WCF Exposing service with http and https using BasicHttpBinding Certificate still says NotSecure in browser



























I am exposing a single WCF service with two endpoints, both on BasicHttpBinding: one for HTTP and one for secure (SSL). I am successful in achieving that using the configuration below.

In IIS, I also configured the default development certificate in the site's SSL settings, clicked "Require SSL", and clicked Ignore/Accept, which is fine.

My issue:

When I use the https call in the browser, I see the "Not Secure" warning; I can click to proceed, and the address is shown in red but with https. When I click on the Not Secure button, I see that the certificate is invalid. Is there anything I need to do in the browser, or should the certificate config below, in the service behavior, go to the endpoint behavior?






<services>
  <service behaviorConfiguration="myServiceBehavior" name="MyService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="" contract="IInvoiceService"/>
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="myBinding" contract="IInvoiceService"/>
  </service>
</services>
<bindings>
  <basicHttpBinding>
    <binding name="myBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="graph">
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="myServiceBehavior">
      <serviceCredentials>
        <serviceCertificate findValue="localhost" storeLocation="LocalMachine"
                            storeName="My" x509FindType="FindBySubjectName" />
        <userNameAuthentication userNamePasswordValidationMode="Windows" />
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>









      c# wcf x509certificate wcf-binding wcf-security














      asked Jan 2 at 0:50 by Learner (edited Jan 2 at 1:05)
























          1 Answer














          Add the certificate to the Trusted People (on whichever client is accessing the service) store for the local machine. Once it is installed in the Trusted People store, double-click it to see if there are any other errors.

          <serviceCertificate>
          Use this element to specify an X.509 certificate that will be used to authenticate the service to clients using Message security mode. If you are using a certificate that will be periodically renewed, then its thumbprint will change. In that case, use the subject name as the x509FindType because the certificate can be reissued with the same subject name.
































          • Hi, thank you, it worked magically. But I have a few queries for my learning. I couldn't see "Trusted People" in Google Chrome to view the imported certificate. Why? I could only see Trusted Publisher, Untrusted Publisher, etc. Also, how in general would all clients use or import this certificate? Practically speaking. I have never done these certificates, please excuse the silly questions.

            – Learner
            Jan 2 at 3:26

          • Also, one other thing I just observed: I removed the following code from the config file and it still works. How? Is it not required? <serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" /> <userNameAuthentication userNamePasswordValidationMode="Windows" /> </serviceCredentials>

            – Learner
            Jan 2 at 3:28

          • @Learner I will try to answer what I can. In order to see your certificate stores you really need to use MMC with the certificate snap-in; Chrome or IE may not place the cert correctly (just my experience). Regarding the service behavior, since you are specifying <transport clientCredentialType="Certificate"/> and not <message clientCredentialType="Certificate" />, it is not using that information. serviceCertificate is for message credentials specified in the binding, in which case the client will have to pass the certificate in the request, and you would need to validate that it is correct.

            – Popo
            Jan 2 at 4:37

          • Thank you. I also found a link or reason for the hostname or IP error; I am convinced by the explanation there. stackoverflow.com/questions/34264559/…

            – Learner
            Jan 2 at 4:48

          • Thanks, I think it's the certificate naming issue (domain or subject name or CN)... but I couldn't create one that works successfully... anyway, it's all great help and learning from you on the red error part on localhost.

            – Learner
            Jan 2 at 4:50











          answered Jan 2 at 2:37 by Popo (edited Jan 2 at 4:37)
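
A read-only PowerShell check for the two causes this thread ends on, a certificate the machine does not trust and a certificate that does not name the host in the URL. It is an added example, not part of the original posts. It assumes the site certificate is the one in LocalMachine\My whose CN equals the host typed into the browser; `$HostName` and the helper function names are hypothetical.

```powershell
# Added example: report why a browser may flag the HTTPS certificate.
# Nothing is changed on the machine; the script only reads certificate stores.
param([string]$HostName = 'localhost')   # assumption: host part of the HTTPS URL

function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format() renders entries as "<label>=<value>"; the label text is localized,
    # so only the value after '=' is kept (DNS names and IP addresses alike).
    [regex]::Matches($san.Format($false), '=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-NameMatch {
    param([string]$Pattern, [string]$Name)
    if ($Pattern -eq $Name) { return $true }        # -eq ignores case
    if ($Pattern.StartsWith('*.')) {
        # A leading "*." stands for exactly one left-most label.
        $suffix = $Pattern.Substring(1)
        if ($Name.Length -le $suffix.Length) { return $false }
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label -notmatch '\.')
    }
    return $false
}

function Test-InStore {
    param([string]$Store, [string]$Thumbprint)
    Test-Path -Path "Cert:\LocalMachine\$Store\$Thumbprint"
}

# Newest certificate in LocalMachine\My (the store the question's config names)
# whose subject CN is exactly the host name.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($HostName))(,|`$)" } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$HostName in LocalMachine\My" }

# Verdict of .NET's chain builder for the current user. Revocation is skipped
# because a development certificate publishes no revocation endpoint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)

$sanNames = @(Get-SanNames -Cert $cert)
$now = Get-Date

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    Subject         = $cert.Subject
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    WithinValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    SanNames        = ($sanNames -join ', ')
    # Current browsers match the host against SAN entries, not the CN.
    NameMatchesSan  = [bool]($sanNames |
                          Where-Object { Test-NameMatch -Pattern $_ -Name $HostName })
    InTrustedPeople = (Test-InStore -Store 'TrustedPeople' -Thumbprint $cert.Thumbprint)
    InTrustedRoot   = (Test-InStore -Store 'Root' -Thumbprint $cert.Thumbprint)
    ChainBuilds     = $chainOk
    ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
} | Format-List
```

`NameMatchesSan` false points at the naming issue from the last comments; `InTrustedPeople` and `InTrustedRoot` both false point at the trust issue the answer addresses.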












