Question

Our setup includes a WCF service and a number of clients written by us. Some of the clients include Silverlight applications, whereas others include Web and Windows applications.

I (think) I would like to authenticate clients based on X.509 certificates. Typically you would install a private key on the client to encrypt (aka digitally sign) the messages. The server can then use the client's public key to decrypt it to ensure the message has not been changed and prove the message is from who we expect (aka authenticated).

I don't want to install a certificate on a client machine. It's a hassle to deploy, and we can't really ask our clients to do it. I was speaking to someone the other day who suggested embedding the cert in a client assembly, reading it and using that. Is that possible?

It would be great if someone could point me to an example.

Thanks in advance,

David


Solution

Yes, you can load an X509Certificate2 by passing a certificate byte array with a password, like:

var clientCertificate = new X509Certificate2(theByteArray, "password");

To get the certificate byte array, you can simply copy and paste the contents of the .pfx file, which is a combination of .cer (public key) and .pvk (private key),

and then you can load this certificate on your client by doing:

var channelFactory = new ChannelFactory<IYourService>();
channelFactory.Credentials.ClientCertificate.Certificate = clientCertificate;

If you use an auto-generated client proxy, or you prefer to configure the certificate via the .config file, then you might want to have a look at this from CodeProject.
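As an added example (not code from the answer above), this sketch loads a .pfx embedded as an assembly resource, checks that it is usable, and attaches it to the channel factory. The resource name `MyClient.client.pfx`, the `Ping` operation and the `EmbeddedClientCertificate` class are assumptions. The private key and its password ship inside the assembly, so anyone holding the client binaries can recover them, and the certificate identifies the application rather than an individual user or machine.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract]
public interface IYourService            // stand-in for the real service contract
{
    [OperationContract]
    string Ping();                       // hypothetical operation
}

public static class EmbeddedClientCertificate
{
    // Hypothetical resource name: "<default namespace>.<file name>" of a .pfx
    // added to the project with Build Action = Embedded Resource.
    private const string ResourceName = "MyClient.client.pfx";

    public static X509Certificate2 Load(string password)
    {
        Assembly assembly = typeof(EmbeddedClientCertificate).Assembly;
        using (Stream stream = assembly.GetManifestResourceStream(ResourceName))
        {
            if (stream == null)
                throw new InvalidOperationException("Embedded resource not found: " + ResourceName);

            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                var certificate = new X509Certificate2(buffer.ToArray(), password);

                // A .cer (public part only) loads without error but cannot sign.
                if (!certificate.HasPrivateKey)
                    throw new InvalidOperationException("Certificate has no private key.");
                // Fail early on an expired or not-yet-valid certificate.
                if (DateTime.Now < certificate.NotBefore || DateTime.Now > certificate.NotAfter)
                    throw new InvalidOperationException("Certificate is outside its validity period.");
                return certificate;
            }
        }
    }

    // endpointConfigurationName must name a client endpoint in the .config file
    // whose binding uses certificate client credentials.
    public static ChannelFactory<IYourService> CreateFactory(string endpointConfigurationName, string password)
    {
        var channelFactory = new ChannelFactory<IYourService>(endpointConfigurationName);
        channelFactory.Credentials.ClientCertificate.Certificate = Load(password);
        return channelFactory;
    }
}
```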

OTHER TIPS

Here is a suggestion. Could also be tweaked to use an embedded certificate.

http://www.codeproject.com/KB/WCF/wcfcertificates.aspx

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow