How to consume WCF Service using console application and/or Windows phone 8 application over https under Dot Net Framework (Dealing with Certificate Issues)

Certificates Overview: 

Certificate, also known as public key certificate or digital certificate, is an electronic document which uses a digital signature to bind a public key with an identity. The identity could be anything. For example it could represent a user, a device, a service or even a few lines of code.

The certificate can be used to sign the identity and could be verified by others. For example a message being signed by a certificate could be verified by the receiver, so that it will be able to know whether the message is the original one or had been modified by someone else. The certificate can also be used to encrypt and decrypt. This is the reason why we can bind a certificate on a website so that the data between the browser and server would be secured, since they are been encrypted and signed by the certificate.

The certificate authority (CA) takes the responsibility to issue the certificates. In Windows we can use the Active Directory Certificate Service.

In an enterprise there might be more than one CAs and normally they will be organized hierarchically. The top level would be the Root CA, which have a certificate signed by itself. All subordinate CAs’ certificate should be requested to and signed by the root CA.

Secure WCF service consumption using console application:

Consuming your native WCF Service over HTTPS using client application can be troublesome since the connection in this case is secure. Therefore you need a certificate from server side(in this case it is the machine hosting the WCF Service) so as the server can be authenticated by the console application. In this post I will explain how to consume your WCF service by issuing a self signed certificate.

As explained above you need a certificate for WCF service hosting machine, for this open the visual studio command prompt on the machine hosting the WCF service and make use of 'makecert' command with proper parameters as given below:


makecert -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=machine-name" -ss root -sr localmachine

The above command creates a self-signed root certificate. In the above command, signroot.cer is the name of the certificate file which is created.In place of the 'machine-name' parameter above you need to give the name of the machine on which the wcf service is running. The above command creates a self signed root certificate for the wcf service hosting machine and this certificate is used for server authentication. The above command also adds a new root cert in "trusted root certification authorities" on your machine. You can verify it using the using the Microsoft Management Console (mmc). Now you need to export and install this root cert on the client machine also under "Trusted root certificate" category so that the console application can authenticate the server using this certificate.

Once this is done you need to create a self signed client certificate for the server machine. For this again open the visual studio command prompt on the service hosting machine and type the following command:

makecert -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n CN="Server-IP" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

In the command above in place of 'Server-IP' you need to give the ip address of the machine in which the service runs. Once this command is executed you have a new client certificate in "Personal". Once this is done you need to bind your self signed client certificate with the "https" protocol. For this do the following:

 In the IIS admin, select the topmost node, the click the "server certificates" item on the right. You should see the new cert named "Server-IP" (given in above command) in the list. Then select "default web site" in the tree, and click on "Bindings" on the far right side. In the dialog that comes up, edit the "https" entry. In the "Edit Site Binding" dialog, in the "IP Address" combobox. select the ip address of the machine. In the "SSL Certificate" combobox, select your new client cert named "Server-IP". 

Once this done your console application should work fine.

Secure WCF service consumption using Windows Phone 8 application under emulator:

The steps for issuing the certificate in this case is same as for the console application but in order to authenticate the server you need to install its certificate on the emulator once it runs. For this first go to the service hosting machine and create a new folder say "Cert" under the default http website location for hosting the websites used by IIS(ie under C:\inetpub\wwwroot\).

From the Certificates plugin in mmc, export the root cert to a new p7b file in "Cert" folder (in the certificiate export wizard, select "cryptographic message syntax standard - pkcs #7"). Any file name is okay, but the extension must be p7b.

In the emulator, bring up IE, and enter the address of your new Certs website ("http://server-ip-address/certs/rootcertexport.p7b"). The emulator will install the cert. 
Since the server root cert in now install on the emulator now you can consume the wcf service over https using the application on emulator. Note here that every time you have to install the server root cert on the emulator once it is run again.