You can use certificates in Windows Communication Foundation (WCF) with message-layer (SOAP) security in addition to transport-layer security (TLS) over HTTP (HTTPS) or TCP. This topic describes differences in the way such certificates are validated.
When using HTTPS to communicate between a client and a service, the certificate that the client presents to authenticate to the service must support chain trust. That is, it must chain to a certificate authority that the server trusts. If it does not, the server rejects the request and the client's HTTP layer raises a WebException with the message "The remote server returned an error: (403) Forbidden." WCF surfaces this exception to the caller as a MessageSecurityException.
When using HTTPS to communicate between a client and a service, the certificate that the server authenticates with must, by default, support chain trust. That is, it must chain to a trusted root certificate authority. No online check is performed to see whether the certificate has been revoked; on .NET Framework, setting ServicePointManager.CheckCertificateRevocationList to true turns that check on for all HTTPS connections in the process. You can also override the default validation by registering a RemoteCertificateValidationCallback, as shown in the following code.
C#:
ServicePointManager.ServerCertificateValidationCallback +=
    new RemoteCertificateValidationCallback(ValidateServerCertificate);

Visual Basic:
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)

where the signature for ValidateServerCertificate is as follows:

C#:
public static bool ValidateServerCertificate(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)

Visual Basic:
Public Shared Function ValidateServerCertificate(ByVal sender As Object, _
    ByVal certificate As X509Certificate, _
    ByVal chain As X509Chain, _
    ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
The implementation of ValidateServerCertificate can perform any checks that the client application developer deems necessary to validate the service certificate. Returning true accepts the certificate and lets the TLS handshake complete; returning false fails the connection. Because ServicePointManager is static, the callback applies to every HTTPS connection the process opens, so a callback that returns true unconditionally disables server authentication for all of them, not just for the WCF client.
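The following callback is an added example and is not code from the original article. It keeps the default chain and host-name checks, adds the online revocation check that the HTTPS layer skips by default, and pins the service's leaf certificate to an expected thumbprint. The host name `service.example.com` and the thumbprint value are placeholders; `PinnedServerValidation` and `Register` are names chosen for this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the original article): a RemoteCertificateValidationCallback
// that keeps the default chain and host-name checks, adds the online revocation check that
// the HTTPS layer skips by default, and pins the service certificate to an expected thumbprint.
public static class PinnedServerValidation
{
    // Hypothetical values; replace with the real service host and its certificate thumbprint.
    private const string ExpectedHost = "service.example.com";
    private const string ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    public static void Register()
    {
        // ServicePointManager is static: this callback runs for every HTTPS connection
        // the process opens, so it must never weaken the default policy for other hosts.
        ServicePointManager.ServerCertificateValidationCallback +=
            new RemoteCertificateValidationCallback(ValidateServerCertificate);
    }

    public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Anything the default validation flagged (untrusted chain, name mismatch,
        // missing certificate) is a hard failure. Returning true here instead would
        // disable server authentication for the whole process.
        if (sslPolicyErrors != SslPolicyErrors.None || certificate == null)
            return false;

        // On .NET Framework the sender is normally the HttpWebRequest; apply the
        // extra checks only to requests aimed at our service and leave other hosts
        // with the default result computed above.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, ExpectedHost, StringComparison.OrdinalIgnoreCase))
            return true;

        var leaf = new X509Certificate2(certificate);

        // Pin the leaf: chain trust alone would accept any certificate that any trusted
        // CA issues for this host name.
        if (!string.Equals(leaf.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;

        // Rebuild the chain with online revocation checking, which the default HTTPS
        // validation does not perform. Build returns false when any chain element has
        // an error status, including an undeterminable revocation status (fail closed).
        var revocationChain = new X509Chain();
        revocationChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        revocationChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        return revocationChain.Build(leaf);
    }
}
```

Call `PinnedServerValidation.Register()` once at startup, before the first HTTPS call. The order of the checks matters: the `sslPolicyErrors` test runs first so that the callback can never turn a failed default validation into a success, and the pin is applied only to the intended host so the process-wide callback does not change behaviour for unrelated connections.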
When using Secure Sockets Layer (SSL) over TCP or message (SOAP) security, client certificates are validated according to the CertificateValidationMode property of the X509ClientCertificateAuthentication class, which is set to one of the X509CertificateValidationMode values (the default is ChainTrust). Revocation checking is performed according to the RevocationMode property of the same class, which is set to one of the X509RevocationMode values (the default is Online). The following code sets both on the service host.
C#:
myServiceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
    X509CertificateValidationMode.PeerOrChainTrust;
myServiceHost.Credentials.ClientCertificate.Authentication.RevocationMode =
    X509RevocationMode.Offline;

Visual Basic:
With myServiceHost.Credentials.ClientCertificate.Authentication
    .CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
    .RevocationMode = X509RevocationMode.Offline
End With
When using SSL over TCP or (SOAP) message security, service certificates are validated according to the CertificateValidationMode property of the X509ServiceCertificateAuthentication class, which is set to one of the X509CertificateValidationMode values (the default is ChainTrust). Revocation checking is performed according to the RevocationMode property of the same class, which is set to one of the X509RevocationMode values (the default is Online). The following code sets both on the client.
C#:
myClient.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
    X509CertificateValidationMode.PeerOrChainTrust;
myClient.ClientCredentials.ServiceCertificate.Authentication.RevocationMode =
    X509RevocationMode.Offline;

Visual Basic:
With myClient.ClientCredentials.ServiceCertificate.Authentication
    .CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
    .RevocationMode = X509RevocationMode.Offline
End With
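Both the client-certificate settings on the service host and the service-certificate settings on the client accept the same X509CertificateValidationMode values, and one of those values, Custom, hands validation to an X509CertificateValidator you supply through the CustomCertificateValidator property. The following added example (not code from the original article) shows one such validator that performs its own chain build with online revocation checking and additionally requires the chain to end in a specific operator-controlled root, then wires it into both the service-side and client-side authentication settings shown above. The class names `RootPinnedValidator` and `ValidatorWiring` and the thumbprint value are placeholders chosen for this example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example (not code from the original article): a custom X509CertificateValidator
// that builds the chain with online revocation checking and pins the trust anchor.
public class RootPinnedValidator : X509CertificateValidator
{
    private readonly string _expectedRootThumbprint;

    public RootPinnedValidator(string expectedRootThumbprint)
    {
        _expectedRootThumbprint = expectedRootThumbprint;
    }

    // WCF calls Validate for each presented certificate; throwing rejects it.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // NoFlag: no chain status (including an unknown revocation status) is ignored.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(certificate))
        {
            string reasons = string.Join("; ",
                Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException("Certificate chain invalid: " + reasons);
        }

        // The last element of a successfully built chain is the trust anchor. Chain trust
        // alone accepts any root in the machine's store; here only one root is acceptable.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, _expectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Certificate chains to an unexpected root: " + root.Subject);
    }
}

public static class ValidatorWiring
{
    // Hypothetical thumbprint of the root CA the deployment trusts; replace with your own.
    private const string TrustedRootThumbprint = "89ABCDEF0123456789ABCDEF0123456789ABCDEF";

    // Service side: how the service validates the certificates clients present.
    public static void ConfigureService(ServiceHost myServiceHost)
    {
        X509ClientCertificateAuthentication auth =
            myServiceHost.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        // In Custom mode the validator is responsible for every check, including
        // revocation, which is why RootPinnedValidator performs one itself.
        auth.CustomCertificateValidator = new RootPinnedValidator(TrustedRootThumbprint);
    }

    // Client side: how the client validates the certificate the service presents.
    public static void ConfigureClient<TChannel>(ClientBase<TChannel> myClient) where TChannel : class
    {
        X509ServiceCertificateAuthentication auth =
            myClient.ClientCredentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new RootPinnedValidator(TrustedRootThumbprint);
    }
}
```

Call `ValidatorWiring.ConfigureService` before opening the ServiceHost and `ValidatorWiring.ConfigureClient` before the client proxy is opened or first used; credential settings cannot be changed once the channel factory is open. Pinning the root rather than the leaf lets the service or client rotate its end-entity certificate under the same CA without redeploying the peer, while still excluding every other root present in the Windows certificate store.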