Problem:
I am unable to connect to a TLS-enabled web service endpoint using C#.NET on Windows 7.
Fiddler request and response are:
Request:
CONNECT myendpoint:9443 HTTP/1.1
Host: myendpoint:9443
Proxy-Connection: Keep-Alive
and here's the response:
HTTP/1.1 502 Connection failed
Connection: close
Timestamp: 18:54:29.909
HTTPS connection failed.
System.Net.Sockets.SocketException:
No connection could be made because the target machine actively refused it :9443
at Fiddler.ServerChatter.CreateConnectedSocket(IPAddress[] arrDestIPs, Int32 iPort, Session _oSession)
at Fiddler.Session._handleHTTPSConnect()
My client is a .NET desktop/console application. I am not confident that I have done the client-side TLS/certificate setup/configuration correctly. Also I have a few unanswered questions.
I have done the following:
I have a "TLS enabled" endpoint of an internet web service. In order to communicate properly, I have been provided 4 things:
1) ca.cert.pem : The public certificate from the CA
2) myname.cert.pem : My public certificate
3) myname.key.pem : My private key
4) A password : “mypassword”
I have also been given the certificate request (.csr) and the parameters used to generate my certificate.
After reading up on TLS-related stuff I figured this is what I need to do:
step 1) Use OpenSSL to convert the ca.cert.pem to a .cer file and add/import it to Local Computer's "Trusted Root Certificate Authorities" so that the CA is trusted from now on.
step 2) Combine myname.cert.pem and myname.key.pem into a .pkcs12 by doing
"openssl pkcs12 -export -out keystore.pkcs12 -in myname.cert.pem -inkey myname.key.pem". This asks for a password, where I use "mypassword".
step 3) Add the keystore.pkcs12 to the "Personal" certificates (here it asks for a password and I give "mypassword").
The thumbprint of the certificate added in step 3 is "fef4ab753a11a30a6c4342e63e00f237ef0818c1".
Now, here are the app.config changes that I have made:
<bindings>
  <wsHttpBinding>
    <binding name="My_HTTPS_Endpoint_Binding" closeTimeout="00:01:00"
             openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
             bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
             maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text"
             textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                    maxBytesPerRead="4096" maxNameTableCharCount="2147483647" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00"
                       enabled="false" />
      <security mode="Transport">
        <transport clientCredentialType="Certificate" proxyCredentialType="None"
                   realm="" />
        <!-- With mode="Transport" only the <transport> element applies; the <message> settings below are ignored. -->
        <message clientCredentialType="Windows" negotiateServiceCredential="true"
                 establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="https://myendpoint:9443/myService"
            binding="wsHttpBinding" bindingConfiguration="My_HTTPS_Endpoint_Binding"
            contract="MyNs.myClass" name="My_HTTPS_Endpoint" behaviorConfiguration="clientBehaviour" />
</client>
<behaviors>
  <endpointBehaviors>
    <behavior name="clientBehaviour">
      <clientCredentials>
        <clientCertificate findValue="fef4ab753a11a30a6c4342e63e00f237ef0818c1"
                           storeLocation="LocalMachine"
                           storeName="My"
                           x509FindType="FindByThumbprint" />
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
So does it seem I have missed any crucial step? I have some knowledge gaps:
1) My understanding is that the public and private key combination I have is only useful for communication from server to client. How does the client-to-server message encryption work? Where does my client get the public key from the server, which needs to be used for message encryption?
2) Is the password required to be provided in the config somewhere? Just guessing...
The issue turned out to be that the destination port configuration was buggy, and they have fixed it now. The port was unreachable.
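As an added diagnostic (not part of the original post), the following C# console program does by hand what the app.config above asks WCF to do: it finds the certificate by thumbprint in LocalMachine\My, checks that the private key from step 2 actually came along, probes the raw TCP port to separate the "actively refused" case Fiddler reported from a TLS-level failure, and then attempts a mutual TLS handshake, printing the server certificate that carries the server's public key asked about in question 1. The host, port and thumbprint are the values from the post; on another machine substitute your own.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
static class ClientTlsDiagnostics
{
    // Same lookup the <clientCertificate> element performs: LocalMachine / My / FindByThumbprint.
    public static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 0 ? null : found[0];
        }
        finally { store.Close(); }
    }
    // Separates "port unreachable" (this post's root cause) from a certificate/TLS failure.
    public static string Diagnose(string host, int port, X509Certificate2 clientCert)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))   // SocketException here == "actively refused"
            using (var ssl = new SslStream(tcp.GetStream(), false, (sender, serverCert, chain, errors) =>
            {
                // Question 1: the server's public key arrives inside this certificate during the handshake;
                // it must chain to the CA imported in step 1, otherwise 'errors' is not None.
                Console.WriteLine("Server presented: " + serverCert.Subject + " (" + errors + ")");
                return errors == SslPolicyErrors.None;   // never return true unconditionally
            }))
            {
                ssl.AuthenticateAsClient(host, new X509CertificateCollection { clientCert }, SslProtocols.Tls12, false);
                return "TLS ok, mutually authenticated: " + ssl.IsMutuallyAuthenticated;
            }
        }
        catch (SocketException ex) { return "TCP failed: " + ex.SocketErrorCode; }
        catch (AuthenticationException ex) { return "TLS failed: " + ex.Message; }
    }
    static void Main()
    {
        var cert = FindClientCertificate("fef4ab753a11a30a6c4342e63e00f237ef0818c1");
        if (cert == null) { Console.WriteLine("Certificate not found in LocalMachine\\My"); return; }
        // False means the .pkcs12 import did not bring the key; the process also needs read access to it.
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        Console.WriteLine(Diagnose("myendpoint", 9443, cert));
    }
}
```

A "TCP failed: ConnectionRefused" line is the same condition Fiddler showed and means no certificate setting can be at fault yet; "TLS failed" with a non-None policy error points at the CA import from step 1 instead.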