Craftsman at Work

I'm Artur Karbone, coding software architect and independent IT consultant and this is my blog about craftsmanship, architecture, distributed systems, management and much more.

Calling a web service by using a client certificate in IIS

To call a web service by using a client certificate, You need two things:

  • Install a certificate
  • Configure a behavior of Your endpoint (I prefer finding a certificate by its fingerprint). Here is an example:
 <behavior name="YourBehavior">
            <clientCertificate findValue="123491ed3d60220df994c777746f8dcec02c2e07" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" />

It works like a charm in IIS Express. However, when You switch to standard IIS (QA/Prod environments for instance) there is a chance that You are going to keep getting the following error calling a web service "The request was aborted: Could not create SSL/TLS secure channel."

It turned out that You need to manage access level permissions for certificates to get it working. Here are the steps:

  • Import the certificate into the "Local Computer"
  • Right click Your certificate -> All Tasks -> Manage Private Keys
  • Add appropriate permissions for Your account (Application Pool account)

If Website is running under ApplicationPoolIdentity, change the permissions for "IIS AppPool\{AppPoolName}". Where {AppPoolName} is a name of Your application pool.

For more details check out this post

comments powered by Disqus