views: 276
answers: 3

I'm trying to host a WCF service with wsHttpBinding. I created a certificate using makecert and put some lines in web.config.

This is the error that I'm getting:

System.ArgumentException: The certificate 'CN=WCfServer' must have a private key that is capable of key exchange. The process must have access rights for the private key.

On googling, it seems to be some issue with access rights on the certificate file. I used cacls to give read permission to NETWORK SERVICE and also my username, but it didn't change anything.

I also went to security settings in the properties of the certificate file and gave full control to NETWORK SERVICE and my username. Again to no avail.

Can you guide me as to what the problem is and what exactly I need to do? I'm really flaky with these certificate things.

Here's my web.config:

<system.serviceModel>

    <services>
        <service name="Abc.Service" behaviorConfiguration="Abc.ServiceBehavior">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="Abc.BindConfig" contract="Abc.IService">
                <identity>
                    <dns value="localhost"/>
                </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
        </service>
    </services>

    <behaviors>
        <serviceBehaviors>
            <behavior name="Abc.ServiceBehavior">
                <serviceMetadata httpGetEnabled="true"/>
                <serviceDebug includeExceptionDetailInFaults="false"/>

                <serviceCredentials>
                    <clientCertificate>
                        <authentication certificateValidationMode="PeerTrust"/>
                    </clientCertificate>
                    <serviceCertificate findValue="WCfServer" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
                </serviceCredentials>

            </behavior>
        </serviceBehaviors>
    </behaviors>

    <bindings>
        <wsHttpBinding>
            <binding name="Abc.BindConfig">
                <security mode="Message">
                    <message clientCredentialType="Certificate" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

</system.serviceModel>
+1  A: 

From what I could gather from the web, it seems like it is NOT an issue of permissions; more like there is something wrong with the configuration of the certificate.

Here are instructions on how to allow access to the private key.

Do you have IIS7 installed and running? There is a very simple tool there for creating certificates (instead of makecert) that I have successfully used for WCF communication.

ondesertverge
A: 

Take a look at the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe). It allows you to grant access to the private key of an X.509 certificate to a Windows account.

Here is a blog post that explains how to use the tool.

Enrico Campidoglio
A: 

Ok.. I figured out what the problem was. When using makecert to create the certificate, the -pe option must be used, which makes the generated private key exportable so that it can be used in the certificate. The problem was that the makecert bundled with VS2008 is version 5.131, which does not have a -pe option. I found version 6.0 in Microsoft SDK 6, which has the option.

This is the biggest problem I find as a beginner in .NET. There are so many non-compatible versions of the same thing, and when you look up stuff on the internet you don't know which version someone's talking about.

manu1001
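
The error in the question names three separate conditions: a private key exists, it is capable of key exchange, and the process can read it. The following diagnostic is an added example, not code from this thread; it reports each condition for the certificate that the `<serviceCertificate>` element selects. The function name `Test-ServiceCertificateKey` is hypothetical, and the script assumes Windows PowerShell, a CSP-backed RSA key such as makecert produces, and that it is run under the account that hosts the service.

```powershell
function Test-ServiceCertificateKey {
    param(
        # Defaults mirror the <serviceCertificate> element in the question's web.config.
        [string]$SubjectName   = 'WCfServer',
        [string]$StoreName     = 'My',
        [string]$StoreLocation = 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open('ReadOnly')
    try {
        # FindBySubjectName is a substring match, so several certificates can come back.
        $certs = $store.Certificates.Find('FindBySubjectName', $SubjectName, $false)
    } finally { $store.Close() }

    foreach ($cert in $certs) {
        $r = [ordered]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # condition 1: a key is attached at all
            KeyReadable = $false; KeyNumber = $null; Exportable = $null
            KeyFile = $null; KeyFileAcl = $null; Error = $null
        }
        if ($cert.HasPrivateKey) {
            try {
                # Opening the key throws if this account has no rights on the key container.
                $csp = $cert.PrivateKey.CspKeyContainerInfo
                $r.KeyReadable = $true            # condition 3: this process can read the key
                # 'Exchange' is what the error text calls "capable of key exchange";
                # 'Signature' means the key was created for signing only.
                $r.KeyNumber  = $csp.KeyNumber    # condition 2
                $r.Exportable = $csp.Exportable   # the flag the -pe option controls
                # Per-user keys live under the profile of the account running this script.
                $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
                $dir = if ($csp.MachineKeyStore) { Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' } else { Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid" }
                $r.KeyFile = Join-Path $dir $csp.UniqueKeyContainerName
                if (Test-Path $r.KeyFile) {
                    # These are the ACL entries that cacls or WinHttpCertCfg.exe would change.
                    $r.KeyFileAcl = (Get-Acl $r.KeyFile).Access |
                        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
                }
            } catch { $r.Error = $_.Exception.Message }
        }
        New-Object psobject -Property $r
    }
}

Test-ServiceCertificateKey | Format-List
```

No output means no certificate in that store matched the subject name for the account running the script.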