I want to use certificate-based encryption and verification when communicating using the WCF service. Therefore, I created test certificates "TempCA" as my root CA and "SignedByCA" as a client certificate signed by this CA.
When I put the client certificate in "Local computer \ Trusted people" and use certificateValidationMode="PeerTrust", the service recognizes the client and everything works as expected. But when checking the trust chain (certificateValidationMode="ChainTrust"), I ran into the error "The caller was not authenticated by the service."
Relevant server-side configuration:
<behaviors>
  <serviceBehaviors>
    <behavior name="customServiceBehavior">
      [...]
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust"
                          trustedStoreLocation="LocalMachine"
                          mapClientCertificateToWindowsAccount="false" />
        </clientCertificate>
        <serviceCertificate findValue="TempCA"
                            storeLocation="LocalMachine"
                            storeName="My"
                            x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <wsHttpBinding>
    <binding name="soapBindingConfiguration">
      <security mode="Message">
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
Relevant client configuration (the rest is generated automatically using "Add service link"):
<endpointBehaviors>
  <behavior name="customClientBehavior">
    <clientCredentials>
      <clientCertificate findValue="SignedByCA"
                         storeLocation="LocalMachine"
                         storeName="My"
                         x509FindType="FindBySubjectName" />
    </clientCredentials>
  </behavior>
</endpointBehaviors>
Both client and server certificates are stored with their private key in "Local Computer \ Personal" (because I am testing on the same computer), and "TempCA" (my root certificate) is also located in "Local Computer \ Trusted Root Certification Authorities".
What am I missing here? Any working examples?
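WCF's ChainTrust mode validates the client certificate by building an X509Chain against the store location named in trustedStoreLocation, and a failed build surfaces on the caller's side only as the generic "not authenticated" fault. The following PowerShell script is an added diagnostic, not part of the question above and not WCF's own code: it builds the same kind of chain for the "SignedByCA" certificate from LocalMachine\My and prints every status flag the chain reports, so that the real reason (untrusted root, unknown revocation status, wrong key usage, and so on) is visible. The subject name and the revocation mode are parameters; everything else is assumed from the question's configuration.

```powershell
# Added diagnostic for the ChainTrust failure described in the question.
# Assumptions: a certificate with subject "SignedByCA" exists in LocalMachine\My
# (as in the question's client config); the revocation mode to test is passed in.
param(
    [string]$SubjectName = "SignedByCA",
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = "Online"
)

# Locate the client certificate the same way the WCF config does (FindBySubjectName).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
try {
    $cert = $store.Certificates.Find("FindBySubjectName", $SubjectName, $false) | Select-Object -First 1
} finally {
    $store.Close()
}
if (-not $cert) { throw "No certificate with subject name '$SubjectName' in LocalMachine\My" }

# Build a chain with the policy WCF's ChainTrust uses by default: revocation is checked
# (Online), the root itself is excluded from revocation checking, no flags relaxed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = $RevocationMode
$chain.ChainPolicy.RevocationFlag    = "ExcludeRoot"
$chain.ChainPolicy.VerificationFlags = "NoFlag"

$ok = $chain.Build($cert)
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Chain builds with RevocationMode=${RevocationMode}: $ok"

# Print every element of the chain and the status flags attached to each one.
foreach ($element in $chain.ChainElements) {
    "  element: $($element.Certificate.Subject)"
    foreach ($s in $element.ChainElementStatus) {
        "    status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
if (-not $ok) {
    "Overall chain status:"
    foreach ($s in $chain.ChainStatus) { "  $($s.Status) - $($s.StatusInformation.Trim())" }
}
```

Run it once with the default (Online) and once with `-RevocationMode NoCheck`. If the chain only builds in the second run, the flags from the first run (typically RevocationStatusUnknown or OfflineRevocation) point at a test CA that publishes no CRL; the WCF `<authentication>` element accepts a `revocationMode` attribute (NoCheck, Online, Offline) so the service's policy can be matched to what the test PKI actually provides, while a production CA should keep revocation checking on. If the chain fails in both runs, the printed flags (for example UntrustedRoot or PartialChain) identify which store is missing the issuer.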