WCF Message security using certificates

  • Question

  •  Hello,
     
    I am trying to implement message security in our WCF services for mutual authentication and authorization. This service will be consumed by the business partners. All Microsoft documentation suggests that we need to acquire a server certificate, which will be installed in the local store of our server, and a client certificate, which will be installed in the client's local store.

    All test applications work fine using the temporary certificates created using the makecert.exe utility, but now the question is what type of certificate we need to acquire from VeriSign or Microsoft certificate service to replicate the same functionality in the production environment.

    Questions

    1. What type of certificates do we need to acquire from the Certification Authority for the server and for the application running on the client side? We would like to provide the client with the certificate, which will be installed in their local store.

    2. What is the best approach for validating the client certificate?

    3. Is it a good practice to apply both Transport level and message level security? I believe implementing transport level security is comparatively easy because I have done that on our websites hosted on IIS.

    4. Can we generate client certificates on our own once we acquire the server certificate?

    I would really appreciate a quick response to these questions, as this is becoming a matter of urgency for the project we are working on.

    Thanks & Regards,
    Bunty
    Thursday, February 5, 2009 10:24 PM

Answers

  • Hi Bunty,

    1. The certificates I've used for these purposes are Server Authentication certificates and Client Authentication certificates for the client and server, respectively.

    If you want to test out using "real" certificates without using an external certification authority, it's possible to use a Windows Server machine to generate these types of certificates for testing (install the Certificate Authority role). The machine needs to be on a domain though in order to act as a certificate authority (CA). The details on how to do this would be outside of the scope of this forum though.

    2. I'm not sure what you mean by "validating" the client certificate. Presumably the server and the client will both have a trust hierarchy leading up to the same certificate authority?

    3. It really depends on the security requirements of your system that would determine whether or not you want to implement each type of security. For example, if you're communicating over a secure internal network, it may be sufficient to turn on just Message security, but if you're going to be communicating over the internet, you may want to use Transport security to ensure that the data stream itself is secure from prying eyes. I think this is an architectural decision that is probably well out of the scope of what I can answer on the forums (but I'll try :))

    4. I'm almost certain that acquiring a server certificate from a CA does not mean you can generate your own client certificates. Each client needs to be trusted independently by the Certificate Authority and it's unlikely that having a trusted server confers the right for you to generate your own client certs using the same root CA. Again, if this is an internal production environment, you may be able to make your own cert authority and ensure that all your clients trust this CA by deploying this over Group Policy.

    Just as further guidance, I would highly suggest the "Improving Web Services Security" guide on CodePlex at http://www.codeplex.com/WCFSecurityGuide. This guide provides a good overview of WCF security and goes through many scenarios that might apply to your environment.

    Hope this helps!
    --Jason
    • Marked as answer by edhickey Thursday, February 12, 2009 12:50 AM
    Friday, February 6, 2009 10:44 PM
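
The setup discussed in this thread, sketched as a service-side WCF configuration fragment. This is an added example, not part of the original posts: the service, contract, binding and behavior names and the certificate subject name are placeholders. It shows message security with certificate credentials on both sides and the client-certificate validation mode moved from the relaxed setting commonly used with makecert test certificates to chain validation against a trusted CA.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="PartnerMessageSecurity">
          <!-- Message-level security; the client authenticates with an X.509 certificate -->
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="PartnerServiceBehavior">
          <serviceCredentials>
            <!-- Server certificate from the machine store; subject name is a placeholder -->
            <serviceCertificate findValue="services.example.com"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
            <clientCertificate>
              <!-- Typical test setting with self-issued makecert certificates
                   (trusts whatever sits in the TrustedPeople store):
                   <authentication certificateValidationMode="PeerTrust" /> -->
              <!-- Production setting: build the chain up to a trusted root
                   and check revocation status online -->
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online"
                              trustedStoreLocation="LocalMachine" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <!-- Service and contract names are hypothetical -->
      <service name="Partner.Services.OrderService"
               behaviorConfiguration="PartnerServiceBehavior">
        <endpoint address=""
                  binding="wsHttpBinding"
                  bindingConfiguration="PartnerMessageSecurity"
                  contract="Partner.Services.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

`ChainTrust` only establishes that the client certificate chains to a root the server trusts; deciding which partner a given certificate belongs to and what that partner may call is a separate authorization step.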