Really thought I had this issue fixed, but it was only disguised before.

I have a WCF service hosted in IIS 7 using HTTPS. When I browse to this site in Internet Explorer, it works like a charm; this is because I HAVE added the certificate to the local Trusted Root Certification Authorities store.

I'm developing on one machine, so client and server are the same machine. The certificate is self-signed directly from the IIS 7 management snap-in.

I continually get this error now:

"Could not establish trust relationship for the SSL/TLS secure channel with authority ..." when called from the client console.

I manually gave myself and Network Service permissions to the certificate's private key, using FindPrivateKey and cacls.exe.

Where else can I look? I seem to have exhausted all possibilities as to why I can't connect.

**UPDATE**

Thanks for the answers so far. I tried to connect to the service using SoapUI, and that works, so it must be an issue in my client application, which is code based on what used to work with HTTP. I wonder what the issue is.

+4  A: 

Add a handler to the ServicePointManager's ServerCertificateValidationCallback on the client side, i.e.

    // Accepts every server certificate, whatever the chain, name or policy errors are.
    // (sender, certificate, chain, sslPolicyErrors) is the RemoteCertificateValidationCallback signature.
    System.Net.ServicePointManager.ServerCertificateValidationCallback +=
        (sender, certificate, chain, sslPolicyErrors) => true;

But attention! This is not good practice, as it completely ignores the server certificate and tells the ServicePointManager that everything is fine. You could refine this and do some custom checking (of the certificate name, hash etc.). At least you can circumvent problems during development when using test certificates.

Joachim Kerschbaumer
I think most public setups will use a purchased cert but during dev use the above code within conditional #if statements. Enterprise devs should generally setup an internal CA server >> http://technet.microsoft.com/en-us/library/cc875810.aspx
Luke Puplett
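As an added example (not code from the answer or comments above), here is the refinement Joachim Kerschbaumer suggests, done the way Luke Puplett's comment recommends: the callback is only compiled into DEBUG builds, and instead of returning true for everything it accepts the self-signed development certificate only when its SHA-1 thumbprint matches a pinned value. The thumbprint constant is an assumption; copy the real one from the certificate's Details tab (IIS Server Certificates or certmgr.msc), without spaces.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class DevCertificatePinning
{
    // Assumed value: the SHA-1 thumbprint of the self-signed IIS certificate.
    // .NET reports Thumbprint as upper-case hex with no separators.
    const string DevThumbprint = "0000000000000000000000000000000000000000";

    public static void Install()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback += ValidateDevCertificate;
#endif
        // In Release builds nothing is registered: the default chain validation runs
        // and a certificate the machine does not trust is rejected as it should be.
    }

    static bool ValidateDevCertificate(object sender, X509Certificate certificate,
                                       X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Anything the platform already trusts passes as usual.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        if (certificate == null)
            return false;

        // Tolerate only the chain error a self-signed certificate produces (untrusted root).
        // A host-name mismatch is still a failure: the client must use the host name in the
        // certificate's subject, not an alias for it.
        bool onlyChainErrors =
            (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.None;

        // And even then, only for the one certificate we expect.
        var cert2 = new X509Certificate2(certificate);
        bool pinned = string.Equals(cert2.Thumbprint, DevThumbprint, StringComparison.OrdinalIgnoreCase);

        return onlyChainErrors && pinned;
    }
}
```

Call `DevCertificatePinning.Install()` once at client start-up, before the first channel is opened. Because the pin is on the exact certificate rather than on "any certificate", a different certificate presented by something sitting between client and service is still rejected, which is the man-in-the-middle case a blanket `return true` gives up.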
+2  A: 

Your problem arises because you're using a self-signed key. The client does not trust this key, nor does the key itself provide a chain to validate or a certificate revocation list.

You have a few options - you can

  1. turn off certificate validation on the client (bad move, man in the middle attacks abound)

  2. use makecert to create a root CA and create certificates from that (ok move, but there is still no CRL)

  3. create an internal root CA using Windows Certificate Server or other PKI solution then trust that root cert (a bit of a pain to manage)

  4. purchase an SSL certificate from one of the trusted CAs (expensive)

blowdart
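Added example, not part of blowdart's answer: a client-side callback for options 2 and 3, where a development root CA issues the service certificate but that root is deliberately kept out of the machine's trusted root store. Instead of disabling validation, the callback rebuilds the chain itself with the development root supplied as an extra certificate, turns revocation checking off because a makecert-style root publishes no CRL (the caveat in option 2), and then accepts the chain only if it terminates at exactly that root. The file path of the root certificate is an assumption.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class DevRootTrust
{
    // Assumed: the public certificate (no private key) of the development root CA,
    // for example the one exported after "makecert -r". Loaded once, not per request.
    static readonly X509Certificate2 DevRoot = new X509Certificate2(@"C:\certs\devroot.cer");

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += ValidateAgainstDevRoot;
    }

    static bool ValidateAgainstDevRoot(object sender, X509Certificate certificate,
                                       X509Chain presentedChain, SslPolicyErrors sslPolicyErrors)
    {
        // Certificates the machine already trusts need no special handling.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // A missing certificate or a host-name mismatch is never acceptable;
        // the only thing we are prepared to tolerate is an unknown root.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        var leaf = new X509Certificate2(certificate);
        var chain = new X509Chain();

        // Make the dev root available for chain building without installing it machine-wide.
        chain.ChainPolicy.ExtraStore.Add(DevRoot);
        // The dev root has no CRL distribution point, so an online check would fail or hang.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Let Build succeed with an untrusted root; which root it is gets checked explicitly below.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!chain.Build(leaf))
            return false;

        // Every status other than "root is not in the trusted store" (expiry, bad signature,
        // wrong key usage, ...) is still a hard failure.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // The chain must end at our development root, not at some arbitrary unknown root.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, DevRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

This keeps the trust decision in one auditable place and limits it to one named root. The trade-off against option 3 is the one blowdart names: nothing here can revoke a certificate issued by that root, so it is a development-only arrangement, and the callback should not be registered in builds that talk to production endpoints.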