Certificate Validation Differences Between HTTPS, SSL over TCP, and SOAP Security
Article
You can use certificates in Windows Communication Foundation (WCF) with message-layer (SOAP) security in addition to transport-layer security (TLS) over HTTP (HTTPS) or TCP. This topic describes differences in the way such certificates are validated.
Validation of HTTPS Client Certificates
When using HTTPS to communicate between a client and a service, the certificate that the client uses to authenticate to the service must support chain trust. That is, it must chain to a trusted root certificate authority. If not, the HTTP layer raises a WebException with the message "The remote server returned an error: (403) Forbidden." WCF surfaces this exception as a MessageSecurityException.
Validation of HTTPS Service Certificates
When using HTTPS to communicate between a client and a service, the certificate that the server authenticates with must support chain trust by default. That is, it must chain to a trusted root certificate authority. No online check is performed to see whether the certificate has been revoked. You can override this behavior by registering a RemoteCertificateValidationCallback callback, as shown in the following code.
ServicePointManager.ServerCertificateValidationCallback +=
new RemoteCertificateValidationCallback(ValidateServerCertificate);
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf ValidateServerCertificate)
where the signature for ValidateServerCertificate is as follows:
Public Shared Function ValidateServerCertificate(ByVal sender As Object, _
ByVal certificate As X509Certificate, _
ByVal chain As X509Chain, _
ByVal sslPolicyErrors As SslPolicyErrors) As Boolean
Implementing ValidateServerCertificate can perform any checks that the client application developer deems necessary to validate the service certificate.
Validation of Client Certificates in SSL over TCP or SOAP Security
With myServiceHost.Credentials.ClientCertificate.Authentication
.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
.RevocationMode = X509RevocationMode.Offline
End With
Validation of Service Certificate in SSL over TCP and SOAP Security
With myClient.ClientCredentials.ServiceCertificate.Authentication
.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust
.RevocationMode = X509RevocationMode.Offline
End With