Client certificate is invalid

mzarlenga

I have a WCF .NET 3.0 self-hosted service and client. Both client and
server are on the same system.

My service opens a secure endpoint and is configured to demand a
client-side certificate:

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;


Some client certificates are working, but some are not. I've checked
everything I can think of within the certificates - expiration date,
the CAs in trusted root, etc. and they all look fine.

I've turned on every bit of WCF tracing that I can find. The Service
Trace Viewer (on the server) tells me that the "Client certificate is
invalid" but offers no additional information.

How can I figure out the specific reason why the certificate is
invalid?
 
David Wang

Perhaps you do not have private keys for some of the client
certificates. Or the private keys are not ACL'd for the user using it.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
 
mzarlenga

Perhaps you do not have private keys for some of the client
certificates. Or the private keys are not ACL'd for the user using it.

Hi David, thanks for the response. I double checked; all the
certificates have private keys. How do I check if the keys are
"ACL'd?" (I'm using the Certificates snap-in within mmc to view the
certificates)

Here's an interesting twist ... all the certificates show:

This certificate is intended for the following purpose(s)
- Ensures the identity of a remote computer
- Proves your identity to a remote computer

And all of the certificates work as server-side certificates, yet some
do not work as client-side certificates. The ones that do not work
were issued by a Windows Server 2008 Certificate Authority.
 
Rowland Watkins

TLS is a bit picky about what certificates are permitted to act as a client.

There are two Netscape extensions that tell the receiver what the client
certificate is permitted to do:

SSL Client
SSL Server

Your client certificate must include the SSL Client to be accepted by the
server. Note this is also the case if a server became a client to another
server - both extensions must appear in the certificate.

You can easily create some suitable certificates using something like XCA if
the Windows Server 2008 CA is being a pain. Although I've never used Windows
Server 2008 CA, I bet there are options for setting the X509v3 extensions
(including Netscape). If you find and change these settings, make sure you
include the Subject Key Identifier extension and that you always use RSA!

HTH

Rowland
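A diagnostic script, added here and not part of the thread, that runs the checks raised in the two replies above against one certificate in the Windows store: whether a private key is present and whether its key container can actually be opened by the account running the client (David's points), and whether the certificate carries the client-authentication purpose and chains to a trusted root for that purpose (Rowland's point; what the Windows Schannel stack evaluates for this is the X.509 Extended Key Usage extension, and "Proves your identity to a remote computer" in the snap-in is the Client Authentication EKU, OID 1.3.6.1.5.5.7.3.2). The thumbprint, store location and CAPI key-folder paths are assumptions to replace for your machine.

```powershell
# Added diagnostic for a WCF client certificate; not code from the thread.
# Assumptions: the certificate is in the "Personal" store of the account the
# WCF client runs as, the thumbprint below is replaced with the real one, and
# the CAPI key folders are at their Vista/2008 default locations.
param(
    [string]$Thumbprint    = 'REPLACE_WITH_THUMBPRINT',
    [string]$StoreLocation = 'CurrentUser'    # 'LocalMachine' if the client runs as a service
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth: "Proves your identity to a remote computer"

$cert = Get-ChildItem "Cert:\$StoreLocation\My" | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\$StoreLocation\My" }

"Subject       : $($cert.Subject)"
"Issuer        : $($cert.Issuer)"
"Validity      : $($cert.NotBefore) to $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# Check 1: Extended Key Usage. No EKU extension at all means "any purpose";
# an EKU extension that lacks clientAuth means the cert cannot be a TLS client.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    "EKU OIDs      : $($oids -join ', ')"
    "Client Auth   : $($oids -contains $clientAuthOid)"
} else {
    "EKU           : extension absent (valid for any purpose)"
}

# Check 2: build the chain with the client-auth application policy and online
# revocation checking. ChainStatus carries the detail the one-line WCF trace omits
# (UntrustedRoot, PartialChain, RevocationStatusUnknown, NotValidForUsage, ...).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$clientAuthOid) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
"Chain builds  : $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus)   { "  status  : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim() }
foreach ($e in $chain.ChainElements) { "  element : $($e.Certificate.Subject)" }

# Check 3: private key access. Merely touching .PrivateKey throws when the key
# container is not ACL'd for the current account, so the exception itself is the
# diagnosis. If it opens, locate the CAPI key file and dump its ACL.
try {
    $key = $cert.PrivateKey
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFileName = $key.CspKeyContainerInfo.UniqueKeyContainerName
        $keyRoots = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",   # assumed default paths
                      "$env:APPDATA\Microsoft\Crypto\RSA")
        $keyFile = Get-ChildItem -Path $keyRoots -Recurse -Filter $keyFileName -ErrorAction SilentlyContinue |
                   Select-Object -First 1
        if ($keyFile) {
            "Key file      : $($keyFile.FullName)"
            (Get-Acl $keyFile.FullName).Access |
                ForEach-Object { "  acl     : {0,-35} {1}" -f $_.IdentityReference, $_.FileSystemRights }
        } else {
            "Key file      : container '$keyFileName' not under the CAPI folders (CNG key or non-default CSP?)"
        }
    } else {
        "Private key   : not a CAPI RSA key; inspect with certutil -verifykeys or certutil -repairstore"
    }
} catch {
    "Private key   : FAILED to open - $($_.Exception.Message)"
}
```

Run it once as the account the WCF client runs under and once as the account the self-hosted service runs under, since the server side builds the chain in its own context. For the certificates in this thread the snap-in already shows the Client Authentication purpose, so check 1 should pass and the interesting output is the chain status list and the private-key step: a status such as PartialChain or RevocationStatusUnknown, or a failure to open the key container, gives the specific reason that the "Client certificate is invalid" message hides.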
 
