Tags: .net, wcf, soap, x509, pki

How do I generate a CSR for WCF application?


I have an application using a WCF SOAP Service with a message credential of type Certificate. I generated development grade certificates to use during my development/testing with makecert, and I'm now ready to promote my code to the next environment. To do this, I'd like to get production grade certificates in place.

After working with one of our systems reps, I'm able to get a PFX file for the client certificate. This is the OpenSSL config that generated the cert:

    [req] # openssl req params
    prompt = no
    distinguished_name = MyName.Client
    req_extensions = v3_req   # X.509 extensions go in their own section, not in the DN section

    [MyName.Client]           # subject DN fields only; anything else here makes "openssl req" fail
    C = US
    ST = New York
    O = MyCompany
    OU = MyUnit
    CN = MyName

    [v3_req]
    basicConstraints = critical,CA:FALSE
    subjectKeyIdentifier = hash
    # authorityKeyIdentifier = keyid:always belongs to the issuing CA's signing profile; a CSR has no issuer to point at

We used Microsoft Certificate Services on one of our servers (I'm not too familiar with it) to generate a MyName.Client.cer and MyName.Client.key file. We have a root authority cert as well named MyCA.cer. We then used OpenSSL to generate MyName.pfx from MyName.key, MyName.Client.cer, and MyCA.cer. I installed MyName.Client.pfx, MyCA.cer and MyCA.crl, and get the following exception from the Service Trace file:

The X.509 certificate CN=MyName.Client, OU=MyUnit, O=MyCompany, S=New York, C=US chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

So I'm stuck. I'm a rookie with certificates, and thought that this would be straightforward. We intend to use GeoTrust certificates on our final environment. We do a lot of business with them. I'm trying to figure out what to tell our systems guys to do to get certificates from GeoTrust for my application. It seems to me that since my application works with the dev certs that I should be able to install them, then just change my configuration to look up the new certs. Am I wrong?

Thanks in advance for any help.


Solution

  • So I found the issue, and a workaround (for now). According to the error, the revocation list was not accessible, so I added this to the server web.config:

    <!-- under <serviceCredentials><clientCertificate> -->
    <authentication revocationMode="NoCheck" />

    Seemed to do the trick!
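Added example, not code from the question, the answer, or any Microsoft or OpenSSL tool: the same flow in Go's standard library (Go 1.21 or later assumed), with a CSR carrying the poster's [MyName.Client] subject, a throwaway CA that issues the client cert and a CRL, and the check WCF performs split into chain trust and CRL lookup so the two complaints in the trace can be told apart. The CA, keys, serial numbers and CRL distribution point URL are constructed placeholders.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// BuildPKI is a constructed stand-in for the poster's PKI (no real keys): root CA, client cert (serial 1001) from a CSR with the [MyName.Client] subject, and a CA-signed CRL.
func BuildPKI(revoked ...x509.RevocationListEntry) (root, client *x509.Certificate, crlDER []byte) {
	caKey, clientKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MyCA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{
		Country: []string{"US"}, Province: []string{"New York"}, Organization: []string{"MyCompany"}, OrganizationalUnit: []string{"MyUnit"},
		CommonName: "MyName.Client"}}, clientKey)))) // client side: only the CSR (subject + public key) travels, the private key stays
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: csr.Subject, BasicConstraintsValid: true, // CA:FALSE
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, CRLDistributionPoints: []string{"http://pki.example.invalid/MyCA.crl"}} // CA picks the extensions; CDP URL is a placeholder
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, root, csr.PublicKey, caKey))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificateEntries: revoked}
	return root, client, must(x509.CreateRevocationList(rand.Reader, crl, root, caKey))
}
// CheckClient splits the trace's "chain building" into its two steps (trust chain, then CRL status); a nil crlDER models "revocation server offline".
func CheckClient(root, client *x509.Certificate, crlDER []byte) (chainOK, revoked bool, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err = client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false, false, err // untrusted or expired chain: no amount of revocation tuning fixes this
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return true, false, err // chain trusted but status unknown: Windows fails closed here, NoCheck skips the step
	}
	if err = crl.CheckSignatureFrom(root); err != nil { // a CRL the CA did not sign is no better than no CRL
		return true, false, err
	}
	revoked = slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(client.SerialNumber) == 0 })
	return true, revoked, nil
}
```

revocationMode="NoCheck" removes the second step entirely; the trace says the CRL at the certificate's distribution point could not be reached, which Windows reports as a failed chain. If MyCA.crl is installed in the local store, X509RevocationMode.Offline keeps the revocation check while using that cached CRL instead of fetching it.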