
WCF SSL certificate validation error

Trying to get the simple Hello World (via SSL) working but receiving the following error: The remote certificate is invalid according to the validation procedure.

The server App.config is:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <behaviors>
            <serviceBehaviors>
                <behavior name="mexBehavior">
                    <serviceMetadata httpGetEnabled="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <bindings>
            <wsHttpBinding>
                <binding name="SSLSecurity">
                    <security mode="Transport">
                        <transport clientCredentialType="None" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
        <services>
            <service behaviorConfiguration="mexBehavior" name="HelloServiceLibrary.HelloService">
                <clear />
                <endpoint address="ws" binding="wsHttpBinding" name="wsEndpoint"
                    contract="HelloServiceLibrary.IHelloService">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>

                <endpoint address="https://localhost:443/hellossl" binding="wsHttpBinding" name="wssslEndpoint"
                    bindingConfiguration="SSLSecurity" contract="HelloServiceLibrary.IHelloService">
                    <identity>
                        <certificateReference x509FindType="FindByThumbprint" findValue="82a39faaeb18bf9585b334ca83264add3d5b26ee" />
                        <dns value="localhost" />
                    </identity>
                </endpoint>

                <endpoint address="mex" binding="mexHttpBinding" name="mexEndpoint"
                    contract="IMetadataExchange">
                    <identity>
                        <dns value="localhost" />
                    </identity>
                </endpoint>
                <host>
                    <baseAddresses>
                        <add baseAddress="http://localhost:8989/hello" />
                    </baseAddresses>
                </host>
            </service>
        </services>
    </system.serviceModel>
</configuration>

Please advise what I am doing wrong.

Update: the certificate is successfully deployed in Trusted Root Certification Authorities on the local computer.

Add this to your WCF config and let me know the output.

<system.diagnostics>
    <trace autoflush="true" />
    <sources>
        <source name="System.Net" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile" />
            </listeners>
        </source>
        <source name="System.Net.Sockets" maxdatasize="1024">
            <listeners>
                <add name="MyTraceFile" />
            </listeners>
        </source>
    </sources>
    <sharedListeners>
        <add
            name="MyTraceFile"
            type="System.Diagnostics.TextWriterTraceListener"
            initializeData="System.Net.trace.log"
        />
    </sharedListeners>
    <switches>
        <add name="System.Net" value="Verbose" />
        <add name="System.Net.Sockets" value="Verbose" />
    </switches>
</system.diagnostics>

This is a stab in the dark.

Check to make sure you installed it to all users.

Open up MMC
Add Snap In (Certificates)
- Check Computer Account (Next)
- Choose your computer
Done

Now reinstall the cert to "Trusted Root Certification Authorities" and it will be trusted for all users.

Not sure if this may help you, but I looked back at how I had my app.config set for a simple secure service I wrote a few weeks ago where I was using certs. Here are a few considerations you may need to make to properly configure your config for the service:

<bindings>
    <wsHttpBinding>
        ...
        <security>
            <transport clientCredentialType="Certificate"  />
        </security>
    </wsHttpBinding>
</bindings>

Now in my config I have an endpoint behavior defined which provides metadata to tell the service what the client will be using for a cert on its side:

<behaviors>
    <endpointBehaviors>
        <behavior name="ClientBehavior">
            <clientCredentials>
                <clientCertificate findValue="WcfClient" storeLocation="LocalMachine" storeName="My"
                    x509FindType="FindBySubjectName" />
                <serviceCertificate>
                    <authentication certificateValidationMode="PeerTrust" />
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

If all you need is a secure link, i.e. encryption only, no client authentication, then you don't need to set any client credentials. This is all you should have to do:
1. configure IIS to use SSL
2. configure an HTTPS endpoint on your service
3. configure the client to use the above endpoint

That's it. If your certificate is invalid, you might have to do your custom certificate validation as described here: MSDN.

Good luck!
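An added client-side diagnostic (not code from the posts above), assuming a .NET Framework client whose WCF HTTPS transport honours `ServicePointManager`; the class and method names are illustrative. It reports which validation check failed and whether the top of the chain sits in the machine or the user root store, and it still rejects the certificate.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsDiagnostics
{
    // Call once in the client, before the WCF proxy or channel is opened.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Explain;
    }

    // Reports why validation failed. A failure is never turned into a success.
    static bool Explain(object sender, X509Certificate cert,
                        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        Console.Error.WriteLine("Policy errors: " + errors);
        if (cert != null)
            Console.Error.WriteLine("Presented: " + cert.Subject + " [" + cert.GetCertHashString() + "]");

        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.Error.WriteLine("The host name in the endpoint address is not a name in the certificate.");

        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("Chain: " + status.Status + ": " + status.StatusInformation.Trim());

            if (chain.ChainElements.Count > 0)
            {
                X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                Console.Error.WriteLine("Top of chain: " + top.Subject);
                Console.Error.WriteLine("  in LocalMachine\\Root: " + InRoot(top, StoreLocation.LocalMachine));
                Console.Error.WriteLine("  in CurrentUser\\Root:  " + InRoot(top, StoreLocation.CurrentUser));
            }
        }
        return false;
    }

    // True when a certificate with the same thumbprint is in the given root store.
    static bool InRoot(X509Certificate2 cert, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.Root, location);
        store.Open(OpenFlags.ReadOnly);
        try { return store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0; }
        finally { store.Close(); }
    }
}
```

An `UntrustedRoot` status with the certificate present only under `CurrentUser\Root` points at the store-location issue raised above; a name mismatch points at the endpoint address or the certificate's subject instead.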
