How to setup selfhosted https WCF service with embedded certificates on client and server?

Question

Im creating a simple WCF service for receiving crash reports.

The service will run self-hosted as a console program and must run without any installation of certificates.

Security-wise i need to ensure that the data send by the client is only send to our server and that the data is not intercepted. From the server point of view i would also like to ensure that the connecting client is using a specific certificate (embedded in the client assembly) to discourage abuse of the service.

I have created a single self-signed certificate and plan to embed the .cer (containing the public part of the certificate) in the client assembly and embed the PFX containing the certificate with the private key into the service host program assembly. (I was led to believe by this that i could use a single certificate).

My problem is that no matter how is setup this up i get the following error:

"An error occurred while making the HTTP request to https://localhost:8080/errorservice. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server."

There shouldnt be a mismatch between the bindings, as they are created using the same code:

public static BasicHttpBinding CreateStreamingBinding() {
  BasicHttpBinding streamBinding = new BasicHttpBinding();
  streamBinding.TransferMode = TransferMode.StreamedRequest;
  streamBinding.MaxReceivedMessageSize = long.MaxValue;
  streamBinding.Security = new BasicHttpSecurity
  {
    Transport = new HttpTransportSecurity 
    {
      ClientCredentialType = HttpClientCredentialType.None,
      ProxyCredentialType =HttpProxyCredentialType.None
    },
    Mode = BasicHttpSecurityMode.Transport,
  };
  streamBinding.MaxBufferSize = int.MaxValue;
  streamBinding.MessageEncoding = WSMessageEncoding.Mtom;
  streamBinding.SendTimeout = new TimeSpan( 1, 0, 0, 0, 0 );
  streamBinding.ReceiveTimeout = new TimeSpan( 1, 0, 0, 0, 0 );
  return streamBinding;
}

On the client the code to create service is setup like this (the certificate location is just for testing):

protected ErrorReportingServiceClient CreateClient() {
  X509Certificate2 cert = new X509Certificate2( @"C:\certs\reporting.cer" );

  EndpointAddress endpointAddress = new EndpointAddress( new Uri( ReportingServiceUri ));

  ErrorReportingServiceClient client =  new ErrorReportingServiceClient( CreateStreamingBinding(), endpointAddress );
  client.ClientCredentials.ServiceCertificate.DefaultCertificate = cert;
  client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
  client.ClientCredentials.ClientCertificate.Certificate = cert;

  return client;
}

On the service side the setup is as follows:

    X509Certificate2 cert = new X509Certificate2( @"C:\certs\reporting.pfx", <password>);
    BasicHttpBinding basicHttpBinding = CreateStreamingBinding();
    host.Credentials.ClientCertificate.Certificate = cert;
    host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
    host.Credentials.ServiceCertificate.Certificate = cert;

    host.AddServiceEndpoint( contractType, basicHttpBinding, baseAddress );

Any help on how to setup this correctly would be greatly appreciated.

Answer 1

The question was answered on the MSDN forums: http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/14f44296-5e3d-4df5-8cc4-a185415852b7