How to: Configure a Port with an SSL Certificate - WCF (2024)


When creating a self-hosted Windows Communication Foundation (WCF) service with the WSHttpBinding class that uses transport security, you must also configure a port with an X.509 certificate. If you are not creating a self-hosted service, you can host your service on Internet Information Services (IIS). For more information, see HTTP Transport Security.

To configure a port, the tool you use depends on the operating system that is running on your machine.

If you are running Windows Server 2003, use the HttpCfg.exe tool. On Windows Server 2003, this tool is installed. For more information, see Httpcfg Overview. The Windows Support Tools documentation explains the syntax for the Httpcfg.exe tool.

If you are running Windows Vista, use the Netsh.exe tool that is already installed.

Determine how ports are configured

  1. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool to view the current port configuration, using the query and ssl switches, as shown in the following example.

    httpcfg query ssl

  2. In Windows Vista, use the Netsh.exe tool to view the current port configuration, as shown in the following example.

    netsh http show sslcert 

Get a certificate's thumbprint

  1. Use the Certificates MMC snap-in to find an X.509 certificate that has an intended purpose of client authentication. For more information, see How to: View Certificates with the MMC Snap-in.

  2. Access the certificate's thumbprint. For more information, see How to: Retrieve the Thumbprint of a Certificate.

  3. Copy the thumbprint of the certificate into a text editor, such as Notepad.

  4. Remove all spaces between the hexadecimal characters. One way to accomplish this is to use the text editor's find-and-replace feature and replace each space with nothing (an empty replacement string).

Bind an SSL certificate to a port number

  1. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool in "set" mode on the Secure Sockets Layer (SSL) store to bind the certificate to a port number. The tool uses the thumbprint to identify the certificate, as shown in the following example.

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

    • The -i switch has the syntax of IP:port and instructs the tool to set the certificate to port 8012 of the computer. Optionally, the four zeroes that precede the number can also be replaced by the actual IP address of the computer.

    • The -h switch specifies the thumbprint of the certificate.

  2. In Windows Vista, use the Netsh.exe tool, as shown in the following example.

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

    • The certhash parameter specifies the thumbprint of the certificate.

    • The ipport parameter specifies the IP address and port, and functions just like the -i switch of the Httpcfg.exe tool described earlier.

    • The appid parameter is a GUID that can be used to identify the owning application.
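
The thumbprint clean-up and binding steps above, as an added PowerShell example that is not part of the original article: it strips spaces and invisible characters from a pasted thumbprint, checks the certificate in the LocalMachine\My store, and returns the netsh command for review. The function names and the sample thumbprint are constructed for illustration.

```powershell
# Added example, not from the original article. Run in an elevated session.
function ConvertTo-CleanThumbprint {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)
    # Drop spaces and every other non-hex character, including the invisible
    # U+200E mark that can precede a thumbprint copied from the certificate dialog.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

function New-SslBindingCommand {       # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$IpPort,
        [guid]$AppId = [guid]::NewGuid(),
        [switch]$NegotiateClientCert
    )
    $hash = ConvertTo-CleanThumbprint $Thumbprint
    # Refuse to build a binding for a certificate that is missing from the
    # machine store, lacks its private key, or has already expired.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $cert)                    { throw "No certificate $hash in LocalMachine\My." }
    if (-not $cert.HasPrivateKey)      { throw "Certificate $hash has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $hash expired on $($cert.NotAfter)." }

    $cmd = "netsh http add sslcert ipport=$IpPort certhash=$hash appid=$($AppId.ToString('B'))"
    if ($NegotiateClientCert) { $cmd += ' clientcertnegotiation=enable' }
    $cmd
}

# Constructed input: a thumbprint as it might be pasted, with spaces and a
# leading U+200E. Replace it with a thumbprint from your own store.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
ConvertTo-CleanThumbprint $pasted

# With a real thumbprint, build the command and review it before running it:
# New-SslBindingCommand -Thumbprint $pasted -IpPort '0.0.0.0:8000' -NegotiateClientCert
```

Run the returned command from cmd.exe, or quote the appid value in PowerShell (appid='{...}'), because bare braces are parsed there as a script block.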

Bind an SSL certificate to a port number and support client certificates

  1. In Windows Server 2003 or Windows XP, to support clients that authenticate with X.509 certificates at the transport layer, follow the preceding procedure but pass an additional command-line parameter to HttpCfg.exe, as shown in the following example.

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6 -f 2 

    The -f switch has the syntax of n where n is a number between 1 and 7. A value of 2, as shown in the preceding example, enables client certificates at the transport layer. A value of 3 enables client certificates and maps those certificates to a Windows account. See HttpCfg.exe Help for the behavior of other values.

  2. In Windows Vista, to support clients that authenticate with X.509 certificates at the transport layer, follow the preceding procedure, but with an additional parameter, as shown in the following example.

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable 

Delete an SSL certificate from a port number

  1. Use the HttpCfg.exe or Netsh.exe tool to see the ports and thumbprints of all bindings on the computer. To print the information to disk, use the redirection character ">", as shown in the following example.

    httpcfg query ssl>myMachinePorts.txt

  2. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool with the delete and ssl keywords. Use the -i switch to specify the IP:port number, and the -h switch to specify the thumbprint.

    httpcfg delete ssl -i 0.0.0.0:8005 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

  3. In Windows Vista, use the Netsh.exe tool, as shown in the following example.

    Netsh http delete sslcert ipport=0.0.0.0:8005 
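
An added PowerShell example (not from the original article) that turns netsh http show sslcert output into objects, so the bindings and their client-certificate setting can be reviewed before one is deleted. The field labels assume English-language netsh output, the sample text is constructed and abridged, and ConvertFrom-NetshSslCert is a hypothetical helper name.

```powershell
# Added example, not from the original article.
function ConvertFrom-NetshSslCert {    # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Field lines are indented and look like "    Label   : value".
        if ($line -notmatch '^\s+(?<key>\S.*?)\s+:\s+(?<value>.*?)\s*$') { continue }
        $key, $value = $Matches.key, $Matches.value
        if ($key -like '*:port') {
            # "IP:port" (or "Hostname:port") starts a new binding record.
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $value }
        }
        elseif ($current) {
            switch ($key) {
                'Certificate Hash'             { $current.CertHash = $value.ToUpperInvariant() }
                'Application ID'               { $current.AppId = $value }
                'Negotiate Client Certificate' { $current.ClientCertNegotiation = ($value -eq 'Enabled') }
            }
        }
    }
    if ($current) { [pscustomobject]$current }
}

# Constructed, abridged sample in the layout printed by "netsh http show sslcert".
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:8000
    Certificate Hash             : 00112233445566778899aabbccddeeff00112233
    Application ID               : {00112233-4455-6677-8899-aabbccddeeff}
    Certificate Store Name       : (null)
    Negotiate Client Certificate : Enabled

    IP:port                      : 0.0.0.0:8005
    Certificate Hash             : ffeeddccbbaa99887766554433221100ffeeddcc
    Application ID               : {00112233-4455-6677-8899-aabbccddeeff}
    Certificate Store Name       : (null)
    Negotiate Client Certificate : Disabled
'@ -split '\r?\n'

# For live data, pass the command output instead: (netsh http show sslcert)
$bindings = ConvertFrom-NetshSslCert $sample
$bindings | Format-Table IpPort, CertHash, ClientCertNegotiation

# Bindings whose certificate is no longer in LocalMachine\My are candidates for
# "netsh http delete sslcert ipport=<IpPort>" (assumes the default MY store).
$inStore = (Get-ChildItem Cert:\LocalMachine\My).Thumbprint
$bindings | Where-Object { $_.CertHash -notin $inStore } | Select-Object IpPort, CertHash
```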

Example

The following code shows how to create a self-hosted service using the WSHttpBinding class set to transport security. When creating an application, specify the port number in the address.

    // Requires the System, System.ServiceModel, System.ServiceModel.Security and
    // System.Security.Cryptography.X509Certificates namespaces.

    // This string uses a function to prepend the computer name at run time.
    // Transport security requires an https base address.
    string addressHttp = String.Format(
        "https://{0}:8080/Calculator",
        System.Net.Dns.GetHostEntry("").HostName);

    WSHttpBinding b = new WSHttpBinding();
    b.Security.Mode = SecurityMode.Transport;
    b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

    // You must create an array of URI objects to have a base address.
    Uri a = new Uri(addressHttp);
    Uri[] baseAddresses = new Uri[] { a };

    // Create the ServiceHost. The service type (Calculator) is not
    // shown here.
    ServiceHost sh = new ServiceHost(typeof(Calculator), baseAddresses);

    // Add an endpoint to the service, then select an X.509 certificate
    // found on your computer (here by subject name).
    Type c = typeof(ICalculator);
    sh.AddServiceEndpoint(c, b, "MyCalculator");
    sh.Credentials.ServiceCertificate.SetCertificate(
        StoreLocation.LocalMachine,
        StoreName.My,
        X509FindType.FindBySubjectName,
        "contoso.com");

    // This next line is optional. It specifies that the client's certificate
    // does not have to be issued by a trusted authority, but can be issued
    // by a peer if it is in the Trusted People store. Do not use this setting
    // for production code. The default is ChainTrust, which specifies that
    // the certificate must chain to a trusted certificate authority.
    // sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
    //     X509CertificateValidationMode.PeerOrChainTrust;
    try
    {
        sh.Open();

        string address = sh.Description.Endpoints[0].ListenUri.AbsoluteUri;
        Console.WriteLine("Listening @ {0}", address);
        Console.WriteLine("Press enter to close the service");
        Console.ReadLine();
        sh.Close();
    }
    catch (CommunicationException ce)
    {
        Console.WriteLine("A communication error occurred: {0}", ce.Message);
        Console.WriteLine();
    }
    catch (System.Exception exc)
    {
        Console.WriteLine("An unforeseen error occurred: {0}", exc.Message);
        Console.ReadLine();
    }

    ' Requires the System, System.ServiceModel, System.ServiceModel.Security and
    ' System.Security.Cryptography.X509Certificates namespaces.

    ' This string uses a function to prepend the computer name at run time.
    ' Transport security requires an https base address.
    Dim addressHttp As String = String.Format("https://{0}:8080/Calculator", _
        System.Net.Dns.GetHostEntry("").HostName)

    Dim b As New WSHttpBinding()
    b.Security.Mode = SecurityMode.Transport
    b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate

    ' You must create an array of URI objects to have a base address.
    Dim a As New Uri(addressHttp)
    Dim baseAddresses() As Uri = {a}

    ' Create the ServiceHost. The service type (Calculator) is not
    ' shown here.
    Dim sh As New ServiceHost(GetType(Calculator), baseAddresses)

    ' Add an endpoint to the service, then select an X.509 certificate
    ' found on your computer (here by subject name).
    Dim c As Type = GetType(ICalculator)
    sh.AddServiceEndpoint(c, b, "MyCalculator")
    sh.Credentials.ServiceCertificate.SetCertificate( _
        StoreLocation.LocalMachine, _
        StoreName.My, _
        X509FindType.FindBySubjectName, _
        "contoso.com")

    ' This next line is optional. It specifies that the client's certificate
    ' does not have to be issued by a trusted authority, but can be issued
    ' by a peer if it is in the Trusted People store. Do not use this setting
    ' for production code. The default is ChainTrust, which specifies that
    ' the certificate must chain to a trusted certificate authority.
    ' sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
    '     X509CertificateValidationMode.PeerOrChainTrust
    Try
        sh.Open()

        Dim address As String = sh.Description.Endpoints(0).ListenUri.AbsoluteUri
        Console.WriteLine("Listening @ {0}", address)
        Console.WriteLine("Press enter to close the service")
        Console.ReadLine()
        sh.Close()
    Catch ce As CommunicationException
        Console.WriteLine("A communication error occurred: {0}", ce.Message)
        Console.WriteLine()
    Catch exc As System.Exception
        Console.WriteLine("An unforeseen error occurred: {0}", exc.Message)
        Console.ReadLine()
    End Try

See also

  • HTTP Transport Security

FAQs

How to apply an SSL certificate to a port?

Binding a Certificate to a Port
  1. In Windows, open the Command Prompt window.
  2. At the command prompt, enter a command that resembles the following: netsh http add sslcert ipport=0.0.0.0:1234 certhash=e8642dc5138c14082ca62391b75415b22e47ab04 appid={8722cd6c-33b4-4a90-a7ab-a2a51a3e7b16} ...
  3. Press Enter to run the command.

How to connect to a port using SSL?

Use Cases
  1. In the command line, enter openssl s_client -connect <hostname>:<port>. This opens an SSL connection to the specified hostname and port and prints the SSL certificate.
  2. Check the availability of the domain from the connection results. The following table includes some commonly used s_client commands.

How do I enable SSL ports?

Enabling SSL Port on Windows Firewall
  1. Start > Settings > Control Panel.
  2. Click the Windows Firewall icon. A window appears.
  3. Click the Exceptions tab.
  4. Click the Add Port button. A window appears.
  5. Enter the name in Name field.
  6. Enter the Administration Server's port number in Port field.
  7. Select the TCP option.
  8. Click the OK button.

How to configure WCF for HTTPS?

Configuring WCF to use Workflow designer under both HTTP and HTTPS
  1. Open the Workflow web.config file located in ~/CMSModules/Workflows.
  2. Create a binding based on WebHttpBinding in the <system.serviceModel> - <bindings> section. ...
  3. Add both HTTP and HTTPS endpoints into the <service name="CMS.WebServices. ...
  4. Save the web.

Are SSL certificates port specific?

The certificate doesn't care about the port number. You can use the certificate on every port at once. Just make sure your software is reloaded when you renew the certificate.

Which port to use for SSL?

So, what port does TLS/SSL use? The TLS/SSL port is 443, HTTPS, and employs TLS/SSL certificates to safeguard port communications. HTTP is the unsecure protocol port (port 80).

How do I know if a port is open for SSL?

OpenSSL's s_client command can be used to analyze client-server communication, including whether a port is open and if that port is capable of accepting an SSL/TLS connection. It is a useful tool for investigating SSL/TLS certificate-based plugins, and for confirming that a line of secure communications is available.

Is SSL always on port 443?

SSL/TLS does not itself use any port — HTTPS uses port 443. That might sound kind of snooty, but there's an important distinction to be made there. Think of SSL/TLS as more of a facilitator. It enables other protocols, like HTTPS or DNS over TLS.

How do I allow a port to connect?

How to open a port on the firewall
  1. Click on Start then on Control Panel.
  2. Click on Windows Firewall and then click on Advanced Settings.
  3. Right click on Inbound Rules then on New Rule:
  4. Select Port and click on Next:
  5. Enter a specific local port (e.g. 8080) and click on Next:
  6. Click on Next:
  7. Name the rule and click on Finish:
Jun 16, 2023

How do I set up an SSL connection?

How an SSL connection is established
  1. The client sends a request to the server for a secure session. ...
  2. The client receives the server's X. ...
  3. The client authenticates the server, using a list of known certificate authorities.
  4. The client generates a random symmetric key and encrypts it using server's public key.

How do I activate my SSL certificate?

How to activate your SSL certificate:
  1. Go to the Websites & Domains tab of the Plesk admin control panel.
  2. In the section for the domain name you want to use, click Hosting Settings.
  3. In the Security section, select SSL support.
  4. Select the Certificate you created, and then click OK.

Can port 8080 be used for HTTPS?

Port 8080 has 80 in it, which means "HTTP". It should NOT be serving HTTPS, that breaks conventions.

How do I make my WCF service secure?

Specifying the Client Credential Type and Credential Value

Using SSL over HTTP (HTTPS), a service authenticates itself to the client. As part of this authentication, the service's certificate is sent to the client in a process called negotiation. The SSL-secured transport ensures that all messages are confidential.

Is WCF based on HTTP?

WCF services and clients can communicate over HTTP and HTTPS. The HTTP/HTTPS settings are configured by using Internet Information Services (IIS) or through the use of a command-line tool.

How do I call a WCF service from a URL?

With the service running, right click the project that will contain the WCF client proxy and select Add > Service Reference. In the Add Service Reference Dialog, type in the URL to the service you want to call and click the Go button. The dialog will display a list of services available at the address you specify.

How do I apply for an SSL certificate?

Log into your cPanel admin. From the cPanel home page, go to Security section, and then click SSL/TLS. Under Certificate Signing Requests (CSR), click Generate, view, or delete SSL certificate signing requests. Complete the fields in the Generate a New Certificate Signing Request (CSR) section.

How do I deploy an SSL certificate?

Generate a Certificate Signing Request (CSR).
  1. Login to cPanel.
  2. Click SSL/TLS in the "Security" section.
  3. Click the Generate, view, upload, or delete your private keys links.
  4. Scroll down to the “Generate a New Key” section. ...
  5. Click “Return to SSL Manager”. ...
  6. Enter your organization's information. ...
  7. Click the Generate button.
May 10, 2024

How to install SSL certificate using SSH?

I. Apache: Creating Your CSR with OpenSSL
  1. Log in to your server via your terminal client (ssh).
  2. Run Command. At the prompt, type the following command: ...
  3. Generate Files. You've now started the process for generating the following two files: ...
  4. Order Your SSL/TLS Certificate. ...
  5. Save Private Key. ...
  6. Install Certificate.

How do I link an SSL certificate?

How to add an SSL to your website
  1. Common name. The fully-qualified domain name, or URL, you want to secure. ...
  2. Organization. The legally registered name for your business. ...
  3. City/Locality. ...
  4. State/Province. ...
  5. Country. ...
  6. Generating your CSR. ...
  7. Request your SSL. ...
  8. Verify your SSL request.
Jan 31, 2024

Article information

Author: Kieth Sipes
