Friday, December 5, 2008

Using Self Signed Certs on Vista

I needed to enable certificates for my WCF service, so I first added the following behavior to my service:

<behavior name="MyServiceBehavior">
  <serviceCredentials>
    <serviceCertificate findValue="MyLocalHost" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
  </serviceCredentials>
</behavior>

Then, following the steps here, I created a self-signed certificate to add to the root store and a certificate to use for my service.

I then tried to bring up the service's help page and got this error:

The certificate 'CN=SignedByLocalHost' must have a private key that is capable of key exchange. The process must have access rights for the private key.

Doing some searching, I found that you need to use WinHttpCertCfg to give the process account permissions on the private key. I also found that this tool is deprecated in Vista. It may or may not work, but I wanted to figure out how to get this working without it.

The suggested method was to use the MMC Certificates snap-in to manage the private key. You right-click on the certificate and there should be a "Manage Private Keys" option under All Tasks, but it wasn't there for me.

After some more digging I found that you need to create the certificate for key exchange. The following command worked:

makecert -sk SignedByCA -iv c:\OutCert.pvk -n "CN=MyLocalHost" -ic c:\OutCert.cer -sr LocalMachine -ss My -sky exchange -pe

The thing I had left off was -sky exchange.

The next error I ran into was:

The X.509 certificate CN=MyLocalHost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

To resolve this you need to do what it says (of course the trick is finding where to change this setting). Add the following behavior to your client configuration:

<behavior name="ssl">
  <clientCredentials>
    <serviceCertificate>
      <authentication certificateValidationMode="None" />
    </serviceCertificate>
  </clientCredentials>
</behavior>
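As an added example (not code from the original post), here is a small C# console program that checks a service certificate for the two failures described above before WCF ever loads it: that the private key exists, is readable by the current account and was created with the exchange key spec (the "capable of key exchange" error), and that a trust chain can be built for it (the "chain building failed" error). It assumes the subject name CN=MyLocalHost from the post and the LocalMachine\My store used in the service behavior; the program name is hypothetical.

```csharp
// Added example: preflight check for a WCF service certificate.
// Assumes the certificate from the post (CN=MyLocalHost) in LocalMachine\My;
// another subject name can be passed on the command line.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertPreflight
{
    static int Main(string[] args)
    {
        string subject = args.Length > 0 ? args[0] : "MyLocalHost";

        // 1. Locate the certificate the same way the service behavior does:
        //    storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName".
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
        store.Close();

        if (found.Count == 0)
        {
            Console.WriteLine("No certificate with subject name '{0}' in LocalMachine\\My.", subject);
            return 1;
        }
        X509Certificate2 cert = found[0];
        Console.WriteLine("Found: {0} (thumbprint {1})", cert.Subject, cert.Thumbprint);

        // 2. "must have a private key that is capable of key exchange":
        //    the key must be present, readable by this process, and created with
        //    the AT_KEYEXCHANGE key spec (what makecert -sky exchange produces).
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine("No private key is associated with this certificate.");
            return 2;
        }
        try
        {
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
            {
                Console.WriteLine("Private key is not an RSA CSP key; cannot inspect its key spec.");
                return 2;
            }
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("Key container: {0}, key spec: {1}", info.KeyContainerName, info.KeyNumber);
            if (info.KeyNumber != KeyNumber.Exchange)
            {
                Console.WriteLine("Key spec is {0}; WCF needs Exchange (re-create the cert with makecert -sky exchange).", info.KeyNumber);
                return 2;
            }
        }
        catch (CryptographicException ex)
        {
            // Thrown when the account running this process has no ACL entry on the
            // key container: the "process must have access rights" half of the error.
            Console.WriteLine("Private key exists but could not be opened: {0}", ex.Message);
            return 2;
        }

        // 3. "chain building failed": reproduce what the default certificateValidationMode
        //    (ChainTrust) does. A self-signed test certificate has no CRL distribution
        //    point, so revocation checking is disabled here to isolate the trust problem.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool valid = chain.Build(cert);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("Chain status: {0} - {1}", status.Status, status.StatusInformation.Trim());
        Console.WriteLine(valid
            ? "Chain builds: ChainTrust would accept this certificate."
            : "Chain does not build: import the issuing CA into Trusted Root Certification Authorities, or use PeerTrust.");
        return valid ? 0 : 3;
    }
}
```

Run it under the same account the service runs as, since step 2 depends on that account's ACL on the key container. If step 3 reports UntrustedRoot, the client-side alternatives to certificateValidationMode="None" are to import the CA certificate into Trusted Root Certification Authorities (so the default ChainTrust succeeds) or to put the service certificate itself into TrustedPeople and use certificateValidationMode="PeerTrust"; the revocation half of the error is controlled separately by the revocationMode attribute on the same authentication element. None skips the certificate check entirely, so it is only appropriate while getting a development setup to work.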


Anonymous said...

Thank you so much !!! I've been struggling with this for a few hours now. It is amazing how little documentation is available on the topic, with WCF actually making your life harder than easier when you want to use a non "Hello World" type service ...

Josh Berke said...

Glad it helped, I was amazed at how I had to pull info from several places just to get this to work.

Happy Coding :-)