How to use WCF Message Security with external clients

Question

Here's my scenario:

I need to host a WCF web service app that will be consumed by multiple customers. Each customer is responsible for their own client app, and they will be building their client apps with different technologies. It's likely that none of their clients will be .Net (probably will be Java or something else).

I need to implement Message Level Security to abide by their policies (Transport security is not sufficient).

Given the above requirements, I am having a hard time understanding how to implement Message Security in WCF that can be used by clients that I do not control. Everything I've read discusses the scenario where I would be building my own client, and that the client would even be in my network's domain.

If I implement Message Security with Certificate, can I install one certificate on my server and have each client be responsible for installing their own certificates on their servers? Would we then be able to use Message Security by simply sharing the Public Keys?

Answer 1

Basically, what you're saying here in your last paragraph is true. You'd give the subscribers of your WCF service the public key (.cer) file that they'd install and register within the LocalMachine/My store of their client machines.

On the host side, you'd install the cert public key in your LocalMachine/TrustedPeople store and the private key (.pfx or .pvk) in the host LocalMachine/Personal store.

You can vary the location of where you install/registry the public and private keys a bit, but then you'd have to configure your WCF service to find those cert elements on your server. The clients would have to do the same.

This does work. I've done it.

You can automate some of this using a .bat file and the makecert.exe and certmgr.exe DOS commands to ensure everything gets installed in the correct places.