Client endpoint certificate reference, how to find when there's a comma in the distinguished name parts?


We are trying to reference a certificate for a client endpoint configuration in our WCF configuration file.

The configuration looks like this:

<client>
    <endpoint address="https://domain.server.com/path/service.asmx"
        binding="basicHttpBinding" bindingConfiguration="TestServiceSoap"
        contract="..." name="...">
        <identity>
            <certificateReference storeName="TrustedPublisher"
                x509FindType="FindBySubjectDistinguishedName"
                findValue="..." />
        </identity>
    </endpoint>
</client>

For a test certificate, the "Subject" property looks like this:

CN = demo.domain.com
OU = Company
O = Company
L = City
S = County
C = CountryCode

This works if we provide the following for the findValue attribute above:

CN=demo.domain.com, OU=Company, O=Company, L=City, S=County, C=CountryCode

However, for a certificate we have from a third party, they have added their address as one part of this, so the above list of identifiers looks like this:

CN = demo.domain.com
OU = Company
STREET = Mainstreet 1, Town Center
L = City
S = County
C = CountryCode

Obviously, the comma in the STREET part will not work, as our string now contains "Town Center" as a separate part with no name.

How do we specify that we want to find the certificate using this list of identifiers?

CN=demo.domain.com, OU=Company, O=Company, STREET=Mainstreet 1, Town Center, L=City, S=County, C=CountryCode
                                                              ^-- Argh!

There are 2 answers

Lasse V. Karlsen (BEST ANSWER)

Ok, with more experimentation we managed to find the answer ourselves.

First, to encapsulate values that contain special characters, we need to enclose them in double quotes.

This, however, won't play nice with findValue="..." which also uses double quotes, so we changed that to single quotes.

The end result was this:

findValue='..., STREET="Mainstreet 1, Town Center", ...'
          ^            ^                         ^     ^
          |            +---- this is needed -----+     |
          |                                            |
          +- and this is needed to use double quotes --+
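Added here as a worked example (not code from the question or either answer): a small Python tokenizer for RFC 4514-style distinguished names that reproduces the failure in the question (the unquoted STREET value leaks "Town Center" into the next RDN) and shows the two repairs, the double-quoted value the accepted answer arrived at and the backslash-escaped form `STREET=Mainstreet 1\, Town Center`. It is an assumption that the matcher behind FindBySubjectDistinguishedName splits the findValue string by the same rules; the answer above confirms the double-quote form, and the backslash form is the RFC alternative. The sample DNs are the ones from the question. The `parse_dn`, `format_dn`, `dn_is_parseable` and `xml_attr` names are this example's own.

```python
"""Added example for this Q&A (not code from the question or the answers):
an RFC 4514-style DN tokenizer showing why the unquoted STREET value breaks
and how quoting or backslash-escaping repairs the findValue string.

Assumption: the FindBySubjectDistinguishedName matcher splits the string by
the same rules. Hex-pair escapes (\\2C) and multi-valued RDNs (CN=a+OU=b)
are deliberately not handled.
"""

# Characters that cannot appear bare inside an attribute value.
SPECIAL = ',+"\\<>;='

# Sample DNs taken from the question; BROKEN_DN is the one with the stray comma.
PLAIN_DN = "CN=demo.domain.com, OU=Company, O=Company, L=City, S=County, C=CountryCode"
QUOTED_DN = 'CN=demo.domain.com, OU=Company, STREET="Mainstreet 1, Town Center", L=City, S=County, C=CountryCode'
BROKEN_DN = "CN=demo.domain.com, OU=Company, STREET=Mainstreet 1, Town Center, L=City, S=County, C=CountryCode"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring quotes and backslashes."""
    rdns: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        while i < n and dn[i] == " ":
            i += 1
        if i >= n:
            break
        eq = dn.find("=", i)
        if eq == -1:
            raise ValueError(f"no '=' in RDN at offset {i}: {dn[i:]!r}")
        attr_type = dn[i:eq].strip()
        # A type is a short name (CN, STREET) or a dotted OID; anything else
        # means a previous value leaked past a comma ("Town Center, L").
        if not attr_type.replace(".", "").isalnum():
            raise ValueError(f"bad attribute type at offset {i}: {attr_type!r}")
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        chars: list[str] = []
        if i < n and dn[i] == '"':
            i += 1                                   # quoted: commas are literal
            closed = False
            while i < n:
                c = dn[i]
                if c == "\\" and i + 1 < n:          # only \ and " need escaping here
                    chars.append(dn[i + 1])
                    i += 2
                elif c == '"':
                    closed, i = True, i + 1
                    break
                else:
                    chars.append(c)
                    i += 1
            if not closed:
                raise ValueError(f"unterminated quoted value for {attr_type}")
            while i < n and dn[i] == " ":
                i += 1
            if i < n and dn[i] != ",":
                raise ValueError(f"junk after quoted value for {attr_type}: {dn[i:]!r}")
            value = "".join(chars)
        else:
            while i < n and dn[i] != ",":            # unquoted: ends at first bare comma
                c = dn[i]
                if c == "\\" and i + 1 < n:          # backslash keeps the next char literal
                    chars.append(dn[i + 1])
                    i += 2
                else:
                    chars.append(c)
                    i += 1
            value = "".join(chars).rstrip(" ")
        rdns.append((attr_type, value))
        if i < n and dn[i] == ",":
            i += 1
    return rdns


def dn_is_parseable(dn: str) -> bool:
    """True when parse_dn accepts the string, False when it raises ValueError."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def format_dn(rdns: list[tuple[str, str]], style: str = "quote") -> str:
    """Serialize pairs to a findValue string; style is "quote" or "backslash"."""
    parts = []
    for attr_type, value in rdns:
        edgy = value[:1] in (" ", "#") or value[-1:] == " "
        if not (edgy or any(c in SPECIAL for c in value)):
            rendered = value
        elif style == "quote":
            rendered = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        else:
            last = len(value) - 1
            rendered = "".join(
                "\\" + c if c in SPECIAL or (k == 0 and c in " #") or (k == last and c == " ") else c
                for k, c in enumerate(value))
        parts.append(f"{attr_type}={rendered}")
    return ", ".join(parts)


def xml_attr(name: str, value: str) -> str:
    """Render the attribute so inner double quotes survive the XML layer."""
    if '"' in value and "'" not in value:
        return f"{name}='{value}'"                   # what the accepted answer did
    escaped = value.replace("&", "&amp;").replace('"', "&quot;")
    return f'{name}="{escaped}"'                     # the entity-escaped alternative


if __name__ == "__main__":
    print(parse_dn(QUOTED_DN)[2])
    print(format_dn(parse_dn(QUOTED_DN), "backslash"))
    print(xml_attr("findValue", QUOTED_DN))
    print("broken DN parseable:", dn_is_parseable(BROKEN_DN))
```

Two practical points follow from running it. First, `parse_dn(BROKEN_DN)` fails on the attribute type "Town Center, L" rather than silently matching a shorter DN, which is the behaviour you want from a certificate selector: a value that does not round-trip through the parser should be rejected, not partially matched. Second, switching the XML attribute to single quotes is one fix; writing the inner quotes as `&quot;` inside a double-quoted attribute is the other, and `xml_attr` shows both so the choice is a matter of taste, not correctness.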
Drew Marsh

This isn't a direct answer to your question, but you don't really have to put all that detail in there if you don't want to. The CN should suffice unless you REALLY have multiple people with the same CN???

So you just need:

CN=demo.domain.com

In fact you don't even need to use the FindBySubjectDistinguishedName find type. You could just use FindBySubjectName and just put the plain subject name instead:

demo.domain.com