Tags: c#, wcf, x509certificate, wcf-binding, wcf-security

WCF Exposing service with http and https using BasicHttpBinding Certificate still says NotSecure in browser


I am exposing a single WCF service with two endpoints, both on BasicHttpBinding: one for http and one for secure (SSL). I am successful in achieving that using the configuration below.

In IIS, I also configured the default development certificate in the site SSL, clicked "Require SSL" and clicked Ignore/Accept, which is fine.

My Issue:

When I use the https call in the browser, I see the "Not Secure" warning; you click to proceed and it is in red but with https. When I click on the Not Secure button, I see that the certificate is invalid. Is there anything I need to do in the browser, or should the certificate config below in the server behavior go to the endpoint behavior?


<services>
  <service behaviorConfiguration="myServiceBehavior" name="MyService">
    <!-- Plain HTTP endpoint: default basicHttpBinding, no transport security -->
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="" contract="IInvoiceService"/>
    <!-- HTTPS endpoint: uses myBinding (Transport security) -->
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="myBinding" contract="IInvoiceService"/>
  </service>
</services>

<bindings>
  <basicHttpBinding>
    <binding name="myBinding">
      <security mode="Transport">
        <!-- Clients must present an X.509 certificate -->
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="graph">
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="myServiceBehavior">
      <serviceCredentials>
        <!-- Certificate looked up by subject name in LocalMachine\My -->
        <serviceCertificate findValue="localhost" storeLocation="LocalMachine"
                            storeName="My" x509FindType="FindBySubjectName"/>
        <userNameAuthentication userNamePasswordValidationMode="Windows"/>
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

Solution

  • Add the certificate to the Trusted People store for the local machine (on whichever client is accessing the service). Once it is installed in the Trusted People store, double-click it to see if there are any other errors.

    <serviceCertificate>: Use this element to specify an X.509 certificate that will be used to authenticate the service to clients using Message security mode. If you are using a certificate that will be periodically renewed, then its thumbprint will change. In that case, use the subject name as the x509FindType because the certificate can be reissued with the same subject name.
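To see the "other errors" the answer refers to without opening the certificate dialog, the following added example (not part of the original answer) looks up the certificate the same way the question's `<serviceCertificate>` element does and prints the chain status Windows reports for it. It assumes .NET Framework 4.6 or later and the subject name `localhost` from the question's config; the class name `CertTrustCheck` is made up for this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example: reports why Windows does or does not trust
// the certificate selected by FindBySubjectName in LocalMachine\My.
class CertTrustCheck
{
    static void Main(string[] args)
    {
        // Assumption: subject name "localhost", as in the question's config.
        string subject = args.Length > 0 ? args[0] : "localhost";

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so expired or untrusted certificates are still listed.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);

            if (found.Count == 0)
            {
                Console.WriteLine("No certificate with subject name '{0}' in LocalMachine\\My", subject);
                return;
            }

            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("Subject:     {0}", cert.Subject);
                Console.WriteLine("Issuer:      {0}", cert.Issuer);
                Console.WriteLine("Thumbprint:  {0}", cert.Thumbprint);
                Console.WriteLine("Valid:       {0:u} to {1:u}", cert.NotBefore, cert.NotAfter);
                Console.WriteLine("Self-signed: {0}", cert.Subject == cert.Issuer);

                using (var chain = new X509Chain())
                {
                    // A development certificate has no revocation endpoint to query.
                    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                    bool trusted = chain.Build(cert);
                    Console.WriteLine("Chain trusted: {0}", trusted);
                    foreach (X509ChainStatus status in chain.ChainStatus)
                        Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation.Trim());
                }
                Console.WriteLine();
            }
        }
    }
}
```

A status of `UntrustedRoot` means the certificate does not chain to a root this machine trusts; `NotTimeValid` means it is expired or not yet valid. If several certificates match the subject name, each is listed with its own thumbprint and status.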