What's the purpose of ServiceCertificate?

  • Question

  • Here is a code snippet that shows how we create https service:

    // HTTPS endpoint: transport security (SSL/TLS) plus a message-level client credential
    var address = new Uri($"https://localhost:443/MyApp/MyService");
    var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
    // no client authentication at the transport layer...
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
    // ...the client authenticates with an X.509 certificate inside the message instead
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
    binding.Security.Message.NegotiateServiceCredential = false;
    binding.Security.Message.EstablishSecurityContext = false;

    var endpoint = host.AddServiceEndpoint(serviceContract, binding, address);
    // certificate the service presents at the message level
    host.Credentials.ServiceCertificate.Certificate = certificate;
    

    On the client I specify the following certificates:

    // certificate the client authenticates with
    channelFactory.Credentials.ClientCertificate.Certificate = ServiceFactory.ClientCertificate;
    // certificate the client expects the service to use
    channelFactory.Credentials.ServiceCertificate.DefaultCertificate = _serverCertificate;
    

    ClientCertificate actually works, but I found that ServiceCertificate does not seem to influence the connection at all. I can set any certificates on the server and client; they do not need to match each other, and even if I do not set a server certificate, the connection will still work. How can I ensure that the server certificate is used? What is it for anyway?

    Thursday, November 5, 2020 3:23 PM

Answers

  • I found the problem. In order for the service certificate to be used, the binding must work in SecurityMode.Message mode. When I use SecurityMode.TransportWithMessageCredential, it uses SSL certificate validation.

    var binding = new WSHttpBinding(SecurityMode.Message);
    

    Also, the client code should use an EndpointAddress with an X509CertificateEndpointIdentity. Then the channel will use both the client and the server certificate for encryption and validation.

    Friday, November 6, 2020 1:38 PM
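
The following is an added example that is not part of the original question or answer; it puts the accepted answer together into a complete service and client setup. The contract IMyService, the http://localhost:8080 address and the certificate objects are assumptions for illustration. With SecurityMode.Message the transport is plain HTTP, so confidentiality and server authentication come from the service certificate itself: the client pins that certificate through X509CertificateEndpointIdentity and validates it, and the service validates the client certificate instead of leaving validation at None. (In the original TransportWithMessageCredential setup the server was authenticated by the TLS certificate bound to port 443, which is why host.Credentials.ServiceCertificate had no visible effect.)

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not the original poster's code. Contract name, address and
// certificates are assumptions for illustration.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping(string message);
}

public static class MessageSecuritySetup
{
    // Assumed address; WSHttpBinding in SecurityMode.Message uses the http scheme.
    private static readonly Uri ServiceAddress = new Uri("http://localhost:8080/MyApp/MyService");

    private static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // client authenticates with an X.509 certificate inside the SOAP message
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // client must already hold the service certificate (no runtime negotiation)
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // Service side: the service certificate now signs/encrypts messages, so
    // omitting it or swapping it for an unrelated certificate breaks the channel.
    public static ServiceHost CreateHost(Type serviceType, X509Certificate2 serviceCertificate)
    {
        var host = new ServiceHost(serviceType);
        host.AddServiceEndpoint(typeof(IMyService), CreateBinding(), ServiceAddress);
        host.Credentials.ServiceCertificate.Certificate = serviceCertificate;

        // Validate client certificates against a trusted chain with revocation
        // checking; with X509CertificateValidationMode.None any self-signed
        // client certificate would be accepted.
        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        clientAuth.RevocationMode = X509RevocationMode.Online;
        return host;
    }

    // Client side: pin the expected service certificate via the endpoint identity
    // and validate it. A service presenting a different certificate fails the
    // identity check instead of silently working.
    public static ChannelFactory<IMyService> CreateChannelFactory(
        X509Certificate2 clientCertificate, X509Certificate2 serviceCertificate)
    {
        var identity = new X509CertificateEndpointIdentity(serviceCertificate);
        var endpoint = new EndpointAddress(ServiceAddress, identity);

        var factory = new ChannelFactory<IMyService>(CreateBinding(), endpoint);
        factory.Credentials.ClientCertificate.Certificate = clientCertificate;
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCertificate;

        var serviceAuth = factory.Credentials.ServiceCertificate.Authentication;
        serviceAuth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        serviceAuth.RevocationMode = X509RevocationMode.Online;
        return factory;
    }
}
```

Usage: call CreateHost(typeof(MyService), serverCert).Open() on the service and CreateChannelFactory(clientCert, serverCert).CreateChannel().Ping("hello") on the client. To confirm the service certificate is really enforced, pass a different certificate as the second argument on the client; the call should now fail with a security exception, which is the behaviour the original question was missing.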