Colleagues,
When I try to use X509 certificate with public key in .cer file, I’m getting the following exception:
{“The certificate ‘CN=name’ must have a private key. The process must have access rights for the private key.”}
Here is the client code that I’m using to set the certificate. Notice that it’s file-based.
var cert = new X509Certificate2(@"C:\mycert.cer");
credentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
credentials.ClientCertificate.Certificate = cert;
Host code:
namespace Host
{
class Program
{
static void Main(string[] args)
{
using (ServiceHost host = new ServiceHost(typeof(HelloIndigo.HelloIndigoService),
new Uri("http://localhost:8000/HelloIndigo")))
{
host.Open();
Console.WriteLine("Service is listening...");
Console.WriteLine();
Console.WriteLine("Number of base addresses: {0}", host.BaseAddresses.Count);
foreach (Uri uri in host.BaseAddresses)
{
Console.WriteLine("\t{0}", uri.ToString());
}
Console.WriteLine();
Console.WriteLine("Number of dispatchers (listeners): {0}", host.ChannelDispatchers.Count);
foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
{
Console.WriteLine("\t{0}, {1}", dispatcher.Listener.Uri.ToString(), dispatcher.BindingName);
}
Console.WriteLine();
Console.WriteLine("Press <ENTER> to terminate the host application");
Console.ReadLine();
}
}
}
}
Host App.config:
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<services>
<service name="HelloIndigo.HelloIndigoService" behaviorConfiguration="serviceBehavior">
<endpoint contract="HelloIndigo.IHelloIndigoService" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"/>
<endpoint contract="IMetadataExchange" binding="wsHttpBinding" bindingConfiguration="mexBinding" address="mex"/> <!-- -->
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="mexBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
<binding name="wsHttpBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
</clientCertificate>
<serviceCertificate findValue="name" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<diagnostics performanceCounters="ServiceOnly" wmiProviderEnabled="true">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="100000"/>
</diagnostics>
</system.serviceModel>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>
The only way I got it working was to generate certificate in pfx with public/private key and password, but I think it’s not secure to have password around on the client all the time. Is there any way to use only public key to authenticate client against the service?
Answer to my question is that to guarantee the security of the private key, which is obviously the topmost issue here with using file-based client certificate would require it to be imported into store first, and then using it from the store by finding via API.