We are trying to reference a certificate for a client endpoint configuration in our WCF configuration file.

The configuration looks like this:

<client>
    <endpoint address="https://domain.server.com/path/service.asmx"
        binding="basicHttpBinding" bindingConfiguration="TestServiceSoap"
        contract="..." name="...">
        <identity>
            <certificateReference storeName="TrustedPublisher"
                x509FindType="FindBySubjectDistinguishedName"
                findValue="...">....

For a test-certificate, the "Subject" property looks like this:

CN = demo.domain.com
OU = Company
O = Company
L = City
S = County
C = CountryCode

This works, if we provide the following for the findValue attribute above:

CN=demo.domain.com, OU=Company, O=Company, L=City, S=County, C=CountryCode

However, for a certificate we have from a third party, they have added their address as one part of this, so the above list of identifiers looks like this:

CN = demo.domain.com
OU = Company
STREET = Mainstreet 1, Town Center
L = City
S = County
C = CountryCode

Obviously, the comma in the STREET part will not work, as our string now contains "Town Center" as a separate part with no name.

How do we specify that we want to find the certificate using this list of identifiers?

CN=demo.domain.com, OU=Company, O=Company, STREET=Mainstreet 1, Town Center, L=City, S=County, C=CountryCode
                                                              ^-- Argh!
A: 

This isn't a direct answer to your question, but you don't really have to put all that detail in there if you don't want to. The CN should suffice unless you REALLY have multiple people with the same CN???

So you just need:

CN=demo.domain.com

In fact you don't even need to use the FindBySubjectDistinguishedName find type. You could just use FindBySubjectName and just put the plain subject name instead:

demo.domain.com
Drew Marsh
We would like to avoid matching against multiple certificates that might be installed, seeing as this server might be used to deal with multiple third party servers, so the distinguished name is really what we want.
Lasse V. Karlsen
I would be absolutely shocked if you ever ran into a collision based on just subject in your own world, but if that's the requirement then fair enough. :)
Drew Marsh
A: 

Ok, with more experimentation we managed to find the answer ourselves.

First, to encapsulate values that contain special characters, we need to enclose them in double quotes.

This, however, won't play nice with findName="..." which also uses double quotes, so we changed that to single quotes.

The end result was this:

findName='..., STREET="Mainstreet 1, Town Center", ...'
         ^            ^                         ^     ^
         |            +---- this is needed -----+     |
         |                                            |
         +- and this is needed to use double quotes --+
Lasse V. Karlsen
Didn't think of this, very nice. If you *really* cared and wanted to keep the double quotes in your XML you could probably use &quot; inside of the value like so: STREET=&quot;Mainstreet 1, Town Center&quot;
Drew Marsh
That might be possible as well, we'll try that too.
Lasse V. Karlsen
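The problem in the question and the fix in the accepted answer both come down to how a distinguished-name string is split into its parts. The following Python is an added example, not code from the question, the answers, or WCF itself: a small DN parser that splits on commas while honouring double-quoted values (the form the answer uses) and RFC 4514 backslash escapes, so the comma inside STREET stays part of the value instead of producing a nameless "Town Center" part. It is an illustration of the quoting rule, not a reproduction of how the .NET certificate store compares subjects; the DN strings below are constructed for the example, and whether the backslash form is accepted by the WCF findValue lookup is not something this page establishes.

```python
from __future__ import annotations

# Added example: parse an RFC 2253/4514-style DN string into (type, value) pairs.
# Assumptions: values may be wrapped in double quotes or use backslash escapes;
# whitespace around '=' and ',' is insignificant; type names compare case-insensitively.


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into [(type, value), ...].

    Rules handled:
      * ',' separates parts unless it is inside "..." or escaped with a backslash
      * a double-quoted value keeps its commas; the quotes themselves are dropped
      * '\\x' outside quotes yields the literal character x (RFC 4514 escaping)
    Raises ValueError for a part with no '=' (the "Town Center" failure in the question).
    """
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character, kept literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit the value, they are not part of it
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in DN")
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"part without a type name: {part.strip()!r}")
        typ, _, val = part.partition("=")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def dn_matches(find_value: str, cert_subject: str) -> bool:
    """Structural comparison of two DN strings (same parts, same order, same values)."""
    return parse_dn(find_value) == parse_dn(cert_subject)


def rdn_error(dn: str) -> str | None:
    """Return the parse error for a DN string, or None if it parses cleanly."""
    try:
        parse_dn(dn)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample DNs mirroring the question: unquoted (broken), quoted (the
# answer's fix) and backslash-escaped (the RFC 4514 form).
UNQUOTED = "CN=demo.domain.com, OU=Company, STREET=Mainstreet 1, Town Center, L=City"
QUOTED = 'CN=demo.domain.com, OU=Company, STREET="Mainstreet 1, Town Center", L=City'
ESCAPED = r"CN=demo.domain.com, OU=Company, STREET=Mainstreet 1\, Town Center, L=City"

if __name__ == "__main__":
    print("unquoted:", rdn_error(UNQUOTED))
    for label, dn in (("quoted", QUOTED), ("escaped", ESCAPED)):
        for typ, val in parse_dn(dn):
            print(f"{label}: {typ} = {val}")
    print("quoted == escaped:", dn_matches(QUOTED, ESCAPED))
```

Running the block shows the unquoted string failing on the nameless "Town Center" part, while the quoted and escaped forms parse to the same four parts, with STREET holding the full address. When matching a configured findValue against a certificate's Subject, a structural comparison like `dn_matches` is what you want rather than raw string equality, since the order of parts, spacing and quoting can differ between the store's rendering and what was typed into the configuration.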