the imported certificate. Go to the details tab, scroll down and locate the thumbprint field.
Copy and paste the thumbprint to your configuration file, and then remove all the spaces.
If you wish to find certificate by issuer name, you can refer to the value in the Issued By in the General tab. And then, set findValue="CN=<issuer name>".
Finally, set the endpoint behavior configuration.
<endpoint address="https://<webservice url>"
binding="basicHttpBinding" bindingConfiguration="<binding name>"
contract="<contract name>" name="<endpoint name>"
behaviorConfiguration="CertificateBehavior" />
When you do a test run, you may encounter some common errors.
Error 1: Could not establish trust relationship for the SSL/TLS secure channel with authority
Root Cause: Due to self-signed certificate, the client cannot validate the certificate.
Resolution: Disable client SSL certificate authentication with the following endpoint behavior configuration.
<serviceCertificate>
<sslCertificateAuthentication certificateValidationMode="None"/>
</serviceCertificate>
Error 2: Cannot FindByThumbprint - Invalid Hexadecimal String Format
Root Cause: Cannot locate the certificate. Either the certificate thumbprint is invalid, or the certificate was imported into different user store.
Resolution: If you run your web application by using Visual Studio Development Server, the hosting service is running under your current login account. You need to import the cert to your current user and set the correct certificate store in your config file. When you deploy your application to IIS, you need to make sure the IIS service account is imported with the correct cert.
No comments:
Post a Comment