TLS handshake failure, CurrentUser works while LocalMachine does not


I'm trying to configure a WCF client to use a certificate to communicate securely with a server. When the certificate is located in the CurrentUser certificate store, everything works fine. I can use Wireshark to see that the handshake takes place, and client/server communication works as expected.

When I use the same certificate from the LocalMachine certificate store, I get the error Could not establish secure channel for SSL/TLS with authority. Is there anything special I need to consider when using the LocalMachine certificate store?

This works:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="endpointCredentialBehavior">
          <clientCredentials>
            <clientCertificate findValue="certTest"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectName"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
</system.serviceModel>

This does not:

<system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="endpointCredentialBehavior">
          <clientCredentials>
            <clientCertificate findValue="certTest"
                               storeLocation="LocalMachine"
                               storeName="My"
                               x509FindType="FindBySubjectName"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
</system.serviceModel>

The certificate is signed and the CA certificate is placed in the Trusted Root Certification Authorities store of both the CurrentUser and the LocalMachine certificate stores.


Answered by FluffyBike:

So, it turned out that when the certificate was added to the LocalMachine certificate store, the certificate was added by an administrator account. But when the WCF client ran, the client ran as a regular user. The account of the regular user did not have access to the private key of the certificate. In order to complete the TLS handshake the user had to be given access to the private key.

To give other users access to a private key, right-click the certificate in the certificate manager, then choose: All Tasks -> Manage Private Keys... You will only see the "Manage Private Keys..." option for a certificate that has an associated private key.
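The same check and fix can be scripted, which is useful when the client runs as a service account on several machines. The script below is an added example and is not part of the question or the answer above. It finds the certificate the way the WCF `FindBySubjectName` lookup does (substring match on the subject), resolves the private key file under `%ProgramData%\Microsoft\Crypto`, lists who currently has access, and, with `-Grant`, adds a Read allow entry for the account the client runs as. The subject name `certTest` comes from the question; the account `DOMAIN\svc-wcfclient` is a placeholder you replace with the real client identity. It assumes an RSA key (CNG or legacy CSP) in the default machine key locations and must be run from an elevated prompt.

```powershell
# Added example, not code from the original question or answer.
# Inspect and optionally grant access to the private key behind a
# LocalMachine\My certificate so a non-admin account can complete a TLS handshake.
param(
    [string]$SubjectName = 'certTest',              # subject substring, as in <clientCertificate findValue="...">
    [string]$Account     = 'DOMAIN\svc-wcfclient',  # PLACEHOLDER: the account the WCF client runs as
    [switch]$Grant                                  # without -Grant the script only reports
)

# 1. Find the certificate the same way FindBySubjectName does: substring match on Subject.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectName*" } |
    Select-Object -First 1
if (-not $cert)                { throw "No certificate matching '$SubjectName' in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

# 2. Resolve the on-disk key container. CNG keys live under ...\Crypto\Keys,
#    legacy CSP (CAPI) keys under ...\Crypto\RSA\MachineKeys. ECDSA keys are out of scope here.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Only RSA private keys are handled by this example" }

$keyPath = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not $keyPath -or -not (Test-Path $keyPath)) {
    throw "Could not locate the key file for certificate $($cert.Thumbprint)"
}
Write-Host "Certificate : $($cert.Subject) ($($cert.Thumbprint))"
Write-Host "Key file    : $keyPath"

# 3. Report the current ACL. This is what 'Manage Private Keys...' shows in the GUI.
$acl = Get-Acl -Path $keyPath
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 4. Decide whether the target account can already read (i.e. use) the key.
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}

if ($hasRead) {
    Write-Host "$Account already has Read access to the private key."
} elseif ($Grant) {
    # Read is sufficient for signing/decrypting during the handshake; do not hand out FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        $readRight,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on the private key to $Account."
} else {
    Write-Warning "$Account has no Read access to the private key; re-run with -Grant to add it."
}
```

Run it once without `-Grant` to confirm the diagnosis matches the answer (the client account is absent from the key file's ACL), then with `-Grant` to apply the minimal fix. Granting only Read mirrors what the GUI dialog offers and keeps the account from being able to delete or replace the key.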