How to consume a SOAP service over HTTPS in C#?

Question

Webservice administrator gave me WSDL, two certificates and a private key:

service.wsdl
ssl.cer
auth_cert.pem
auth_private_key.pem

In Visual Studio 2010 I added a Web Reference (Service Reference didn't work) from the WSDL. Then I tried to use it as it was an http soap client:

MySoapClient client = new MySoapClient();
client.Operation();

and I obtain this stack trace:

Unhandled Exception: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

What I have to do with certificates and private key?
I can't find any tutorial online nor books that covers this matter. Any hint?

Update

Accessing the endpoint with Firefox :

SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)

Answer 1

Webservice administrator gave me WSDL, two certificates and a private key

If you only consume the service the private key is not required. I can guess you want 2-way authentication with https. If this is the case here is how it works:

On the server the admin should install the cert with a private key to enable SSL (the key is used during SSL handshake). Its public key is used by your client to check if the cert is valid and to authenticate the service, so on the client side you somehow need to check it. If both machines are in Windows domain this is easy (it can be configured to use domain Certification Authority). If not, you need all the certs that were used to sign the original server cert to be installed on the client machine (in Trusted Root CA storage).

The second part is client authentication to the server. You install the client cert (it contains public key) to Personal storage and configure WCF proxy to use it:

<behaviors>
    <endpointBehaviors>
        <behavior name="certSecureBehavior">
            <clientCredentials>
                <clientCertificate findValue="client-CN" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
                <serviceCertificate>
                    <defaultCertificate findValue="server-CN" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="TrustedPeople"/>
                </serviceCertificate>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

Configure you endpoint to use this behavior. A few notes:

• client-CN is a name the client cert is generated for (not so important)
• server-CN is a name the server cert is generated for (usually the server DNS name)

This is very complex topic and always require lot of time to research. Check this article http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx Hope this help.

Answer 2

The admin seems to have given you the files used to setup SSL on the server. You should be be able to run service.wsdl through WSDL.exe to generate a C# proxy, which is what VS does when you add a Web Reference. I don't think this is your problem though. You are seeing a network level issue since the exception is a System.Net.WebException.

The other files look like they are what the admin was using to add SSL to the server. By sharing the private key he may have compromised the security if any SSL-enabled services using this key. You should look for any service end points in the WSDL and try to access those in your browser over SSL (https://). If you cannot then there is a server configuration issue. Correct the SSL configuration on the server and your WSDL should work, or at least you''ll have a new issue.