<certificate> of <clientCertificate> Element
Specifies an X.509 certificate used to sign and encrypt messages.
Schema Hierarchy
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior> of <serviceBehaviors>
<serviceCredentials>
<clientCertificate> of <serviceCredentials>
<certificate> of <clientCertificate> Element
Syntax
<certificate findValue = "String"
storeLocation = "CurrentUser/LocalMachine"
storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
x509FindType="FindByThumbPrint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier"
/>
Attribute names in the configuration file are case-sensitive; the find-type attribute is spelled x509FindType.
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
Attribute | Description |
---|---|
findValue | A string that contains the value to search for in the X.509 certificate store. The string must be in the form required by the specified x509FindType (for example, a hexadecimal thumbprint for FindByThumbprint, or a distinguished name for FindBySubjectDistinguishedName). The default is an empty string. |
storeLocation | Specifies the location of the X.509 certificate store from which the service retrieves the client's certificate. Valid values are CurrentUser and LocalMachine. The default is LocalMachine. |
storeName | Specifies the name of the X.509 certificate store to open. Valid values are AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople, and TrustedPublisher. The default is My. |
x509FindType | Defines the type of X.509 search to execute. Valid values are FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, and FindBySubjectKeyIdentifier. The value in the findValue attribute must satisfy the requirements of the specified x509FindType. The search must resolve to exactly one certificate: no match or more than one match causes the service host to fail to open, so FindByThumbprint or FindBySubjectDistinguishedName is preferable to the substring-based FindBySubjectName. The default value is FindBySubjectDistinguishedName. |
Child Elements
None.
Parent Elements
Element | Description |
---|---|
<clientCertificate> of <serviceCredentials> | Specifies the client certificate the service holds in advance and the settings the service uses to validate certificates presented by clients. |
Remarks
The <certificate> element is used when the service must have the client's certificate in advance to communicate securely with the client. This occurs when using the duplex communication pattern. In the more typical request/response pattern, the client includes its certificate in the request, and the service uses the public key in that certificate to encrypt its response back to the client (the response itself is signed with the service's own certificate). In the duplex communication pattern, however, the service does not have a request from the client and therefore needs the client's certificate in advance to secure the message it sends to the client. Therefore you must obtain the client's certificate through an out-of-band exchange, install it in a store on the service machine, and identify it using this element. Only the client's public certificate is needed on the service side; the client's private key should never be copied into the service's store. For more information about duplex services, see How to: Create a Duplex Contract.
Example
The following configuration shows how to locate an appropriate X.509 certificate and how to specify a custom validation type in the <authentication> element. Note that <clientCertificate> must be nested inside <serviceCredentials>, as in the schema hierarchy above.
<serviceBehaviors>
  <behavior name="myServiceBehavior">
    <serviceCredentials>
      <clientCertificate>
        <certificate
          findValue="www.cohowinery.com"
          storeLocation="CurrentUser"
          storeName="TrustedPeople"
          x509FindType="FindByIssuerName" />
        <authentication customCertificateValidatorType="MyTypes.Coho"
          certificateValidationMode="Custom"
          revocationMode="Offline"
          includeWindowsGroups="false"
          mapClientCertificateToWindowsAccount="true" />
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
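Before deploying a <certificate> element it is worth confirming, on the service machine, that the four attributes resolve to exactly one certificate, because WCF performs the same X509Store.Find lookup at host open time and refuses both zero and multiple matches. The following PowerShell function is an added example, not code from this page or from WCF; the function and parameter names are this example's own, while the .NET X509Store, X509FindType and X509Certificate2 members it calls are the real framework APIs. It mirrors the element's attributes as parameters, applies the same defaults, and reports the conditions that make a lookup fail or match the wrong certificate.

```powershell
# Added example; not code from the MSDN page. Function and parameter names are
# this example's own; the .NET X509Store/X509FindType APIs it calls are real.
function Test-WcfClientCertificateLookup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FindValue,
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $StoreLocation = 'LocalMachine',
        [ValidateSet('AddressBook', 'AuthRoot', 'CertificateAuthority', 'Disallowed',
                     'My', 'Root', 'TrustedPeople', 'TrustedPublisher')]
        [string] $StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.X509FindType]
        $X509FindType = 'FindBySubjectDistinguishedName'
    )

    $value = $FindValue
    if ($X509FindType -eq 'FindByThumbprint') {
        # Thumbprints pasted from certmgr.msc often carry a hidden left-to-right
        # mark and spaces; the raw string is compared, so the lookup silently fails.
        $value = ($FindValue -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($value -ne $FindValue) {
            Write-Warning "findValue contains non-hex characters; use '$value' in the config."
        }
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false so an expired or untrusted certificate is still reported
        # rather than hidden; chain status is evaluated per certificate below.
        $found = $store.Certificates.Find($X509FindType, $value, $false)
    }
    finally {
        $store.Close()
    }

    switch ($found.Count) {
        0 { Write-Warning "No certificate in $StoreLocation\$StoreName matches $X509FindType='$value'; the service host will fail to open." }
        1 { Write-Verbose "Exactly one match, which is what the service requires." }
        default { Write-Warning "$($found.Count) certificates match; an ambiguous lookup is rejected. Use FindByThumbprint or FindBySubjectDistinguishedName." }
    }
    if ($X509FindType -eq 'FindBySubjectName') {
        Write-Warning "FindBySubjectName is a case-insensitive substring match; '$value' also matches any subject that merely contains it."
    }

    foreach ($cert in $found) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            ChainValid    = $cert.Verify()
            # The service needs only the client's public certificate; a private key
            # for the client's identity should not be present in the service's store.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# Check the lookup from the configuration example above against this host's stores.
Test-WcfClientCertificateLookup -FindValue 'www.cohowinery.com' -StoreLocation CurrentUser `
    -StoreName TrustedPeople -X509FindType FindByIssuerName -Verbose
```

Run it under the same account the service process uses, since a CurrentUser store is per account and a certificate visible in an administrator's console is not necessarily visible to the service identity. A HasPrivateKey value of true for the client's certificate on the service side indicates that the client's private key was copied along with the public certificate and should be removed.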
See Also
Reference
Certificate
X509ClientCertificateCredentialsElement
Other Resources
Security Behaviors in WCF
How To: Create a Service Employing a Custom Certificate Validator
Working with Certificates
© 2007 Microsoft Corporation. All rights reserved.
Last Published: 2010-01-05