Question

When a WCF service uses a certificate, how does the client that consumes the WCF service send the certificate to the WCF service? This idea is not clear to me: when the WCF client calls the WCF service for the first time, how will the client send the certificate of the service? Please discuss how people work with WCF & certificates.

Also, guide me briefly on what steps we need to take to attach a certificate to our WCF service.

How can a WCF client send the certificate to the WCF service when it makes a call?

Do we need to configure anything at all for the certificate at the WCF client end?

One guy told me:

When you use certificate authentication in WCF, then on the service side and the client side you will need to install the service certificate and the client certificate. Then on the client side, the client will use the service public key to encrypt the message and send it to the service, and the service will use the service private key to decrypt the message. On the service side, it will use the client public key to encrypt the message and send it to the client. Then the client will use the client private key to decrypt the message.

If this is the limitation of certificate authentication, that we need to install a certificate on both ends, then we can use certificate authentication only in very limited cases. Can anyone tell me how to use certificate authentication when we have no control over the client who will consume the service? When the client is unknown, how can they send the certificate to our service?

Actually, I am trying to find out how people manage to implement certificate authentication in real life when they do not have control over the client who will be using their service. Thanks.


Solution

OK, you're looking for client certificate authentication of your would-be clients, which always includes SSL.

I've got a couple links for you to check out:

http://msdn.microsoft.com/en-us/library/ms731074(v=vs.110).aspx is the official version from MS that has good information, but not necessarily good instructions on getting this working.

and

http://architecturebyashwani.blogspot.de/2010/01/wcf-client-authentication-using-x509.html ... this is a better source in my opinion because it will walk you through the process of setting up the certificates (self-signed) you'll need for testing.

As far as controlling the issuance of certificates to client computers, that can be easy or difficult depending on how many client devices are involved and where they're located.

If you're talking about an internal implementation for server-to-server communication within a network, or perhaps a few PCs connecting to the host, that's not too difficult. In a nutshell, you copy a .PFX file (cert and private key) to the clients and host and set them up in the cert store (like LocalComputer\Trusted, for instance). Then you set up the client and host WCF software to a) access the certificates and b) get the host to deny access to non-authenticated users.

However, if you're talking about issuing and managing certificates for a thousand people walking around with iPhones, Androids and Laptops, that's a much more difficult proposition to control.

Here's a link, though, on setting up an internal certificate authority: http://technet.microsoft.com/en-us/library/ff849263(v=ws.10).aspx

Added: This DOS scripting will create client auth certs, package them as a PFX and install them into a certificate store on the host.

On the host side you do this:

 rem Comment -- creates client authentication cert, puts it in the currentuser\root authority and signs it based on the other certificate
 makecert.exe  -n cn=ClientAuthCert ClientAuthCert.cer -is root -sky exchange -pe -sv ClientAuthCert.pvk -eku 1.3.6.1.5.5.7.3.2

 rem Comment -- make the pfx file that will allow you to copy certs around with private keys
 pvk2pfx -pvk ClientAuthCert.pvk -spc ClientAuthCert.cer -pfx ClientAuthCert.pfx -f

 rem Comment -- installs the certificate on the host in the localmachine / trusted people store
 certmgr.exe -add ClientAuthCert.cer  -c -s -r LocalMachine TrustedPeople

On the client side, you do this (after copying the .CER and .PFX files over to the client machine):

 rem Comment -- these lines install the certificates in the stores on the client device
 certmgr.exe -add ClientAuthCert.cer  -c -s -r LocalMachine TrustedPeople
 certmgr.exe -add ClientAuthCert.pfx  -c -s -r CurrentUser My
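The WCF wiring that goes with the script above, as an added example that is not part of the original answer: it configures the service to reject any caller whose certificate is not in LocalMachine\TrustedPeople (where the host-side certmgr call put ClientAuthCert.cer) and configures the client to present the private-key certificate from CurrentUser\My. It assumes the service's own HTTPS certificate has already been bound to port 8443 at the HTTP.sys level (with netsh http add sslcert) since transport security does not take it from WCF configuration; the IEcho contract, the port and the address are made up for the example, while "ClientAuthCert" is the subject name from the script.

```csharp
// Added example (not from the original answer): WCF client-certificate
// authentication over HTTPS, configured in code rather than app.config.
// Assumptions: a server certificate is already bound to https://localhost:8443,
// and the answer's script has installed ClientAuthCert on both machines.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text)
    {
        // The authenticated client certificate identity is available here for
        // authorization decisions; unauthenticated callers never reach this code.
        var caller = ServiceSecurityContext.Current?.PrimaryIdentity?.Name ?? "(anonymous)";
        return caller + " said: " + text;
    }
}

public static class Demo
{
    // Transport security: TLS on the wire and the client must present an X.509 cert.
    static WSHttpBinding MakeBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    // Host side: this is what "gets the host to deny access to non-authenticated users".
    public static ServiceHost StartHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEcho), MakeBinding(), "");

        // PeerTrust: a client cert is accepted only if that exact certificate is in
        // the TrustedPeople store of the given location (LocalMachine here, matching
        // the script's "certmgr.exe -add ClientAuthCert.cer ... LocalMachine TrustedPeople").
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
        // Self-signed test certificates publish no CRL, so revocation checking is
        // disabled for this test setup only; leave it on for CA-issued certificates.
        auth.RevocationMode = X509RevocationMode.NoCheck;

        host.Open();
        return host;
    }

    // Client side: the one piece of configuration the client needs, answering
    // "do we need to configure anything at the WCF client end?" with "yes, this".
    public static string CallService(string text)
    {
        var factory = new ChannelFactory<IEcho>(
            MakeBinding(), new EndpointAddress("https://localhost:8443/echo"));

        // Select the certificate whose private key the script imported from the
        // PFX into CurrentUser\My; WCF presents it during the TLS handshake.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "ClientAuthCert");

        IEcho proxy = factory.CreateChannel();
        try
        {
            return proxy.Echo(text);
        }
        finally
        {
            ((ICommunicationObject)proxy).Close();
            factory.Close();
        }
    }
}
```

With PeerTrust the host does not need a certificate chain or an internal CA: every permitted client's .CER is simply placed in TrustedPeople, which is exactly the manual distribution model the answer describes for a handful of known machines. For the "thousand unknown devices" case, switch the validation mode to ChainTrust and have clients obtain certificates from a CA whose root the host trusts, so the host no longer has to know each client certificate in advance.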
Licensed under: CC-BY-SA with attribution