1

My project uses Visual Studio 2010 and is a web application project in C#. I added a web reference for the web service.

I'm getting "Could not establish secure channel for SSL/TLS with authority" when I try to access a third-party web service with a certificate on my UAT server. The certificate was expired. I've already added the trusted root cert and personal cert for the local computer and current user. It works when I call it from a web service application but not from a web application.

Below is the code I used to add the certificate when calling the web service and bypass the certificate error.

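AServiceReference.AServiceClient client = new AServiceReference.AServiceClient();

// Load the client certificate (file path and password are placeholders) and attach it to the proxy.
X509Certificate2 cert = new X509Certificate2("CERTIFICATE","PASSWORD");
client.ClientCredentials.ClientCertificate.Certificate = cert;

// Accepts any server certificate; the callback is static, so it applies to every HTTPS request in the process.
System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };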
belltric
  • Maybe take a look at the checklist of Marc Gravell in this question: http://stackoverflow.com/questions/703272/could-not-establish-trust-relationship-for-ssl-tls-secure-channel-soap?rq=1 – Rafa Apr 24 '15 at 07:45
  • @Rafa already followed those steps but still failed – belltric Apr 24 '15 at 08:13
  • In this case, I'm sorry that I cannot help; usually it should work. Maybe if you show us the error? Are you sure you have no CORS issues or something like that? – Rafa Apr 24 '15 at 09:05
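
A narrower alternative to the accept-everything callback in the question, added here as an example and not part of the original post: it keeps normal validation and tolerates a chain error (which is how expiry is reported) only for one pinned server certificate. The class name, the placeholder thumbprint and the `uat.example.test` host are assumptions, and `Main` uses `CertificateRequest`, which needs .NET Framework 4.7.2 or later or .NET Core.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedServerValidation   // hypothetical name
{
    // Placeholder: thumbprint of the one server certificate agreed with the service owner.
    const string PinnedThumbprint = "<SERVER-CERT-THUMBPRINT>";

    // Signature matches RemoteCertificateValidationCallback.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        return Decide(cert, errors, PinnedThumbprint);
    }

    // A clean chain passes as usual. Otherwise accept only the pinned certificate,
    // and only when the sole problem is a chain error (expiry is reported as one);
    // a host name mismatch or a missing certificate is always rejected.
    public static bool Decide(X509Certificate cert, SslPolicyErrors errors, string pin)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        string actual = cert.GetCertHashString();   // SHA-1 hex, same value as Thumbprint
        return string.Equals(actual, pin, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        // Constructed sample: a self-signed certificate that expired yesterday.
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=uat.example.test", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            DateTimeOffset now = DateTimeOffset.UtcNow;
            using (X509Certificate2 expired = req.CreateSelfSigned(now.AddDays(-30), now.AddDays(-1)))
            {
                var chainOnly = SslPolicyErrors.RemoteCertificateChainErrors;
                var withName = chainOnly | SslPolicyErrors.RemoteCertificateNameMismatch;
                Console.WriteLine("pinned, expired:  " + Decide(expired, chainOnly, expired.Thumbprint));
                Console.WriteLine("different cert:   " + Decide(expired, chainOnly, new string('0', 40)));
                Console.WriteLine("pinned, bad name: " + Decide(expired, withName, expired.Thumbprint));
            }
        }
    }
}
```

The pin also tolerates other chain errors on that one certificate, such as revocation, so it belongs in UAT only and should be removed once the service presents a valid certificate.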

2 Answers

0

Add this to your web.config file and you will probably be fine:

<bindings>
  <basicHttpBinding>
    <binding name="xxxBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
Thanos Markou
0

When I was tasked with attaching a client cert I was able to do it in one of two ways. It doesn't look like you're actually attaching the client cert (if you are using one) anywhere.

1: through code like you've been doing

proxyClient.ClientCredentials.ClientCertificate.SetCertificate(
     StoreLocation.CurrentUser,
     StoreName.My,
     X509FindType.FindByThumbprint,
     "6D0DBF387484B25A16D0E3E53DBB178A366DA954");

2: through configuration in the web/app.config file.

<behaviors>
  <endpointBehaviors>
    <behavior name="ohBehave">
      <clientCredentials useIdentityConfiguration="false">
        <clientCertificate findValue="c6dafea24197cd6a6f13e846ffcdf70220d23ec2" storeLocation="CurrentUser"
          x509FindType="FindByThumbprint" />            
      </clientCredentials>          
    </behavior>
  </endpointBehaviors>
</behaviors>

<client>
  <endpoint address="https://myservice.ca/SubmitService/Submit.svc"
    behaviorConfiguration="ohBehave" binding="customBinding" bindingConfiguration="SubmitBinding"
    contract="SubmitService.Submit" name="SubmitDev" />
</client>

As long as the cert is in the store specified it should be getting attached.

I also had to use a customBinding in my .config file since we wanted to pass credentials as well (note the httpsTransport node for client certs):

    <binding name="SubmitBinding">
      <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
        requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
        <localClientSettings detectReplays="false" />
        <localServiceSettings detectReplays="false" />
      </security>
      <textMessageEncoding messageVersion="Soap11">
        <readerQuotas maxDepth="32" maxStringContentLength="200000000"
          maxArrayLength="200000000" maxBytesPerRead="200000000" />
      </textMessageEncoding>
      <httpsTransport maxBufferPoolSize="200000000" maxReceivedMessageSize="200000000"
        maxBufferSize="200000000" requireClientCertificate="true" />
    </binding>
Bensonius