WCF Self signed certificate is not trusted on the client


Solution 1

Are you sure that your self-signed certification is in the Trusted Root Certification Authorities certificate store on the client machine that will be accessing your WCF service? See the screenshot below of a self-signed certificate that is trusted by one of my Windows Vista machines.

Are you also sure that your certificate is a self-signed certificate? See the screenshot at the end of one of my self-signed certificates.

(three screenshots from the original answer are not reproduced here)

Updated information:

Check out this posting for information on how to use a utility called SelfSSL7 to create self-signed certificates that contain multiple host names.

Here's another link with good information on SelfSSL7.exe and download information.

Solution 2

I had this today - but with IIS7. If you use IIS to generate the cert (inetmgr -> select the home node, then choose Server Certificates and use the right-hand menu option to create a self-signed certificate), the 'issued to' attribute is set using the FQDN of your machine - like 'mymachine.myintranet.copp.net' or whatever.

As long as you use the FQDN in the URL you connect to the service with - like 'mymachine.myintranet.copp.net/myservice/service.svc' - then the error goes away.

If you're using an alternative URL, like an IP address or localhost, then the error occurs. So, the machine above was obviously known as johnma on his network; with that name it works.

Author: baileyswalk

Updated on July 18, 2022

Comments

  • baileyswalk
    baileyswalk almost 2 years

    I have a WCF service that is ONLY ever used between two server machines. It will NEVER be used publicly.

    I was hoping I could use SSL with a self signed certificate for security.

    I created a certificate using IIS7, installed it on the client machine using IE and the MMC (Personal, TrustedRoot, Third-Party & TrustedPeople).

    I still can't get to the service, either from code or via IE8, without it questioning the certificate.

    From IE I get the usual "There is a problem with this website's security certificate."

    From code I get the error: "Could not establish trust relationship for the SSL/TLS secure channel with authority"

    Why is this not working?

  • baileyswalk
    baileyswalk almost 12 years
    I thought installing the certificate on the client machine should resolve this, no?
  • HeatfanJohn
    HeatfanJohn almost 12 years
    @erix Trusting the certificate should make the warnings disappear.
  • HeatfanJohn
    HeatfanJohn almost 12 years
    Does the host name contained inside the "CN" of the certificate match the host name being used on your https:// URL? Can you dump or list out the certificate you created? Minus the private key, we don't need to see that.
  • Mike Goodwin
    Mike Goodwin almost 12 years
    Further to the comment from @HeatfanJohn, the hostname in the cert has to match exactly with what you put in the service endpoint on the client - that is, it has to be the fully qualified domain name in an AD domain. I have had problems in the past when I just used the server machine name on the client whereas the cert was issued using the full name.
  • baileyswalk
    baileyswalk almost 12 years
    This half way solves the issue... it works in IE if I host the service and client locally, when the FQDN is typed into the browser. However, I get the same error when implementing the service from code. The FQDN is in the endpoint.
  • HeatfanJohn
    HeatfanJohn almost 12 years
    This means that the issue is a mismatch between the host name in the certificate (CN=xxx) and the host name being used to connect to the server. If you are going to use the server's fully qualified name when connecting to your service, then you need to use that name when you build the self-signed certificate. There is also a certificate facility called Subject Alternative Names (SAN) where you can specify additional host names that can be used when accessing the certificate. I need to GOOGLE self-signed SAN certs and Windows to see how you do that on Windows.
  • Donal Fellows
    Donal Fellows almost 12 years
    @Heatfan There's wildcards too. When you're your own CA, you can use the fancy features that are normally expensive.
  • baileyswalk
    baileyswalk almost 12 years
    @HeatfanJohn Agreed, must be a conflict with the client host name, as I can debug the sent certificate and confirm it has the correct values. Well at least it works in theory, in practice I can either interrogate some values of the certificate to make sure it is the right one, or buy one from a CA. Thanks for your input.
  • Jerico Sandhorn
    Jerico Sandhorn over 8 years
    I am having this issue on Windows 7. The ss cert contains the host name and I only use the host name connecting. The one difference I see is I do not have the private key included in the cert. Would that matter?
  • Jerico Sandhorn
    Jerico Sandhorn over 8 years
    For me, installing the cert in the root satisfies both IE and Chrome, but WCF still doesn't like it
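The two conditions the thread converges on (Solution 1: the certificate must sit in the client's Trusted Root Certification Authorities store; Solution 2 and HeatfanJohn's comment: the CN, or a SAN entry, must match the host name in the endpoint URL) can be satisfied and verified from PowerShell. The script below is an added example, not code from the thread or from Microsoft's documentation; it uses the PKI module cmdlets (New-SelfSignedCertificate, Export-Certificate, Import-Certificate, Test-Certificate), which assume Windows 8 / Server 2012 or later rather than the IIS7 wizard the answers used. The host names are placeholders, and the "server" and "client" steps are shown on one machine so that the final check can run as written.

```powershell
# Added example: issue a self-signed TLS certificate whose Subject CN and SAN list
# cover every name clients will put in the endpoint URL, trust it on the client,
# and then run the same chain + host-name validation the SSL/TLS stack performs.
# Placeholder names; run from an elevated PowerShell session.

$fqdn  = 'mymachine.myintranet.example'   # placeholder: FQDN used in the WCF endpoint URL
$short = 'mymachine'                      # placeholder: short name, if clients also use it

# --- Server side ---------------------------------------------------------------
# The first -DnsName entry becomes the Subject CN; every entry is written into the
# Subject Alternative Name extension, which is what name matching is checked against.
$cert = New-SelfSignedCertificate -DnsName $fqdn, $short `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'WCF self-signed (placeholder)'

# Export the public certificate only (-Type CERT, no private key) for the client.
$cerPath = Join-Path $env:TEMP 'wcf-selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# --- Client side ---------------------------------------------------------------
# Trust is established by importing into Trusted Root Certification Authorities.
# Copies in Personal or TrustedPeople do not make the server-auth chain validate.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# --- Check: chain builds to a trusted root AND the name matches the URL host ----
# -Policy SSL applies the server-authentication rules; -DNSName is the host name
# that will appear in the https:// endpoint. Both failure modes from the thread
# (untrusted root, host-name mismatch) make this return False.
Test-Certificate -Cert $cert -Policy SSL -DNSName $fqdn          # expect True
Test-Certificate -Cert $cert -Policy SSL -DNSName $short         # expect True (SAN entry)
Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost'    # expect False: not in CN/SAN

# Print the names the certificate actually carries, to compare with the endpoint URL.
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
"Subject : $($cert.Subject)"
"SAN     : $($san.Format($false))"
```

The last Test-Certificate call is the case the thread keeps hitting: a certificate that is perfectly trusted still fails when the client addresses the service by localhost, an IP address, or a short name that was never added to the SAN list. Regenerate the certificate with the extra names rather than relaxing validation on the client.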