Fixing SSL/TLS Certificate Issues in WCF API Calls with Client Certificates
Author: vlogommentary
Uploaded: 2025-12-16
Views: 4
Description:
Learn how to resolve SSL/TLS errors when making API calls with client certificates from a WCF service in IIS, focusing on trust and certificate validation issues.
---
This video is based on the question https://stackoverflow.com/q/79513945/ asked by the user 'BummzuaBua' ( https://stackoverflow.com/u/11583274/ ) and on the answer https://stackoverflow.com/a/79520649/ provided by the user 'BummzuaBua' ( https://stackoverflow.com/u/11583274/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: API call with certificate over webservice isn't working
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to drop me a comment under this video.
---
Introduction
When making an API call from a WCF web service that requires a client certificate, you might encounter errors like "Could not create SSL/TLS secure channel" or "Authentication failed because the remote party has closed the transport stream". These errors often don't occur when calling the same API from a desktop test app.
This guide explains why this happens and how to fix it.
The Problem
Your WCF service is running in IIS under a specific application pool and service user. When this service attempts a POST request to an API endpoint using a client certificate:
The call fails with SSL/TLS errors.
The certificate is not transmitted as expected.
The same call from a WinForms test app works correctly.
In short, the WCF-hosted environment is not properly trusting the server or handling the certificate chain.
Root Cause Analysis
Trust Issues with Server Certificate
The primary cause is that the WCF service does not trust the server's SSL certificate.
The server certificate chain is not recognized or is incomplete in the context of the IIS application pool's user.
The service user’s certificate stores (especially Trusted Root Certification Authorities) lack the required root certificate.
This leads to handshake failures and dropped connections.
Differences in Execution Context
The test app runs under your Windows user profile, which likely has the appropriate root CA certificates installed and trusted.
The IIS service user’s certificate stores may be missing these certificates.
How to Verify the Issue
Use Fiddler or a similar tool to inspect the HTTPS traffic.
If the server certificate validation fails, it confirms a trust problem.
You can temporarily override certificate validation in your code:
[[See Video to Reveal this Text or Code Snippet]]
Warning: This disables SSL validation and must never be used in production.
If this workaround makes the call succeed, the cause is definitely certificate trust.
Fixing the Problem
1. Install the Root CA Certificate
Obtain the root (and any intermediate) certificates from the API server's SSL provider.
Install these certificates into the Trusted Root Certification Authorities store for the Local Machine or the service account running the IIS application pool.
This ensures the WCF service trusts the server certificate.
2. Use Proper Certificate Store Access
Ensure your code accesses certificates from the right store, with correct permissions:
[[See Video to Reveal this Text or Code Snippet]]
3. Configure TLS Versions
Ensure your application supports current TLS versions:
[[See Video to Reveal this Text or Code Snippet]]
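The following C# is an added example, not the code hidden in the video or taken from the original Stack Overflow post. It loads the client certificate from the Local Machine store, checks that the current identity can use its private key, and logs which element of the server chain fails validation while keeping validation enforced. The class and method names, the use of HttpWebRequest, the thumbprint lookup, and TLS 1.2 are assumptions.

```csharp
// Added example (not from the video); class and method names are hypothetical.
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TlsTrustDiagnostics
{
    // Load the client certificate from LocalMachine\My and confirm the current identity can use its key.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: false, so an expired or untrusted certificate is still found and reported.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found in LocalMachine\\My.");
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key.");
            // Opening the key typically throws CryptographicException when the identity lacks read access.
            using (var key = cert.GetRSAPrivateKey())
                if (key == null) Trace.TraceWarning("No usable RSA private key was returned.");
            return cert;
        }
    }
    // Log which chain element fails and why, but keep validation enforced.
    public static bool LogAndValidate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Trace.TraceError("Server certificate rejected: " + errors);
        if (chain != null)
            foreach (X509ChainElement element in chain.ChainElements)
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Trace.TraceError("  " + element.Certificate.Subject + ": " + status.Status);
        return false;
    }
    public static HttpWebRequest CreateRequest(string url, string thumbprint)
    {
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12; // assumption: TLS 1.2
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "POST";
        request.ClientCertificates.Add(LoadClientCertificate(thumbprint));
        request.ServerCertificateValidationCallback = LogAndValidate;
        return request;
    }
}
```

Run it under the same identity as the IIS application pool; the messages go to whatever System.Diagnostics trace listeners the service has configured.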
Summary
To resolve SSL/TLS errors in WCF API calls with client certificates:
Verify and install the root CA certificates trusted by the remote API server on the IIS machine and under the service user.
Avoid disabling SSL validation in production.
Confirm your WCF service process has access to the client certificate.
By carefully managing certificate stores and trust settings, you can ensure secure and error-free HTTPS calls from WCF services hosted in IIS.