
WCF service dns identity on client doesn't work

Trying to communicate with some SOAP service via https. The service has a certificate. Everything works fine if I install this certificate into the local store or write its encoded content in the config as

<certificate encodedValue="CCBF......"/>

But I don't want to have a hard reference in the client to the service certificate data, because it will expire soon and will be changed. I want to accept the service certificate by CN or some way like that.

According to MSDN, the client.endpoint.identity.dns value can be used in such a case. So if dns.value == CN in the service certificate, then the connection should be OK.

But it doesn't.

When I open the connection, I get an exception:

client.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
client.Open();

Additional information: The service certificate is not provided for target ' https://sss.myhost.com '. Specify a service certificate in ClientCredentials.

<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding>
          <security authenticationMode="MutualCertificate"
                    enableUnsecuredResponse="true"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <secureConversationBootstrap />
          </security>
          <textMessageEncoding messageVersion="Soap11" />
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior>
          <clientCredentials>
            <clientCertificate findValue="Foo" storeName="My" storeLocation="CurrentUser" x509FindType="FindByIssuerName" />
            <serviceCertificate>
              <!--<defaultCertificate storeLocation="LocalMachine" x509FindType="FindByIssuerName" storeName="Root" findValue="MyIssuerName" />-->
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://sss.myhost.com"
                binding="customBinding"
                contract="RS.InstanceManagerPortType" name="InstanceManagerPort">
        <identity>
          <!--<certificate encodedValue="CCBF......"/>-->
          <dns value="*.myhost.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

I believe you'll have to implement your own certificate validation.

<behavior name="credentialConfiguration">
  <clientCredentials>
    <serviceCertificate>
      <authentication
        certificateValidationMode="Custom"
        customCertificateValidatorType="YOUR VALIDATOR"/>
    </serviceCertificate>
  </clientCredentials>
</behavior>

where YOUR VALIDATOR is the assembly-qualified type name of a class that implements X509CertificateValidator. There you have full freedom to validate whatever you want - CN, thumbprint, etc.
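An added example of such a validator, written for this page and not part of the original answer. It checks the subject CN the question asks for, but also builds the chain itself, because with certificateValidationMode="Custom" WCF performs no chain-trust or expiry check of its own: a validator that only compares the CN would accept any self-signed certificate carrying that name. The CN "sss.myhost.com", the issuer thumbprint, and the class/namespace names are assumptions for illustration; nothing below is the WCF library's own code.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyClient.Security
{
    // Hypothetical custom validator for a WCF client endpoint behavior:
    //   <authentication certificateValidationMode="Custom"
    //       customCertificateValidatorType="MyClient.Security.CnPinningServiceCertificateValidator, MyClient" />
    public sealed class CnPinningServiceCertificateValidator : X509CertificateValidator
    {
        // Assumed values: the CN the service certificate must carry and the
        // thumbprint of the CA that is allowed to issue it. Pinning the issuer
        // rather than the leaf lets the service renew its certificate without a
        // client config change, which is the question's goal.
        private const string ExpectedCn = "sss.myhost.com";
        private const string TrustedIssuerThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // 1. Subject CN check: exact match, no wildcard handling.
            string cn = certificate.GetNameInfo(X509NameType.SimpleName, false);
            if (!string.Equals(cn, ExpectedCn, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException(
                    "Service certificate CN '" + cn + "' does not match expected '" + ExpectedCn + "'.");

            // 2. Validity period, signature and trust: Custom mode bypasses WCF's
            //    own chain validation, so it has to be done here explicitly.
            var chain = new X509Chain();
            try
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (!chain.Build(certificate))
                {
                    string reason = chain.ChainStatus.Length > 0
                        ? chain.ChainStatus[0].StatusInformation.Trim()
                        : "unknown";
                    throw new SecurityTokenValidationException(
                        "Service certificate chain validation failed: " + reason);
                }

                // 3. Issuer pin: some element above the leaf must be the trusted CA.
                bool issuerPinned = false;
                for (int i = 1; i < chain.ChainElements.Count; i++)
                {
                    string thumb = chain.ChainElements[i].Certificate.Thumbprint;
                    if (string.Equals(thumb, TrustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase))
                    {
                        issuerPinned = true;
                        break;
                    }
                }
                if (!issuerPinned)
                    throw new SecurityTokenValidationException(
                        "Service certificate was not issued by the pinned CA.");
            }
            finally
            {
                chain.Reset();
            }
        }
    }
}
```

Reference the class from the endpoint behavior exactly as the answer's config shows, with the assembly-qualified name in customCertificateValidatorType. If the service certificate is identified by DNS SAN rather than CN, use X509NameType.DnsName in step 1 instead of SimpleName; in either case keep step 2, since the CN is attacker-controlled on any certificate the client does not chain to a trusted CA.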
