WCF example: Using of self-hosted service with SSL


To establish HTTP communication, WCF internally uses HttpTransportBindingElement for HTTP and HttpsTransportBindingElement for HTTPS. Both binding elements are implemented on top of System.Net.HttpListener, which is part of .NET 2.0.

 

This class utilizes the http.sys driver, which is the HTTP protocol implementation hosted in the Windows kernel. This is the reason why this functionality (HttpListener) is available only on XP SP2 and newer.

 

Usually, when the WCF service has to support SSL and IIS is used as the host, there is a nice GUI in the Internet connection manager which makes it easy to install the certificate for SSL.

Unfortunately, the HttpListener is not a product, and its configuration is a little more sophisticated.

 

So, our goal is to configure HttpListener to be able to host the WCF service over SSL.

 

Creating and installing of the server certificate for SSL

 

Before the listener can be configured, first the required server certificate has to be created and properly installed:

 

The following line shows how to create the test X509 certificate which will be used for SSL communication on the machine 192.168.100.186.

 

 

makecert.exe -sr LocalMachine -ss My -n CN=192.168.100.186 -sky exchange -sk -pe

 

Note that this machine (with IP 192.168.100.186) will host the WCF service, which should support HTTPS. Please also note that the test certificate created with the makecert tool is signed by the virtual trust center ‘Root Agency’ (self-signed, for testing purposes only).

 

After this command is executed, the new certificate with its private key is created and stored in the LocalMachine Personal store. To see it, use the MMC certificates snap-in.

 

After this step the HttpListener could already be configured. However, in the test scenario there will be a client which will probably run on the same machine. Because of this, execute the following command to install the newly created server certificate in the user’s “Trusted People” store.

 

certmgr.exe -add -r LocalMachine -s My -c -n 192.168.100.186 -r CurrentUser -s TrustedPeople

 

This command reads the server’s certificate (created in the previous step with makecert.exe) with the friendly name CN=192.168.100.186 from the LocalMachine “Personal” store and places one copy in the CurrentUser “Trusted People” store.

This establishes the client’s trust in the certificate.

 

Configuring HttpListener

 

The first thing you have to do is to download the required tool HttpCfg.exe, which is a part of the Windows XP SP2 Support Tools (download here).

 

 

Here are some examples:

 

Configure HttpListener to provide SSL on all IP addresses, but only on port 999.

Httpcfg.exe set ssl -i 0.0.0.0:999 -h e81bada10ffddf6fce0628ab491eecf8d2a4d070 -Personal

 

The value specified in the argument –h is the certificate's thumbprint (hash), which can be copied from any certificate viewer. I used the MMC certificates snap-in to browse for the certificate. Under the Details tab, select Thumbprint and copy the binary value. Finally, remove all blanks.
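Copying the thumbprint by hand is where most binding failures start (a stray blank or a certificate without its private key). The following C# program is an added example, not code from the original post: it looks the certificate up in LocalMachine\My by the subject name used above (192.168.100.186), checks that a private key is present, and prints the hash in the continuous form that Httpcfg.exe expects. The netsh line it also prints is the Vista-and-later replacement for httpcfg; the appid GUID is an arbitrary identifier for the owning application.

```csharp
// Added example (not from the original post): locate the makecert test certificate
// in LocalMachine\My and print its thumbprint in the form httpcfg/netsh expect.
using System;
using System.Security.Cryptography.X509Certificates;

public static class SslCertLookup
{
    // Subject name used in the post's makecert command; adjust for your host.
    public const string SubjectName = "192.168.100.186";

    // Returns the newest certificate in LocalMachine\My whose subject contains
    // 'subjectName' and that carries a private key, or null if none is found.
    public static X509Certificate2 FindServerCert(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2 best = null;
            foreach (X509Certificate2 cert in store.Certificates.Find(
                         X509FindType.FindBySubjectName, subjectName, false))
            {
                // http.sys needs the private key to terminate TLS; skip public-only copies.
                if (!cert.HasPrivateKey) continue;
                if (best == null || cert.NotAfter > best.NotAfter) best = cert;
            }
            return best;
        }
        finally
        {
            store.Close();
        }
    }

    // Thumbprint as one continuous hex string: the same value you get by copying
    // it from the MMC Details tab and removing the blanks.
    public static string HashForHttpCfg(X509Certificate2 cert)
    {
        return cert.Thumbprint.Replace(" ", "").Trim();
    }

    public static void Main()
    {
        X509Certificate2 cert = FindServerCert(SubjectName);
        if (cert == null)
        {
            Console.WriteLine("No certificate with a private key for CN={0} in LocalMachine\\My", SubjectName);
            return;
        }
        if (cert.NotAfter < DateTime.Now)
            Console.WriteLine("Warning: certificate expired on {0}", cert.NotAfter);

        string hash = HashForHttpCfg(cert);
        Console.WriteLine("Subject   : {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", hash);
        // XP SP2 / Server 2003 tool from the post (-c names the store; MY is the Personal store):
        Console.WriteLine("Httpcfg.exe set ssl -i 0.0.0.0:999 -h {0} -c MY", hash);
        // Vista and later replacement; appid is any GUID identifying the owning application.
        Console.WriteLine("netsh http add sslcert ipport=0.0.0.0:999 certhash={0} appid={{{1}}}",
                          hash, Guid.NewGuid());
    }
}
```

Run it elevated on the machine that will host the service, since LocalMachine\My is only fully readable with administrative rights; if it reports no certificate with a private key, the makecert step did not produce what http.sys needs and the later httpcfg call will bind nothing usable.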

 

The following command is useful to show which certificates are already configured:

 

Httpcfg.exe query ssl

 

After executing it, a result like the following could appear:

 

 IP                      : 0.0.0.0:999

 Hash                    : 2b7f1ebe2ae632c5d7328a8f849ffde0b4 3c07c

 Guid                    : {00000000-0000-0000-0000-000000000000}

 CertStoreName           : MY

 CertCheckMode           : 0

 RevocationFreshnessTime : 0

 UrlRetrievalTimeout     : 0

 SslCtlIdentifier        : (null)

 SslCtlStoreName         : (null)

 Flags                   : 0

 

Sometimes it is useful to delete the previously configured certificate, before the new one is installed:

Httpcfg.exe delete ssl -i 0.0.0.0:999

 

 

More information about this tool can be found here.

 

Implementing and configuring service and client

 

The required configuration is shown below:

 

 

<services>
  <service name="Microsoft.ServiceModel.Samples.CalculatorService">
    <endpoint address="https://192.168.100.186:999/wcftest"
              binding="basicHttpBinding"
              bindingConfiguration="Binding2"
              contract="Microsoft.ServiceModel.Samples.ICalculator">
    </endpoint>
  </service>
</services>

<bindings>
  <basicHttpBinding>
    <binding name="Binding2">
      <security mode="Transport">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

Note that the specified address has to match the address used when configuring the HttpListener. In this case this was 0.0.0.0:999, which matches the address used in the endpoint: https://192.168.100.186:999/wcftest.

 

Remember that the hostname specified in the address has to be the same as the friendly name given to the certificate. In this case the IP address has been used as the name. Otherwise the certificate trust check will fail.
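The same endpoint and binding can be set up entirely in code, which is useful when no app.config is wanted. The program below is an added example and not the post's own code: it declares a minimal ICalculator contract in the Microsoft.ServiceModel.Samples namespace the configuration refers to, hosts it with a BasicHttpBinding in Transport mode with Basic client credentials, and calls it from a client on the same machine. The Windows user name and password passed to the client are placeholders; http.sys checks Basic credentials against accounts on the host.

```csharp
// Added example (not the original post's code): the app.config above expressed in
// code, for a self-hosted service and a client running on the same machine.
using System;
using System.ServiceModel;

namespace Microsoft.ServiceModel.Samples
{
    [ServiceContract]
    public interface ICalculator
    {
        [OperationContract]
        double Add(double n1, double n2);
    }

    public class CalculatorService : ICalculator
    {
        public double Add(double n1, double n2) { return n1 + n2; }
    }

    public static class SslHostDemo
    {
        // Must match the IP:port registered with httpcfg and the certificate's CN.
        const string Address = "https://192.168.100.186:999/wcftest";

        // Equivalent of <security mode="Transport"><transport clientCredentialType="Basic"/>
        public static BasicHttpBinding CreateBinding()
        {
            var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
            return binding;
        }

        public static ServiceHost StartHost()
        {
            var host = new ServiceHost(typeof(CalculatorService));
            host.AddServiceEndpoint(typeof(ICalculator), CreateBinding(), Address);
            host.Open();   // throws here if http.sys has no certificate bound to 0.0.0.0:999
            return host;
        }

        // Basic credentials are validated by http.sys against Windows accounts on the host.
        public static double CallAdd(string user, string password)
        {
            var factory = new ChannelFactory<ICalculator>(CreateBinding(), new EndpointAddress(Address));
            factory.Credentials.UserName.UserName = user;
            factory.Credentials.UserName.Password = password;
            ICalculator proxy = factory.CreateChannel();
            try
            {
                return proxy.Add(2, 3);
            }
            finally
            {
                ((IClientChannel)proxy).Close();
                factory.Close();
            }
        }

        public static void Main()
        {
            using (ServiceHost host = StartHost())
            {
                Console.WriteLine("Listening on {0}", Address);
                // Placeholder credentials: replace with a real local account for testing.
                Console.WriteLine("2 + 3 = {0}", CallAdd("WINDOWS-USER", "PASSWORD"));
            }
        }
    }
}
```

Because the client trusts the server certificate through the CurrentUser “Trusted People” store populated earlier, the proxy call succeeds without any validation callback as long as the certificate's name matches the host part of the address.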

 

If there are any problems (and you will have them for sure) during “preparation” of the infrastructure for this example, it is useful to use the following handler, which catches any trust error:

 

using System.Net;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallback(customCertificateValidation);

private static bool customCertificateValidation(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
    // Diagnostic only: every certificate is accepted, so the trust error is visible in 'error' but never enforced.
    return true;
}

 

If the “error” argument is “None”, everything worked fine. Note that returning true means that all errors are simply ignored. Never use this code in a production environment!
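A handler that keeps the diagnostic value of the callback above without accepting every certificate is shown below. This is an added example, not code from the post: it logs the SslPolicyErrors and the chain status, refuses a missing certificate outright, and tolerates the untrusted ‘Root Agency’ chain only when the presented thumbprint equals that of the one makecert certificate created earlier. The thumbprint constant is a placeholder to be replaced with the value copied from the MMC snap-in.

```csharp
// Added example (not from the original post): a diagnostic callback that logs why
// validation failed but accepts only the known makecert test certificate.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class TestCertValidation
{
    // Placeholder: thumbprint of the makecert certificate, copied from the MMC snap-in.
    public static string ExpectedThumbprint = "REPLACE-WITH-TEST-CERT-THUMBPRINT";

    public static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;   // normal path: name, chain and availability all checked out

        Console.WriteLine("TLS validation failed: {0}", errors);
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain: {0} {1}", status.Status, status.StatusInformation);

        // A missing certificate is never acceptable, whatever the thumbprint says.
        if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Tolerate the untrusted 'Root Agency' chain (or a name mismatch) only for
        // the single certificate we created ourselves.
        string presented = new X509Certificate2(cert).Thumbprint;
        string expected = ExpectedThumbprint.Replace(" ", "").Trim();
        bool pinned = string.Equals(presented, expected, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("  presented thumbprint {0}, pinned match: {1}", presented, pinned);
        return pinned;
    }

    // Register the callback before the first HTTPS request is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += ValidateServerCertificate;
    }
}
```

When the ‘Trusted People’ import was done correctly, the log line never appears because errors is None; seeing RemoteCertificateChainErrors with a pinned match tells you the certmgr step was skipped, and RemoteCertificateNameMismatch tells you the endpoint address and the certificate name differ.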

 

The full very simple example can be found here.


 

 


Posted Aug 01 2006, 06:58 PM by Damir Dobric
Filed under:

Comments

Damir Dobric wrote re: WCF example: Using of self-hosted service with SSL
on 08-02-2006 12:40
Damir Dobric wrote re: WCF example: Using of self-hosted service with SSL
on 07-05-2008 16:13

The command above should look like: certmgr.exe -add -r LocalMachine -s My -c -n localhost -r CurrentUser -s TrustedPeople

sara wrote re: WCF example: Using of self-hosted service with SSL
on 02-01-2010 16:00

I used your example to create an https WCF service..

when i try to browse my service with url 10.200.0.194/WCFServiceCertificate3

I get following error

No protocol binding matches the given address '10.200.0.194/WCFServiceCertificate3'. Protocol bindings are configured at the Site level in IIS or WAS configuration.

I didn't change the SSL setting in IIS, do I need to change that??

Damir Dobric wrote re: WCF example: Using of self-hosted service with SSL
on 02-01-2010 23:06

Hi Sara, your site is not configured for SSL.

sanousy howari wrote re: WCF example: Using of self-hosted service with SSL
on 11-14-2011 23:36

Hi Damir,

Actually a good article, especially written in 2006!! (Wow).

I have a task in my current job, to implement a self hosted WCF with SSL (Transport x.509 cert) but also to be configured internally ( not via app.config).

.net 4/ Windows 7 Platform.

My problem is that the old command line tools like http config .... ammm I'm not sure but several tools are there and everyone of them is different ...

makecert.exe

certmgr.exe

netsh.exe

httpconfig.exe

RegisterServiceModel.exe .... and more ...

in addition some articles are talking about a single certificate, others are talking about two different self signed certificates, and others are talking about a root certificate and two different certificates signed by the root certificate ... and finally others tend to say makecert.exe certificates don't work at all

others provide some code to suppress errors over personally created certificates  ...

they all pretend it works ... but none of them worked fine for me .... even I think I exceeded 73 different examples up to now, none of them worked ...

Can you give me a hand and provide a single example that I can use to study so I can accomplish my task in my job please?

Appreciated in forward!!

Sanousy

Ralph wrote re: WCF example: Using of self-hosted service with SSL
on 10-31-2012 2:21

I found that I needed to add a validation username/password which means the error is gone but the test transactions are not going through the Beanstream gateway. Where do I enter the username/password for validation against a transaction? There is nothing coming through to the Beanstream server when a transaction has been done in the shopping cart. There's no record of it which means the transaction was not passed to the merchant (so no $$ collected). I'm a newbie and would really appreciate your help. Thanks.

developers.de is a .Net Community Blog powered by daenet GmbH.