Last post Aug 16, 2013 05:50 AM by sukumarraju
Aug 12, 2013 09:07 PM|dmurphy7299|LINK
We are getting the error "could not establish secure channel for ssl/tls with authority client certificate".
We are trying to access a 3rd party web service using a web service reference based off of a wsdl.
It needs to pass a client certificate for authentication.
The machine can pass the proper client cert to the 3rd party service via a browser and is successful.
We have tried so many things. Certificates have been installed in both the machine and user stores.
The code can find the client cert and load it.
We set the client credentials using this line of code once we get the X509 cert from the store.
client.ClientCredentials.ClientCertificate.Certificate = cert;
Once we call a method on the service, we get the ssl/tls error.
One developer on our team ran it locally on his machine and it worked.
It does not work on my machine.
When we put the build on the web server with IIS7/Win 2008, we run into the same error.
We are out of ideas.
The biggest question I have is trying to figure out what causes it as it's such a generic error.
If something is not trusted in the chain, how do you figure out which one?
The certificate is in the store and it shows as a status of okay when I look at it via MMC.
Update: we got it to run on my local machine after setting this setting in the web.config.
Still does not run on the web server.
To get it to avoid the SSL error locally on my dev machine, I had to set this requireClientCertificate setting on the httpsTransport tag in our customBinding.
Aug 15, 2013 07:19 AM|sukumarraju|LINK
The certificate needs to be added to the store on the web server or your machine, i.e., on the machine that is sending the request to the third party web service.
WCF Client Authentication using X509 certificates on SSL **Check the IIS configuration**
How to make certificates accessible to WCF
Let us know further queries.
Aug 15, 2013 05:28 PM|dmurphy7299|LINK
Thank you. Those 2 links are very helpful and spot on.
We got it working and there were a couple of issues that caused it that might help the next person.
1) Our web service is running in IIS7 under an account specified in the app pool. We thought we had added the permissions to the client certificate in the store, but the command line utility winhttpcertcfg.exe wasn't clear to us. Once the syntax is correct, it will display a pretty blank response instead of the help text. We thought that was successful. That's not enough. When it does find the cert and assigns the permission, it will actually confirm that with a message indicating it in fact applied the permission.
2) We could not get the X509 code to find the cert in the "current user" store once we promoted the code to the web server. We moved the client cert to the local machine store and assigned permissions there and it worked. Not 100% sure why. Might be pilot error. This code works for us.
X509Store store = new X509Store(StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly); // the store must be opened before Find returns anything
X509Certificate2Collection collection = store.Certificates.Find(X509FindType.FindBySubjectName, "CertName??", false);
store.Close();
3) We have a custom binding in the web.config. To make the wcf client pass the client certificate with the request, this requireClientCertificate flag had to be set in web.config.
<httpsTransport requireClientCertificate="true" ...
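As an added example (not code from this thread), a small C# console diagnostic that checks the three things the fixes above turned on: whether the cert is found in each store, whether its private key is readable by the identity running the code (the permission winhttpcertcfg.exe grants), and which element of the chain fails validation. Run it under the app pool account; "CertName??" is the subject name placeholder from the post and StoreName.My is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Diagnostic for the "could not establish secure channel" symptom. Run it under the
// same identity as the WCF client (e.g. the IIS app pool account); "CertName??" is the
// placeholder subject name from the post, StoreName.My is an assumption.
static class ClientCertCheck
{
    static void Main()
    {
        Report(StoreLocation.LocalMachine, "CertName??");
        Report(StoreLocation.CurrentUser, "CertName??");
    }

    static void Report(StoreLocation location, string subjectName)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false so an untrusted or expired cert still shows up for inspection
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            Console.WriteLine("{0}\\My: {1} match(es) for '{2}'", location, found.Count, subjectName);
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("  {0} (thumbprint {1})", cert.Subject, cert.Thumbprint);
                // The private key must exist AND be readable by this identity; an exception
                // here means the key ACL lacks this account (what winhttpcertcfg.exe -g fixes).
                if (!cert.HasPrivateKey)
                    Console.WriteLine("  no private key: a public-only cert cannot authenticate a client");
                else
                {
                    try { var k = cert.PrivateKey; Console.WriteLine("  private key readable: yes"); }
                    catch (CryptographicException ex) { Console.WriteLine("  private key readable: NO ({0})", ex.Message); }
                }
                // Build the chain and print every status so the untrusted element is named
                var chain = new X509Chain();
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline-friendly
                bool ok = chain.Build(cert);
                Console.WriteLine("  chain valid: {0}", ok);
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.WriteLine("  chain status: {0} - {1}", s.Status, s.StatusInformation);
            }
        }
        finally { store.Close(); }
    }
}
```

A cert that is found but reports "private key readable: NO" under the app pool account reproduces issue 1 above; a chain status such as UntrustedRoot or PartialChain answers the "which one in the chain" question from the original post.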
Aug 16, 2013 05:50 AM|sukumarraju|LINK
not 100% sure why.
Robbin's blog contains the best articles
*More on the same blog