
WCF Error: SecurityTokenValidationException "The X.509 certificate CN=XXX chain building failed..."


I'm having the following error:

System.IdentityModel.Tokens.SecurityTokenValidationException

The X.509 certificate CN=RootCA chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust.

The certificate I'm using is the one that you can create following this tutorial: How to: Create Temporary Certificates for Use During Development specifically the "RootCA" certificate. I have genuinely no idea how to solve it. The things I have already tried:

  1. Setting certificateValidationMode to "None", setting revocationMode to "NoCheck"
  2. Creating a certificate that has as "parent" the certificate I'm using right now and trying with it (as in the example there is in the previous link)
  3. Importing the certificate to Trusted People and Entrusted Root folders
  4. Setting storeName to "TrustedPeople" in the "serviceCertificate" node and trustedStoreLocation to "LocalMachine" in the "authentication" node (along with point 3)
  5. Using CurrentUser as storeLocation

My current code is (I need to hide the name of my files for privacy):

Client

<bindings>
    <basicHttpBinding>
        <binding name="basicHttpEndpointBinding">
            <security mode="Message">
                <message clientCredentialType="Certificate"/>
            </security>
        </binding>
    </basicHttpBinding>
</bindings>
<client>
    <endpoint address="http://localhost:51845/XXXXX.svc" behaviorConfiguration="BCertificado"
        binding="basicHttpBinding" bindingConfiguration="basicHttpEndpointBinding"
        contract="XXXXXF1Service.IXXXXXF1Service" name="basicHttpEndpoint">
        <identity>
            <certificate encodedValue="Huge string" />
        </identity>
    </endpoint>
</client>
<behaviors>
    <endpointBehaviors>
        <behavior name="BCertificado">
            <clientCredentials>
                <clientCertificate findValue="RootCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            </clientCredentials>
        </behavior>
    </endpointBehaviors>
</behaviors>

Server

<bindings>
    <basicHttpBinding>
        <binding name="basicHttpEndpointBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:01:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
            <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
            <security mode="Message">
                <message clientCredentialType="Certificate"/>
            </security>
        </binding>
    </basicHttpBinding>
</bindings>
<services>
    <service behaviorConfiguration="ServiceBehavior" name="service1">
        <endpoint address="XXXXXServices" binding="basicHttpBinding" bindingConfiguration="basicHttpEndpointBinding"
            name="basicHttpEndpoint" contract="IXXXXF1Service" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
</services>
<behaviors>
    <serviceBehaviors>
        <behavior>
            <!-- To avoid disclosing metadata information, set the following values to false before deployment -->
            <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false"/>
            <!-- To receive exception details in faults for debugging, set the following value to true. To avoid disclosing exception information, set it to false before deployment -->
            <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
        <behavior name="ServiceBehavior">
            <serviceDebug includeExceptionDetailInFaults="true"/>
            <serviceCredentials>
                <serviceCertificate findValue="RootCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"/>
                <clientCertificate>
                    <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
                </clientCertificate>
            </serviceCredentials>
        </behavior>
    </serviceBehaviors>
</behaviors>
<protocolMapping>
    <add binding="basicHttpBinding" scheme="http" />
</protocolMapping>

Any other advice related to those files is also appreciated since I don't know what I'm doing, to be honest. Thank you so much in advance.


Solution

  • Try adding the endpoint behavior in your client application and set the behavior configuration you added in the endpoint.

    <behaviors>
        <endpointBehaviors>
            <behavior name="BCertificado">
                <clientCredentials>
                    <serviceCertificate>
                        <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
                    </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
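Added example, not part of the question or the answer: the same client-side serviceCertificate authentication setting expressed in code, next to a chain check that prints the X509ChainStatus behind the "chain building failed" message so you can see which link is failing (UntrustedRoot for a self-signed dev root). It assumes the endpoint name basicHttpEndpoint and the redacted contract IXXXXXF1Service from the client config in the question, and it uses PeerTrust instead of None, which only requires the RootCA certificate to sit in the TrustedPeople store (point 3 of the question) rather than turning validation off.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example; IXXXXXF1Service and "basicHttpEndpoint" are the (redacted)
// names taken from the client config in the question, "RootCA" is the dev cert.
static class WcfCertDiagnostics
{
    // Re-run the chain build WCF performs under ChainTrust and print every
    // status flag, e.g. "UntrustedRoot: A certificate chain processed, but
    // terminated in a root certificate which is not trusted ...".
    public static X509ChainStatusFlags CheckChain(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        try
        {
            chain.Build(cert);
            var flags = X509ChainStatusFlags.NoError;
            foreach (var status in chain.ChainStatus)
            {
                Console.WriteLine($"{status.Status}: {status.StatusInformation}");
                flags |= status.Status;
            }
            return flags; // NoError means ChainTrust would have accepted it
        }
        finally
        {
            chain.Reset();
        }
    }

    // Code equivalent of the client endpoint behavior from the answer, with
    // PeerTrust (explicit trust via the TrustedPeople store) in place of None.
    public static ChannelFactory<IXXXXXF1Service> CreateFactory()
    {
        var factory = new ChannelFactory<IXXXXXF1Service>("basicHttpEndpoint");
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "RootCA");
        return factory;
    }
}
```

Call CheckChain with the certificate loaded from the store to confirm what the chain engine reports before changing any validation mode; if it prints only UntrustedRoot, PeerTrust with the certificate in TrustedPeople is enough for development.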