Setting up SSL for WCF in Development

by David Kiff 22. September 2009 11:27

This blog post describes how to secure WCF services hosted in IIS 7.0 with Secure Sockets Layer (SSL), using a self-signed certificate that is suitable for a development machine only.

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a protocol that runs above TCP and below HTTP, at the Transport Layer. It encrypts the data exchanged between the two parties, protects it from being altered in transit and, through the certificate the server presents, lets the client check that it is really talking to the intended server and not to something in the middle. That last property is why the certificate must be trusted by the client, not merely present on the server, and it is what the second error message later in this post is about.

SSL requires a certificate, together with its private key, to be installed on the server.  In a development environment you will usually create your own self-signed certificate rather than buy one from a certification authority.  This is how to create one in IIS 7.0:

  1. Open IIS Manager (Start > Run > Inetmgr)
  2. Select the root node in the left pane (usually “MachineName (Domain\Username)”)
  3. Select “Server Certificates” in the middle pane
  4. Select “Create Self-Signed Certificate…” in the right pane (or by right clicking in the middle pane)
  5. Give your certificate a friendly name, so that you can identify it later on.  IIS uses the machine name as the certificate’s subject; the host name in your HTTPS address will have to match that subject, otherwise the client rejects the certificate even once it is trusted (you can check the subject later on the certificate’s Details tab)

Now that you have created a certificate, you need to bind it to your website, using the following steps:

  1. Right-click your website in the left pane (“Default Web Site” by default)
  2. Select “Edit Bindings…”
  3. Select “Add…”
  4. Select “https” from the “Type:” dropdown list
  5. Select the certificate you created earlier from the “SSL Certificate” dropdown list
  6. Select OK

Update your WCF endpoints to use the new HTTPS address and then browse to the WCF service in your web browser.  The service page will appear to be working under IIS; however, when you call one of the operations from a client you will probably see the following error message:

“The provided URI scheme ‘https’ is invalid; expected ‘http’”

This is because the binding is still using its default security mode, None, which only speaks plain http, so WCF refuses an endpoint address with the https scheme.  You have to set the security mode to Transport within the WCF configuration (or inline within code), and you have to do it on both the client and the service, since both must agree on the binding.  In configuration the binding looks like this:

<basicHttpBinding>
  <binding name="DefaultEndpoint" …more attributes here>
    <security mode="Transport">
      <!-- TLS authenticates the server only; no client certificate is requested -->
      <transport clientCredentialType="None" />
    </security>
  </binding>
</basicHttpBinding>
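The same setting done inline in code, as an added example that is not from the original post.  The IEchoService contract, the Echo operation and the endpoint address are assumptions for illustration; an IIS-hosted service still takes its binding from web.config, so this is the client side.  BasicHttpBinding.Scheme makes the first error visible: a binding left in mode None only yields “http”, and WCF rejects an endpoint address whose scheme differs from the binding’s when the channel is opened.

```csharp
using System;
using System.ServiceModel;

// Contract assumed for illustration; the original post does not show its service.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class HttpsClient
{
    // Code equivalent of <binding name="DefaultEndpoint"><security mode="Transport" /></binding>.
    public static BasicHttpBinding CreateBinding(bool transportSecurity)
    {
        BasicHttpSecurityMode mode = transportSecurity
            ? BasicHttpSecurityMode.Transport
            : BasicHttpSecurityMode.None;            // the default: plain http only
        BasicHttpBinding binding = new BasicHttpBinding(mode);
        binding.Name = "DefaultEndpoint";
        if (transportSecurity)
        {
            // TLS authenticates the server only; no client certificate is requested.
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        }
        return binding;
    }

    // WCF compares the endpoint address scheme with Binding.Scheme when the channel is
    // opened; "The provided URI scheme 'https' is invalid; expected 'http'" is that
    // comparison failing for a binding whose mode is still None.
    public static bool AddressMatchesBinding(BasicHttpBinding binding, Uri address)
    {
        return string.Equals(binding.Scheme, address.Scheme, StringComparison.OrdinalIgnoreCase);
    }

    public static string CallEcho(Uri address, string text)
    {
        BasicHttpBinding binding = CreateBinding(true);
        ChannelFactory<IEchoService> factory =
            new ChannelFactory<IEchoService>(binding, new EndpointAddress(address));
        IEchoService channel = factory.CreateChannel();
        try
        {
            string reply = channel.Echo(text);
            ((IClientChannel)channel).Close();
            factory.Close();
            return reply;
        }
        catch
        {
            // A faulted channel must be aborted, not closed, or Close throws a second time.
            ((IClientChannel)channel).Abort();
            factory.Abort();
            throw;
        }
    }

    public static void Main()
    {
        // Host name assumed for illustration; it must match the certificate's subject name.
        Uri address = new Uri("https://MachineName/EchoService.svc");
        Console.WriteLine("mode None      -> scheme {0}, address accepted: {1}",
            CreateBinding(false).Scheme, AddressMatchesBinding(CreateBinding(false), address));
        Console.WriteLine("mode Transport -> scheme {0}, address accepted: {1}",
            CreateBinding(true).Scheme, AddressMatchesBinding(CreateBinding(true), address));
        Console.WriteLine(CallEcho(address, "hello"));
    }
}
```

Until the certificate is trusted on the client machine, CallEcho fails with the trust-relationship error discussed next, because the https binding leaves certificate validation to the HTTP stack.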

Now when you call an operation you will probably see a different error message:

“Could not establish trust relationship for the SSL/TLS secure channel with authority localhost”

This error occurs because the certificate you generated is self-signed: it was not issued by a certification authority that the client machine trusts, so chain validation fails and the client refuses to talk to the server.  There are two approaches to fix this:

  1. Implement a RemoteCertificateValidationCallback on the client that accepts the certificate (more details here: http://msdn.microsoft.com/en-gb/library/system.net.security.remotecertificatevalidationcallback(VS.80).aspx)
  2. Trust the certificate on the client machine

I prefer the second approach, to ensure I don’t leave the validation callback code in a production environment: the usual callback just returns true, which switches off certificate checking for every HTTPS connection in the process, not only the one you were debugging.  It also seems much cleaner to me.. why write code when we don’t have to!?
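For completeness, this is what the first approach looks like when it is done carefully, as an added example that is not from the original post.  The thumbprint is a placeholder to be replaced with the development certificate’s value from the Details tab in the Certificates snap-in.  It shows the callback most people write, which accepts everything, next to one that only tolerates the untrusted-root error, only for that one pinned certificate, and only in debug builds.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DevCertificateValidation
{
    // Placeholder value: replace with the SHA-1 thumbprint of the IIS-generated
    // certificate (Details tab in the Certificates snap-in, spaces removed).
    public const string DevThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // What not to do. This accepts any certificate from anyone, including a man in the
    // middle, and ServicePointManager is process-wide, so every HTTPS call is affected.
    public static bool AcceptAnything(object sender, X509Certificate certificate,
                                      X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }

    // Tolerates exactly one failure (an untrusted root) for exactly one certificate.
    // Host name mismatches, missing certificates and any other chain problem are rejected.
    public static bool AcceptPinnedDevCertificate(object sender, X509Certificate certificate,
                                                  X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;                                    // normal validation succeeded
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;                                   // wrong host name, or no certificate
        if (certificate == null || chain == null)
            return false;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;                               // expired, revoked, wrong usage, ...
        }
        // GetCertHashString() returns the SHA-1 thumbprint as upper-case hex.
        return string.Equals(certificate.GetCertHashString(), DevThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Installed only in debug builds, so the relaxation cannot ship in a release build.
    public static void InstallForDevelopment()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback = AcceptPinnedDevCertificate;
#endif
    }
}
```

The WCF HTTPS transport goes through the same HTTP stack as HttpWebRequest, so the ServicePointManager callback is what decides whether the channel above opens.  Even the pinned version is a deviation from normal validation and belongs in development code only.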

In order to trust the certificate you have created on the client machine (in development usually the same machine that hosts the service), follow these steps:

Export the certificate generated within IIS

Open the Certificates snap-in within the Microsoft Management Console (see below for instructions), then:

  1. Browse to the Personal certificates in the left pane (Certificates (Local Computer) > Personal > Certificates)
  2. Find the certificate you created earlier (there is a Friendly Name column)
  3. Right-click the certificate and select “All Tasks > Export…”
  4. Select Next
  5. Select “No, do not export the private key”, then select Next.  A client only needs the public certificate to verify the server; the private key should never leave the server
  6. Select “DER encoded binary X.509 (.CER)”, then select Next
  7. Type (or browse to) the location where you want to save the certificate, then select Next and Finish

Import the certificate into the Third-Party Root Certification Authorities store

Open the Certificates snap-in within the Microsoft Management Console (see below for instructions), then:

  1. Right-click the Certificates folder under Third-Party Root Certification Authorities (Certificates (Local Computer) > Third-Party Root Certification Authorities > Certificates)
  2. Select “All Tasks > Import…”, then select Next
  3. Browse to the certificate you exported earlier, then select Next
  4. Select Next, then Finish

You should now be able to call operations on your newly secured WCF service.  Bear in mind that the self-signed certificate is now a trusted root for every user and process on that machine: remove it from the store when you no longer need it, and only ever import it on development machines you control, never on a shared or production box.
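The export and import above, scripted with the .NET certificate store classes so that it can be repeated on each developer machine, as an added example that is not from the original post.  The friendly name “WCF Dev” is an assumption, and the program must run elevated because it writes to a Local Computer store.  IsTrusted performs the same chain build that the client performs, so it shows whether the trust-relationship error should now be gone, and Untrust undoes the import when you are finished.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class DevCertificateStore
{
    // Finds the IIS-generated certificate in Local Computer > Personal by the friendly
    // name given in IIS Manager.
    public static X509Certificate2 FindByFriendlyName(string friendlyName)
    {
        X509Store personal = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        personal.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in personal.Certificates)
            {
                if (string.Equals(cert.FriendlyName, friendlyName, StringComparison.OrdinalIgnoreCase))
                    return cert;
            }
            return null;
        }
        finally
        {
            personal.Close();
        }
    }

    // X509ContentType.Cert is the DER .cer export: certificate only, never the private key,
    // which is what "No, do not export the private key" selects in the wizard.
    public static X509Certificate2 PublicPartOf(X509Certificate2 cert)
    {
        return new X509Certificate2(cert.Export(X509ContentType.Cert));
    }

    // StoreName.AuthRoot is "Third-Party Root Certification Authorities". Requires elevation.
    public static void Trust(X509Certificate2 cert)
    {
        X509Store authRoot = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);
        authRoot.Open(OpenFlags.ReadWrite);
        try { authRoot.Add(PublicPartOf(cert)); }
        finally { authRoot.Close(); }
    }

    // Cleanup for when the development certificate is no longer needed.
    public static void Untrust(X509Certificate2 cert)
    {
        X509Store authRoot = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);
        authRoot.Open(OpenFlags.ReadWrite);
        try { authRoot.Remove(PublicPartOf(cert)); }
        finally { authRoot.Close(); }
    }

    // Builds the chain the way the client does. A self-signed development certificate
    // publishes no CRL, so revocation checking is skipped here.
    public static bool IsTrusted(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }

    public static void Main(string[] args)
    {
        string friendlyName = args.Length > 0 ? args[0] : "WCF Dev";   // assumed friendly name
        X509Certificate2 cert = FindByFriendlyName(friendlyName);
        if (cert == null)
        {
            Console.WriteLine("No certificate with friendly name '{0}' in LocalMachine\\My.", friendlyName);
            return;
        }
        // The subject is what the host name in the HTTPS address has to match.
        Console.WriteLine("Subject:    {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
        Console.WriteLine("Trusted before: {0}", IsTrusted(cert));
        if (!IsTrusted(cert))
            Trust(cert);
        Console.WriteLine("Trusted after:  {0}", IsTrusted(cert));
    }
}
```

If IsTrusted reports true but the client still fails, compare the printed subject with the host name in the endpoint address; a mismatch produces the same error text and cannot be cured by trusting the certificate.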

 

Instructions for opening the Certificates Snap-in

In order to open the certificates snap-in, follow these steps:

  1. Open the Microsoft Management Console (Start > Run > MMC)
  2. Browse to File > Add/Remove Snap-in…
  3. Select “Certificates” from the list of available snap-ins and select Add
  4. Choose the “Computer account” radio button on the dialog box, select Next and leave “Local computer” selected
  5. Select Finish, then OK

WCF

Comments

9/24/2009 3:18:56 PM #

hajan

Nice entry :)

hajan Macedonia (FYROM)
