Preventing Duplication of the x509 Certificate Used on a WCF Client?

StackOverflow https://stackoverflow.com/questions/3411398

  •  25-09-2019
  •  | 
  •  

Question

I have a WPF and WCF app that requires to install the certificate (.pfx) on the client side to enable WPF calling the WCF service.

Now how can I prevent the client to export the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?

Was it helpful?

Solution

Generate Certs for WCF

  1. Generate a Certificate Authority Cert

makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer

-r Create a self signed -pe Mark generated private key as exportable -ss Subjects certificate store names that stores the output certificate -sr Subjects certificate store location

The file pops up in the personal certs store of the machine you generate the cert from.

This is the file you will need to import into your server/client as a trusted root authority (rt click on the .cer file you created and install certificate, put it into Trusted root certification authorities)

  1. Generate Server Cert

You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on open mmc, certificates add-on, Personal, click on cert, >> rt click >> all tasks >> export >> select yes, export the private key >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx

Install this cert into the Personal Store of the server machine and use it to host the service.

  1. Create Client Cert

Create server certificate from CA machine. This will generate a cert file with the private key embedded:

makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "TestCA" -is my -ir localMachine TestPublicCert.cer

Take this cer file and install it on the client machine in the Trusted People store

  1. Recap

    Create a CA cert (or use the one you already have if you purchased one) From the CA export a .pfx file that is password protected (Private Cert) Create a Public Cert from the CA cert (Public Cert)

    Then

    Install the CA CA.cer into the Trusted Root Cert Authorities store on Client and Server Install the Private.pfx file into the Personal store of the server Install the Public.cer into the trusted people store of the client

    Ready to go.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top