Tuesday, July 15, 2014

WCF client certificate not sent to the service

When using 2-way SSL (client certificate authentication), are you seeing this error?

Could not create SSL/TLS secure channel.

Possible Frustrations:

  • You have enabled WCF tracing and it doesn't even give a clue.
  • The system logs don't say anything either.
  • It works fine on the development machine, but not on the production server (possibly running on IIS 7+).
  • You have no idea what to do.
  • Google / StackOverflow is not helping either. ==> Your fault. Learn to talk to a machine.
  • A packet trace of the SSL handshake looks something like this:
    1. [Client => Server] Client Hello
    2. [Server => Client] Server Hello
    3. [Server => Client] Server Certificate
    4. [Server => Client] Certificate Request
    5. [Client => Server] Certificate, Key Exchange, Verify, Cipher Spec
    6. [Server => Client] Error
The cause of the error is at stage 5: the client is not sending its certificate.

If you examine the packets, you will see something like this (note the empty certificate list):

TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 1464
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 936
            Certificates Length: 0
            Certificates: 0



After trying different things, I did get it fixed.

The reason was that the user account under which your client runs has no permission to read the certificate's private key. SChannel needs that key to sign the Certificate Verify message at stage 5; when it cannot open the key, it silently sends an empty certificate list instead, and the server rejects the handshake.

So, here's how to get it fixed.


  1. Start => Run => type "mmc" => <press Enter> => go to File => Add or Remove Snap-ins
  2. Select "Certificates" on the left-hand side (Available Snap-ins).
  3. Press "Add >" or double-click on it.
  4. A new window opens ("Certificates snap-in"); select "Computer Account".
  5. Click Next.
  6. Select "Local Computer" => Finish.
  7. Check the "Selected Snap-ins" box; "Certificates (Local Computer)" should be listed there ==> OK.
  8. Go to Personal => Certificates => if your certificate is there, delete it.
  9. If you know your certificate is in some other folder, go there and delete it.
  10. Import your certificate again; this time make sure you have selected the option to export the private key.
  11. Ctrl + drag your certificate to the Personal certificates folder. You need it there.
  12. Now select your certificate => right-click => All Tasks => Manage Private Keys.
  13. Now click on Add.
  14. Go to IIS and note down which user your app pool is running as.
  15. Come back to the certificates console and add that user using the "Select Users or Groups" dialog.
  16. Now it should work.
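The same fix can be scripted, which is handy when you have to repeat it on several servers. The script below is an added example, not part of the original post: it does what steps 12 to 15 do in the GUI by locating the private key container file on disk and granting the app pool identity Read access to it. It assumes the certificate is already imported into the Local Computer\Personal store with its private key, and the thumbprint and app pool name are placeholders you replace with your own. For a built-in app pool identity the account name is "IIS AppPool\<pool name>", which is also what you type in the "Select Users or Groups" dialog.

```powershell
# Added example (not from the original post): scripted equivalent of steps 12-15.
# Assumptions: the certificate is in Cert:\LocalMachine\My, the values below are
# placeholders, and .NET Framework 4.6+ is present (for GetRSAPrivateKey).
$Thumbprint  = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'
$AppPoolUser = 'IIS AppPool\REPLACE_WITH_APP_POOL_NAME'   # identity noted in IIS (step 14)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My (steps 8-11)." }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import it with the key (step 10)." }

# Locate the on-disk key container. CAPI (CSP) keys live under RSA\MachineKeys,
# CNG (KSP) keys under Crypto\Keys; "Manage Private Keys" edits the ACL of this same file.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Grant the app pool identity Read on the key file (what "Manage Private Keys" => Add does).
# Read is enough to use the key for TLS; do not grant Full Control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the ACL should now list the app pool identity with Read access.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $AppPoolUser } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell on the server; after recycling the app pool, a fresh packet capture should show a non-empty Certificate message at stage 5.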
Confused?
Comments are always welcome.


References: http://serverfault.com/questions/131046/how-to-grant-iis-7-5-access-to-a-certificate-in-certificate-store