Consume Webservice in VS2010 using x.509 authentication - wcf

Google and stackoverflow seem to be silent on how to do this. I must be missing something but how do you get VS2010 to allow you to add an x.509 certificate and password to authenticate an SSL service reference so that you can add it to your project?
I am trying to connect to a webservice with an address similar to:
https://services.acme.com/abc/service.wsdl
It requires the x.509 cert and password to retrieve the wsdl. This is easy to do in SoapUI, but I can't seem to decipher how to get this going in VS2010.

Okay, so for anyone else who may not know how certificates work in the Microsoft world, VS2010 uses whatever certs you have imported on your machine to try and authenticate. You have to go into IE>Internet Options>Content>Certificates and then import your certificate here. After that, VS2010 will automatically look there for a cert which matches the URL you are using for your wsdl.

Related

Is it possible to run an IIS Express instance with a recognised SSL certificate?

I'm having an issue with my development where I am trying to implement OAuth authentication in my app. In order to get this to work I have to set up my .net core app to run with SSL certificates. These certificates are generated automatically and trusted, so far so good.
The issue arises where I try to use a phone client on these sites. Obviously the device doesn't have the certificate installed, and installing the certificate on the device makes little difference (the certificate provided by the dotnet tool doesn't have a CA attribute or something? So I can't physically trust the certificate on an iOS device).
From where I'm standing, it would make more sense to just use a Let's Encrypt SSL certificate on IIS Express, have the certificate provided by a recognised authority, but it seems that I can't do that for localhost. I think this is because the Let's Encrypt ACME bot can't connect to my local development instance which makes sense.
Is there any way to have a recognised development certificate (when I say recognised, I mean something like Let's Encrypt) in use for IIS express or local development? Or do I have to use a self signed certificate and find some way to install them on my testing devices?
Thanks.
I think you need 2 steps to achieve it.
Configure your IIS Express to use a custom domain name rather than localhost. This custom domain name is the one that you have SSL certificate for. Check here for how to do it.
Bind the Let's Encrypt certificate to IIS Express. This blog post uses a self signed cert, but in theory it should also work for Let's Encrypt cert.

How to install or use a certificate without a request

We receive a SHA-2 certificate from a vendor to use on our site when making requests to them. This is unlike anything I have done before. Typically in IIS we would create the request, receive the certs and install.
In this scenario we were just handed one for requests to them. Anyone know how or what is supposed to be done with them?
Did use MMC and installed the cert that way, but not sure how or if that is to link to website.
It's only for server side certificates that you use the IIS management console. It sounds like this is a client certificate used to identify your app to someone else.
It is up to the language you are using to call the webservice to determine where the certificate should be placed. If you are using C# then there are lots of questions that talk about using client certificates. I would imagine that most languages would let you reference the certificate file directly.
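As an added example (not code from any of the posts above), this C# sketch shows the client-certificate path the answer describes, using the per-user store that the first answer on this page says VS2010 reads: it finds a certificate in CurrentUser\My, checks that it carries a private key, and attaches it to an HTTPS request. It assumes .NET Framework 4.7.2 or later; the self-signed certificate, its subject name and the PFX password are constructed for the demo, and the URL is the placeholder address from the first question.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertFromStore
{
    // Find a client certificate in CurrentUser\My ("Personal" in the IE certificate dialog).
    static X509Certificate2 FindInUserStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly is false only because the constructed sample is self-signed.
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0) throw new InvalidOperationException("Not in CurrentUser\\My: " + thumbprint);
            if (!hits[0].HasPrivateKey) throw new InvalidOperationException("No private key: cannot authenticate.");
            return hits[0];
        }
        finally { store.Close(); }
    }
    // Build a request that offers the certificate when the server asks for one in the TLS handshake.
    static HttpWebRequest BuildRequest(string url, X509Certificate2 clientCert)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(clientCert);
        return request;
    }
    static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate stands in for the vendor-issued one.
        using (RSA rsa = RSA.Create(2048))
        using (var temp = new CertificateRequest("CN=constructed-client", rsa, HashAlgorithmName.SHA256,
                   RSASignaturePadding.Pkcs1).CreateSelfSigned(DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1)))
        {
            // Round-trip through PFX bytes so the key is persisted with the store entry, as a file import does.
            var imported = new X509Certificate2(temp.Export(X509ContentType.Pfx, "constructed"), "constructed",
                X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet);
            var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadWrite);
            try
            {
                store.Add(imported);
                var request = BuildRequest("https://services.acme.com/abc/service.wsdl", FindInUserStore(imported.Thumbprint));
                Console.WriteLine("Offering {0} to {1}", request.ClientCertificates[0].Subject, request.RequestUri);
            }
            finally { store.Remove(imported); store.Close(); } // take the sample entry out of the store again
        }
    }
}
```

Nothing is sent over the network here; calling `request.GetResponse()` is the step that would perform the handshake against a real endpoint. With a vendor-issued certificate, pass `true` for `validOnly` so that expired or untrusted certificates are not selected.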

WCF - x509 Certificate from Smart Card - 'Cannot Verify Signature'

I have a WCF service running on IIS6 which is configured with a WSHTTPBinding using the "Transport with Message Credentials" security setting (with the transport client credentials set to 'None' and the Message set to 'Certificate'). This is being consumed by a .NET client that was created through the auto generated code by consuming a service in VS 2010.
In my development environment, I created a certificate to act as both the service cert and the IIS SSL certificate, and since I was lazy, I exported the certificate for use with my client application. Everything works great in that configuration, but that is not the target environment. The idea is to have users utilize their smart cards to access this service. The server will not be on the same domain and LDAP is not allowed, for now.
The problem is that now I got this in a test lab and set up an environment where the SSL certificate was issued by the same CA as the user's certs, and I have created a custom x509 Cert validator and service credentials, but after the initial call to my validator, something is happening in between the hand off and kicks out an error on the service trace log saying, "Error verifying message security" with an inner exception of "Cannot verify the signature". Since it is coming through my custom validator and I got the message logging up, everything looks fine on the SOAP side and I am getting the certificate through on the other side. I have made sure that every cert that I am trying to use is in the "Trusted Users" store and even tried exporting the certs and putting them in the local computer "Personal" store, with no luck.
I have a feeling that I do not fully understand the use of the service certificate and the client certificate in the web.config file. Can someone please help me out here?
Ok so I have managed to answer my own question with some help from my coworker. After we sat down together and started to run a bunch of questions by me and doing some random google searches, we decided to change something in the configuration that surprised me.
So to finish my question up top, I had the message credentials set to "Certificate" with the encryption algorithm suite set to "TripleDesSha256Rsa15". Turns out that the certificates on the smart card, or the card itself, would only support Sha1 (which was not an option with everything else). When we changed the setting to "Basic256", everything started working. I eventually was able to set it to "TripleDesRsa15" and it continued to work.
Basically, WCF sends the certificate up without a private key, because it cannot access it with that encryption algorithm. WCF DOES NOT throw an exception with this when trying to access the certificate, it will only throw it on the server side with the exception "Could not Verify Signature". Kind of wish it would say "There was no signature" because that would have been a bit easier to track down. I don't know if anyone will ever find this useful, but if you do and can find a reference to the "Proper" way of using Smart Cards with WCF, please post it with a ref.
Overall, check your encryption algorithm that you are trying to use, and make sure it works with the smart cards/certificates that you plan on using.
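The check recommended above can be run on the client before any call is made. This added example (not the poster's code) reads the signature algorithm each of the three suites named in the answer asks for and test-signs with the certificate's private key, then sets the first usable suite on the binding. It assumes .NET Framework 4.7.2 or later with a reference to System.ServiceModel, and that a key provider which cannot sign with a given hash throws CryptographicException; the certificate is a constructed software-key stand-in for the smart-card certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

static class SuitePreflight
{
    // Hash used by the suite's asymmetric (certificate) signature, read from its algorithm URI.
    static HashAlgorithmName HashFor(SecurityAlgorithmSuite suite)
    {
        return suite.DefaultAsymmetricSignatureAlgorithm.EndsWith("rsa-sha256", StringComparison.Ordinal)
            ? HashAlgorithmName.SHA256 : HashAlgorithmName.SHA1;
    }
    // True when the certificate's private key can produce the signature the suite calls for.
    static bool CanSign(X509Certificate2 cert, SecurityAlgorithmSuite suite)
    {
        if (!cert.HasPrivateKey) return false;
        try
        {
            using (RSA key = cert.GetRSAPrivateKey())
            {
                if (key == null) return false; // not an RSA key
                key.SignData(new byte[] { 1, 2, 3 }, HashFor(suite), RSASignaturePadding.Pkcs1);
                return true;
            }
        }
        catch (CryptographicException) { return false; } // assumption: provider throws on an unsupported hash
    }
    static void Main()
    {
        string[] names = { "TripleDesSha256Rsa15", "Basic256", "TripleDesRsa15" };
        SecurityAlgorithmSuite[] suites = { SecurityAlgorithmSuite.TripleDesSha256Rsa15,
            SecurityAlgorithmSuite.Basic256, SecurityAlgorithmSuite.TripleDesRsa15 };
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        bool chosen = false;
        // Constructed software-key certificate; load the smart-card certificate here to test a real card.
        using (RSA rsa = RSA.Create(2048))
        using (var cert = new CertificateRequest("CN=constructed-client", rsa, HashAlgorithmName.SHA256,
                   RSASignaturePadding.Pkcs1).CreateSelfSigned(DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1)))
        {
            for (int i = 0; i < suites.Length; i++)
            {
                bool ok = CanSign(cert, suites[i]);
                Console.WriteLine("{0}: {1} -> {2}", names[i], suites[i].DefaultAsymmetricSignatureAlgorithm, ok ? "can sign" : "cannot sign");
                if (ok && !chosen) { binding.Security.Message.AlgorithmSuite = suites[i]; chosen = true; }
            }
        }
        Console.WriteLine(chosen ? "Binding configured with the first usable suite." : "No listed suite is usable with this key.");
    }
}
```

With the constructed software key all three suites report "can sign"; a card-backed key may prompt for a PIN during the probe.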

Need Apache Axis (not Axis2) client example for calling web service with SSL

I have searched in vain for a straightforward example of calling a web service requiring SSL authentication and that has a self-signed certificate. I already have the code to be able to trust all certs, so you don't need to provide that. Just a simple example of being able to provide to the service the authentication parameters - username, password, and any other authentication-related parameters, transports, and headers necessary to authenticate successfully and make use of the service. Right now I am using Axis 1.4. Your responses will be greatly appreciated. Thanks.
Have you tried this?
https://stackoverflow.com/a/3256676/372643
You'll need to initialise your socket factory from an SSLContext that trusts this particular self-signed certificate.
Alternatively, you could import this specific certificate in your trust store (cacerts in your JRE directory), or import it into a copy of this file and use it as a global trust store by pointing the javax.net.ssl.trustStore system property to it (the default password is changeit).

WCF and authentications requiring certificates?

Can anyone explain to me when a certificate is required using WCF and authentication. From my understanding although I could be way off :-)
basichttp doesn't require a certificate to do authentication is hosted in IIS and using SSL otherwise a certificate is required
All other bindings like netTcpBindings etc require the use of certificate - is this true?
Or does it depend on what type of authentication I am using?
I would really appreciate any info or maybe a table telling me when a certificate is needed.
I have a number of scenarios I am investigating like hosting in IIS or hosting in Windows Service.
And I just can't seem to find the info I need
Thanks in advance
There are two scenarios where you need a certificate:
A server side certificate that is used for SSL. For basichttpbinding, if you are sending a username and password over the network you should use SSL.
A client side certificate if you are authenticating clients using certificates.
Other bindings may use machine keys and certificates in the operating system, but you do not need to install a certificate for them to work.