I have a p12 certificate for a WebService (I've tested the certificate with SoapUI and it works, and I can access the URL with a WebBrowser).
The problem is that I can't consume the WebService with my c# development. When I try to access the webservice, returns the error message "Cannot create DNS identity probably due to the lack of CN parameter".
How can I override this? I've tried the CreateX509CertificateIdentity, but the error remains.
When you access your webservice on i.e. http://localhost/webservice url then your CN=localhost. If you want to make the webservice available at multiple urls then you need to specify all DNS addresses in subject alternative name (SAN) in the extensions of your certificate. Of course the certificate has to be trusted by client and server.
Related
I am trying to connect to Bloomberg FIX (EMSX) through SSL using QuickFIX/n.
I have got 3 .pem files from Bloomberg using which I have to configure the SSL connectivity. I have gone through all the available reference material on the internet but in vain.
Can anybody help in doing this configuration??
Thanks in advance.
Have a look at using Stunnel and check out this question...
QuickFIX/n expects .pfx extension files. See http://quickfixn.org/tutorial/configuration.html#ssl
This extension is normally used for PKCS #12 encoded files which contain the certificate and the private key, protected by a password.
You may need to convert your .pem files so that you have one .pfx file which contains your private key and the certificate and another file which contains your CA Certificate. The SSLCertificate and SSLCACertificate configuration parameters of the QuickFIX/n session should then be set to the path of these two files. SSLCertificatePassword should contain the password.
QuickFIX/n is strict and requires the FIX Acceptor (Bloomberg EMSX in this case) to have the x509v3 extended key attribute "TLS Web Server Authentication" (1.3.6.1.5.5.7.3.1) to be explicitly present in the server certificate that is presented during the SSL handshake.
If not present, you will get an error message in the QuickFIX/n session event log:
Remote certificate is not intended for server authentication: It is
missing enhanced key usage 1.3.6.1.5.5.7.3.1
Some FIX Acceptors still don't define this in their server certificate, so even if you go to the effort of converting your PEM files to PFX, it still won't work.
You can use Stunnel which doesn't seem to mind what purpose was intended for the server certificate that is presented. As an added bonus Stunnel understands PEM files so no need to convert. However, you should be aware that if your end goal is end-to-end encryption, the hop between your QuickFIX/n application and Stunnel will be in clear text.
I am receiving the error message, "the remote certificate is invalid according to the validation procedure", when I try to make a request. The service is being served on a Weblogic server. I have a certificate issued by the same CA and I have the root certificate plus chain along with the server's certificate.
Before I make the request, I call ServicePointManager.ServerCertificateValidationCallback and then I add the client certificate to the request. This all works but goes wrong when I try to make my request in my winform application. However, as a check, I have typed the url into the browser and it works. So,I am confused as to why I should get this error, when one the certificate has been checked, the server certificate has been validated and the client has been added to the request.
Can someone please help me?
Found the problem! The issue was due to the server certificate being issued with the incorrect distinguished name
I'm downloading files from a FTPS server and the server sends a certificate back to me.
Microsoft states:
When custom validation is not used, the certificate name is compared with host name used to create the request. For example, if Create(String) was passed a parameter of "https://www.contoso.com/default.hmtl", the default behavior is for the client to check the certificate against www.contoso.com.
The certificate does not pass the default validation (RemoteCertificateNameMismatch). Right now I use the ServicePointManager.ServerCertificateValidationCallback delegate and provide a delegate that returns true, just "to pass" without any validation. How do I validate the certificate using C#?
One of the parameters to the delgate mentioned above, X509Certificate certificate, contains two public properties of interest: Issuer and Subject. None of the two properties contains any data matching the hostname.
Usually you must have a valid certificate against the right host name to pass the validation instead of overwriting the callback.
What target address did you use to access the FTP server? It should be different from the subject according to your description.
You may consider to use the subject hostname to access the server instead of current one. You could also set your client hosts file if you have DNS issues with that.
I am trying to consume webservice over https protocol. I have password-protected p12 file with certificate. After importing this file I can view service methods over browser and I can add service as a ServiceReference in VisualStudio client application. Problem appears while invoking methods of this service. I tried almost everything and still get error 'Could not establish secure channel for SSL/TLS with authority {server_name}'.
What can be wrong?
There are at least few possible causes but I would start by redefining the certificate validation callback:
ServicePointManager.ServerCertificateValidationCallback = (a,b,c,d) => true;
Put this like in your client code before you access the service.
I posted days ago about access control to web service (Access control to web service). In short, I have an ASP.NET web service deployed on //service/webservice and I want my ASP.NET web application (app1) on the //web1 to access the web service with certificate authentication. I keep getting System.Net.WebException: The request failed with HTTP status 403: Forbidden exception. The following is my setup:
On certificate export;
I exported a server certificate issued to //service from LocalMachine store and saved it as service.cer.
I also exported a client certificate issued to //web1 from LocalMachine store and saved it as web1.cer
Setup on //service/webservice:
On Directory Security, unchecked Anonymous Access and all Authentication Access (Integrated Windows Access, Digest Authentication and Basic Authentication).
On Secure communications, checked Required secure channel(SSL), Require 128-bit encyption, Require client certificate, and Enable client certificate mapping. I then mapped web1.cer to an AD account MyDomain/user which has access right to //service/webservice
For //service/webservice/WebService.asmx, set <authentication mode="Windows" /> on web.config
Setup on //web1/app1
Set <authentication mode="Windows" /> and <identity impersonate="true" /> on web.config
In VS2008, I added the web reference to //service/webservice/WebService.asmx and named it WService
In //web1/app1/default.aspx.cs, I had this:
using System.Security.Cryptography.X509Certificates;
using System.Net;
WService.WebService ws = new WService.WebService();
ServicePointManager.ServerCertificateValidationCallback = delegate(Object sender1, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors errors) { return true; };
//I was a bit confused here on which certificate I should use so I have tried both service.cer and web1.cer but still got the same error
X509Certificate x509 = X509Certificate.CreateFromCertFile(#"C:\Certificates\service.cer");
ws.ClientCertificates.Add(x509);
ws.DoSomething();
I ran WinHttpCertCfg.exe to grant access to both certificates in LocalMachine for ASPNET account
I went to https://service/webservice/WebService.asmx and was prompted to provide a client certificate and after that I was through. But if I went to https://web1/app1/default.aspx (which would call the web service) and I would get the HTTP status 403 exception.
What did I miss? I would assume the problem is because //web1/app1/default.aspx.cs failed to transmit the certificate across. If that's the problem, how do I do that? I built both the asmx and aspx on VS 2008 and ASP.NET 3.5.
Make sure your client certificate was requested as a 'Computer' template certificate for 'Client Authentication' otherwise it will not work.
Sounds like the SSL certificate is failing to authenticate for the web service client. A good check is if you go to the service from the client’s machine and get an alert in the browser about an SSL certificate your service will not authenticate with the certificate (certificate is not trusted). It’s not that the certificate doesn’t work, it’s just not trusted.
If the service is across machines you might have to setup a certificate authority (this might help http://www.petri.co.il/install_windows_server_2003_ca.htm) and add it as a trusted publisher on the client machine. This might also help http://support.microsoft.com/kb/901183.
Another option is to simple not validate the SSL, see:
http://geekswithblogs.net/jwhitehorn/archive/2006/09/20/91657.aspx
When I had this problem it turns out the client certificate/key pair I was using was signed by an intermediate CA which was in the current user store instead of the local machine store. It all looked good if you examined the cert while logged in but the IIS worker process could not see the intermediate CA. Thus, the web service call was not supplying the certificate with the request. You can verify this by checking the server web log for a 403 7 5 response.
Make sure the users that are impersonating have access to the certificate store being used.