How to use SSL transport security using a certificate in your WCF hosted service…

So you want some channel security in your WCF service. Maybe you even want to guarantee that the server you are talking to is who it says it is.

Well, transport security is what you are looking for. It is really quite easy to implement.
Things you will need:
1) A certificate issued by a signing authority the client trusts (Thawte, GoDaddy, VeriSign, etc.), installed together with its private key in the server's certificate store
2) A WCF service (duh)

You will need to make changes to the server app.config and the client app.config.

On the Server:

You will need to add this element inside the <binding> element of the binding the service uses (netTcpBinding in the example below):
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>

We are basically saying here: use transport security (TLS on the channel), but don't ask for a client certificate. Only the server is authenticated; the client stays anonymous at the transport level, so anyone who trusts your certificate can connect and you still need authorization inside the service.

You will also need to create a service behavior that tells WCF which certificate to present:
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehavior">
<serviceCredentials>
<serviceCertificate findValue="CN=server.contoso.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>

Notice the serviceCertificate element. This is the important one. The CN=server.contoso.com value is the part you change to match your server certificate's subject. Two more things have to line up: the <service> element in the same config must reference the behavior (behaviorConfiguration="MyServiceBehavior"), and the account the service runs as must have read access to that certificate's private key in the LocalMachine\My store, or the host will fail to open. The clientCertificate/authentication element does nothing while clientCredentialType is None, but leaving certificateValidationMode="None" in place means that if someone later switches the binding to clientCredentialType="Certificate", any client certificate at all will be accepted; leave it out or set it to ChainTrust. One caveat: serviceCredentials is how WCF picks the certificate for net.tcp. For an HTTPS binding (basicHttpBinding, wsHttpBinding) on a self-hosted service, the certificate has to be bound to the port in HTTP.sys with netsh http add sslcert instead; the serviceCertificate element alone will not do it.

Now the service is setup. You will need to modify the Client app.config as follows:

You need to change the binding on the client the same way as on the server. Example:
<bindings>
<netTcpBinding>
<binding  name="TCP_Binding" …..>
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>

Now you have your service protected with SSL (TLS) and server validation. The client checks the server certificate against its trusted root store (certificateValidationMode defaults to ChainTrust on the client side) and checks that the certificate identity matches the host name in the endpoint address, so the client address should use the name in the certificate subject (server.contoso.com), not an IP. If the client throws a certificate validation error, fix the trust chain or the name; don't "fix" it by setting certificateValidationMode="None" on the client, because that switches off server authentication entirely and leaves only encryption to whoever answers on that port.
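Putting the pieces above together, here is a complete pair of app.config files. This is an added example, not config from the original post: the service type Contoso.Services.MyService, the contract Contoso.Services.IMyService, the host name server.contoso.com and port 8443 are assumptions. The two things it adds over the snippets above are the behaviorConfiguration link on the <service> element and the explicit ChainTrust validation on the client.

```xml
<!-- ===== Server app.config (added example; names, host and port are assumptions) ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="TCP_Binding">
          <!-- Transport = TLS on the TCP stream; None = only the server is authenticated -->
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <!-- behaviorConfiguration must name the behavior that carries the certificate -->
      <service name="Contoso.Services.MyService" behaviorConfiguration="MyServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="net.tcp://server.contoso.com:8443/MyService" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="netTcpBinding" bindingConfiguration="TCP_Binding"
                  contract="Contoso.Services.IMyService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceCredentials>
            <!-- The service account needs read access to this certificate's private key -->
            <serviceCertificate findValue="CN=server.contoso.com"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

<!-- ===== Client app.config (added example; same assumptions) ===== -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <binding name="TCP_Binding">
          <security mode="Transport">
            <transport clientCredentialType="None" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <client>
      <!-- Host name must match the certificate subject; it is the identity the
           client checks the presented certificate against -->
      <endpoint name="MyServiceEndpoint"
                address="net.tcp://server.contoso.com:8443/MyService"
                binding="netTcpBinding" bindingConfiguration="TCP_Binding"
                contract="Contoso.Services.IMyService"
                behaviorConfiguration="ValidateServerCert">
        <identity>
          <dns value="server.contoso.com" />
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ValidateServerCert">
          <clientCredentials>
            <serviceCertificate>
              <!-- ChainTrust and Online revocation are the defaults; spelled out so
                   nobody "fixes" a handshake error by changing this to None -->
              <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

If the client still fails to connect, check the three usual suspects in order: the root of the server certificate is in the client's Trusted Root store, the host name in the address matches the subject CN (or a DNS SAN), and the service account can read the private key on the server.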

Happy coding!

Replies

  1. Hi,
    I know it's quite an old post, but I am trying to do something similar. Basically I have a self-hosted WCF service, and it opens 3 TCP endpoints and listens to all of them on the same port (say 1234). All of these endpoints are for apps in the intranet, so for security we use mode Transport and ClientCredentialType Windows. Now in the same service I have to create a new endpoint for an external client (outside our corporate domain). The client will use TCP, so no issues there. So what I hope to achieve is:
    1. In the same ServiceHost create a new endpoint, with a new binding; this binding will be different from the existing one.

    2. In this new binding specify security mode Transport and ClientCredentialType None.

    What I don't understand is how to enable SSL only for this new endpoint (which should be on the same port, i.e. 1234), so that my existing endpoints remain untouched and I am able to provide a new secure endpoint to the external client.

    Also, in the first place, is it possible that, say, a WCF service has 4 endpoints on the same port, and one endpoint can have SSL and the rest not? I am in a dilemma here because it sounds a bit weird that the same TCP port listens to encrypted as well as unencrypted messages.

    I hope I can get some help from you, maybe some pointers, as I am a bit stuck here.

    PS: The WCF service with 3 intranet endpoints is already in production.

    /Pankaj

    1. You can have as many endpoints as you would like. You can configure different security for each, but you need to ensure they each have their own configuration.
      Now, you can't have multiple recipients on the same SSL-secured endpoint if you are expecting different authorization methods (as far as I know; you can always test to disprove).

      I would pick a different endpoint for SSL, say 1235, etc. See, a cleartext connection doesn't have the same handshake as an SSL connection. SSL will break a cleartext client, and cleartext will cause an SSL client to time out.
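As an added example of the layout the reply above recommends (this is not config from the post or from either commenter): one service with two net.tcp endpoints on separate ports, the intranet endpoint keeping Windows transport security and the external endpoint using the server certificate with an anonymous client. Service name, contract, host name and the ports 1234/1235 are assumptions; the certificate behavior is the one from the post.

```xml
<!-- Added example: one ServiceHost, two net.tcp endpoints with different transport security.
     Service name, contract, host and ports are assumptions. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Intranet callers: the stream is protected by Windows (SSPI) negotiation,
           not by a TLS handshake with the certificate -->
      <binding name="IntranetWindows">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
      <!-- External caller: TLS with the server certificate, client anonymous at transport level -->
      <binding name="ExternalSsl">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <services>
    <service name="Contoso.Services.MyService" behaviorConfiguration="MyServiceBehavior">
      <!-- Existing intranet endpoint stays on 1234 with its original binding -->
      <endpoint address="net.tcp://server.contoso.com:1234/MyService"
                binding="netTcpBinding" bindingConfiguration="IntranetWindows"
                contract="Contoso.Services.IMyService" />
      <!-- New external endpoint on its own port with its own binding -->
      <endpoint address="net.tcp://server.contoso.com:1235/MyService"
                binding="netTcpBinding" bindingConfiguration="ExternalSsl"
                contract="Contoso.Services.IMyService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehavior">
        <serviceCredentials>
          <!-- Only the ExternalSsl endpoint presents this certificate -->
          <serviceCertificate findValue="CN=server.contoso.com" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectDistinguishedName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Because the external endpoint authenticates no client at the transport level, the service still needs its own authorization for calls arriving on port 1235; the firewall rule that exposes 1235 should not also expose 1234.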

  2. How would this work for named pipe binding? Visual Studio is telling me that in clientCredentialType does not exist. Will it work the same way if I leave that attribute out but set up everything else the same?

    1. Pretty sure named pipes don't support SSL. They run on the same machine, basically in-memory. Similar in concept but not the same as shared memory. Your connection is secure because you aren't leaving the machine.

  3. Hello,
    Whether specifying the in the app.config file alone binds the certificate to the server. I am using BasicHttpBinding with Transport security. I have just specified the certificate details in the app.config file; it doesn't work.
    But if I bind the certificate with the port, it works. I am not sure why we give and when it will be in effect in the WCF HTTPS channel.
