using Self-Signed SSL certificate with WCF ws2007FederationBinding
I'm at my wit's end, and I'm hoping you can help me. I'm trying to get active WS-Trust authentication going with WIF from a web application to a web service, using a self-signed certificate.
I've already tried the following:
1) Install certificate in machine certificate store under Trusted Root Certification Authorities, Personal, and Trusted People
2) Make sure 'Everyone' has full access to Crypto/RSA/MachineKeys folder
3) Override certificate validation with ServicePointManager.ServerCertificateValidationCallback, to a method that just returns true. I can debug into this method and watch it return true.
And I STILL see this in the System.ServiceModel trace:
[0832] SecureChannel#66940002 - Certificate name mismatch.
[0832] SecureChannel#66940002 - Remote certificate was verified as invalid by the user.
And the application blows up with: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
That's because the ServerCertificateValidationCallback only does the SSL related part of the certificate verification.
So if it's still broken, this means there is not only SSL at play here.
In fact WS-Trust is built on top of WS-Security, and WS-Security does a signature of the headers of your message. And the verification of that signature is not impacted by ServerCertificateValidationCallback.
You certainly have a second certificate signing the WS-Security headers of your message.
There's a different piece of code that verifies if the name of that certificate matches the value in the identity node of the endpoint settings, as below:
<endpoint address="...">
  <identity>
    <dns value="PUT CN OF THE MESSAGE SIGNATURE CERTIFICATE HERE" />
  </identity>
</endpoint>
If in addition the message signature certificate doesn't validate, you can disable its validation by modifying "behaviors/endpointBehaviors/behavior/clientCredentials/serviceCertificate/authentication". You set the certificateValidationMode attribute there to "None".
Or you set it to Custom, and will then have to implement your own validator, that derives from System.IdentityModel.Selectors.X509CertificateValidator and overrides the Validate callback.
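As an added example (not code from the answer above), here is what the "Custom" route looks like in C#: a validator deriving from System.IdentityModel.Selectors.X509CertificateValidator that, instead of accepting everything, pins the self-signed message-signature certificate by thumbprint, plus a helper that wires it into the proxy's ClientCredentials in code. The class name, the helper, and the thumbprint value are assumptions; replace the placeholder with the thumbprint of your own certificate.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical validator: accepts only the one self-signed certificate whose
// SHA-1 thumbprint we expect, so a swapped certificate is still rejected.
public class PinnedThumbprintValidator : X509CertificateValidator
{
    // Placeholder; put the thumbprint of the message-signature certificate here.
    private const string ExpectedThumbprint = "PLACEHOLDER_THUMBPRINT_HEX";

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        // The certificate MMC snap-in shows thumbprints with spaces; normalise first.
        string actual = (certificate.Thumbprint ?? string.Empty).Replace(" ", string.Empty);
        if (!string.Equals(actual, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Message signature certificate does not match the pinned thumbprint.");

        // Pinning skips chain building, so check the validity period ourselves.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException(
                "Message signature certificate is expired or not yet valid.");
    }

    // Code equivalent of the config path the answer names:
    // clientCredentials/serviceCertificate/authentication with
    // certificateValidationMode="Custom" and
    // customCertificateValidatorType="PinnedThumbprintValidator, <YourAssembly>".
    public static void Apply(ClientCredentials credentials)
    {
        X509ServiceCertificateAuthentication auth = credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator();
    }
}
```

Call `PinnedThumbprintValidator.Apply(client.ClientCredentials)` on the generated proxy before opening the channel; the endpoint identity `<dns>` check described above still applies independently of this validator.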