User88744855 posted
Regarding mutual authentication and client certificates, I'm a little unclear as to how client machines outside of our network obtain client certificates. After reviewing the following URL, http://technet.microsoft.com/en-us/library/ms731899.aspx (Working with Certificates), 3rd party CAs don't issue client certificates. Or is that incorrect?
We have WCF services hosted in IIS 7.5 on a Win Server 2008 R2 box.
Additional documentation I have consulted discusses MS certificate services as the means for obtaining client certificates. This makes sense for client machines inside of our network. Our root CA would issue the client certificates to individual machines.
Would I need to have the root certificate's public key installed in the Trusted Root store and each client certificate's public key installed in the Trusted People store on the box hosting our WCF services? Or, do I only need the public keys from client certificates in the Trusted People store?
As for client machines outside of our network - In a B2B scenario:

1. If our business partner has an instance of MS certificate services available, would I need their root certificate's public key along with the public keys from client certificates tied to machines allowed to use our WCF services? Or just the public keys from client certificates? Those keys would then be configured in the same manner described above?

2. If our business partner does NOT have an instance of MS certificate services available, do I need to tell them they need to set up an instance of certificate services and refer to bullet point #1? Or, can certificate services be used to issue client certificates to machines outside of one's network? If it can, is that the route to take or a security risk?

3. Finally, if our business partner is using a product other than MS certificate services to manage enterprise certificates, would I require the same items and configure them the same way as bullet point #1?
Thanks,
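The two stores the question keeps coming back to map onto the two common WCF client-certificate validation modes: `ChainTrust` checks that the presented certificate chains up to a CA in the LocalMachine `Root` store, while `PeerTrust` checks that the exact leaf certificate is present in the LocalMachine `TrustedPeople` store (set under `serviceCredentials/clientCertificate/authentication` with `certificateValidationMode`). The script below is an added example, not code from the original post or from Microsoft; run on the IIS host, it installs a public certificate into whichever store a chosen mode needs and reports how a given client certificate fares under each mode. The file paths are constructed placeholders, and only the public (.cer) part of each certificate is involved; no private keys are needed on the service side.

```powershell
# Added example: check a client certificate against the two LocalMachine stores that
# WCF's ChainTrust and PeerTrust validation modes consult. Uses the .NET X509 classes,
# which are available on Windows Server 2008 R2 / PowerShell 2.0.
param(
    [string]$ClientCertPath = 'C:\certs\partner-client.cer',  # constructed placeholder path
    [string]$PartnerRootPath = 'C:\certs\partner-root.cer'    # constructed placeholder path
)

$ns = 'System.Security.Cryptography.X509Certificates'

function Install-TrustAnchor {
    # Root          -> CA public certificate; lets ChainTrust accept any cert that CA issued.
    # TrustedPeople -> one client's public certificate; lets PeerTrust accept only that cert.
    param(
        [string]$Path,
        [ValidateSet('Root', 'TrustedPeople')][string]$StoreName
    )
    $cert  = New-Object "$ns.X509Certificate2" ($Path)
    $store = New-Object "$ns.X509Store" ($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-PeerTrust {
    # PeerTrust: the leaf certificate itself must sit in LocalMachine\TrustedPeople.
    param($Cert)
    $store = New-Object "$ns.X509Store" ('TrustedPeople', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $match = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        return ($match.Count -gt 0)
    } finally { $store.Close() }
}

function Test-ChainTrust {
    # ChainTrust: a chain from the leaf must end at a CA in LocalMachine\Root.
    # Every CA in the chain must also be trusted, so the issuing CA's public
    # certificate has to be installed, not just the client certificates.
    param($Cert)
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'  # offline demo; use 'Online' in production
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host ("  chain status: {0}" -f $status.StatusInformation.Trim())
        }
    }
    return $ok
}

# Scenario from the question: partner CA root into Root (ChainTrust), or each
# partner client certificate into TrustedPeople (PeerTrust). Run one or both.
$rootThumb   = Install-TrustAnchor -Path $PartnerRootPath -StoreName 'Root'
$clientThumb = Install-TrustAnchor -Path $ClientCertPath  -StoreName 'TrustedPeople'

$client = New-Object "$ns.X509Certificate2" ($ClientCertPath)
Write-Host ("Client subject : {0}" -f $client.Subject)
Write-Host ("Issuer         : {0}" -f $client.Issuer)
Write-Host ("PeerTrust  (TrustedPeople store) : {0}" -f (Test-PeerTrust  $client))
Write-Host ("ChainTrust (Root store)          : {0}" -f (Test-ChainTrust $client))
```

Installing a partner's CA root into `Root` trusts every certificate that CA ever issues, so `ChainTrust` on its own admits any partner machine the partner chooses to enrol; `PeerTrust` limits access to the specific certificates you have placed in `TrustedPeople`, at the cost of maintaining that list as partner certificates are renewed. Running the script twice, once with each anchor installed, shows which mode a given deployment is actually relying on.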