Client certificate is invalid

  • mzarlenga

    Client certificate is invalid

    I have a WCF .NET 3.0 self-hosted service and client. Both client and
    server are on the same system.

    My service opens a secure endpoint and is configured to demand a
    client-side certificate:

    BasicHttpBinding binding = new BasicHttpBinding();
    binding.Security.Mode = BasicHttpSecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType =
        HttpClientCredentialType.Certificate;


    Some client certificates are working, but some are not. I've checked
    everything I can think of within the certificates - expiration date,
    the CAs in trusted root, etc. and they all look fine.

    I've turned on every bit of WCF tracing that I can find. The Service
    Trace Viewer (on the server) tells me that the "Client certificate is
    invalid" but offers no additional information.

    How can I figure out the specific reason why the certificate is
    invalid?
  • David Wang

    #2
    Re: Client certificate is invalid

    On Oct 3, 11:41 am, mzarlenga <mzarle...@gmail.com> wrote:
    > I have a WCF .NET 3.0 self-hosted service and client. Both client and
    > server are on the same system.
    >
    > My service opens a secure endpoint and is configured to demand a
    > client-side certificate:
    >
    > BasicHttpBinding binding = new BasicHttpBinding();
    > binding.Security.Mode = BasicHttpSecurityMode.Transport;
    > binding.Security.Transport.ClientCredentialType =
    >     HttpClientCredentialType.Certificate;
    >
    > Some client certificates are working, but some are not. I've checked
    > everything I can think of within the certificates - expiration date,
    > the CAs in trusted root, etc. and they all look fine.
    >
    > I've turned on every bit of WCF tracing that I can find. The Service
    > Trace Viewer (on the server) tells me that the "Client certificate is
    > invalid" but offers no additional information.
    >
    > How can I figure out the specific reason why the certificate is
    > invalid?

    Perhaps you do not have private keys for some of the client
    certificates. Or the private keys are not ACL'd for the user using it.


    //David
    David Wang on IIS, ISAPI, Virtual Server, and whatever else I fancy...


    //


    • mzarlenga

      #3
      Re: Client certificate is invalid

      On Oct 5, 3:03 am, David Wang <w3.4...@gmail.com> wrote:
      > > How can I figure out the specific reason why the certificate is
      > > invalid?
      >
      > Perhaps you do not have private keys for some of the client
      > certificates. Or the private keys are not ACL'd for the user using it.

      Hi David, thanks for the response. I double checked; all the
      certificates have private keys. How do I check if the keys are
      "ACL'd?" (I'm using the Certificates snap-in within mmc to view the
      certificates)

      Here's an interesting twist ... all the certificates show:

      This certificate is intended for the following purpose(s)
      - Ensures the identity of a remote computer
      - Proves your identity to a remote computer

      And all of the certificates work as server-side certificates, yet some
      do not work as client-side certificates. The ones that do not work
      were issued by a Windows Server 2008 Certificate Authority.


      • Rowland Watkins

        #4
        Re: Client certificate is invalid

        TLS is a bit picky about what certificates are permitted to act as a client.

        There are two Netscape extensions that tell the receiver what the client
        certificate is permitted to do:

        SSL Client
        SSL Server

        Your client certificate must include the SSL Client to be accepted by the
        server. Note this is also the case if a server became a client to another
        server - both extensions must appear in the certificate.

        You can easily create some suitable certificates using something like XCA if
        the Windows Server 2008 CA is being a pain. Although I've never used Windows
        Server 2008 CA, I bet there are options for setting the X509v3 extensions
        (including Netscape). If you find and change these settings, make sure you
        include the Subject Key Identifier extension and that you always use RSA!

        HTH

        Rowland

        "mzarlenga" wrote:
        > On Oct 5, 3:03 am, David Wang <w3.4...@gmail.com> wrote:
        > > > How can I figure out the specific reason why the certificate is
        > > > invalid?
        > >
        > > Perhaps you do not have private keys for some of the client
        > > certificates. Or the private keys are not ACL'd for the user using it.
        >
        > Hi David, thanks for the response. I double checked; all the
        > certificates have private keys. How do I check if the keys are
        > "ACL'd?" (I'm using the Certificates snap-in within mmc to view the
        > certificates)
        >
        > Here's an interesting twist ... all the certificates show:
        >
        > This certificate is intended for the following purpose(s)
        > - Ensures the identity of a remote computer
        > - Proves your identity to a remote computer
        >
        > And all of the certificates work as server-side certificates, yet some
        > do not work as client-side certificates. The ones that do not work
        > were issued by a Windows Server 2008 Certificate Authority.
        >
