WCF Mutual Authentication - Client Certificate Questions

  • Question

  • User88744855 posted

    Regarding mutual authentication and client certificates, I'm a little unclear as to how client machines outside of our network obtain client certificates. After reviewing the following URL http://technet.microsoft.com/en-us/library/ms731899.aspx, Working with Certificates, 3rd party CAs don't issue client certificates. Or is that incorrect?

    We have WCF services hosted in IIS 7.5 on a Win Server 2008 R2 box.

    Additional documentation I have consulted discusses MS certificate services as the means for obtaining client certificates. This makes sense for client machines inside of our network. Our root CA would issue the client certificates to individual machines.

    Would I need to have the root certificate's public key installed in the Trusted Root store and each client certificate's public key installed in the Trusted People store on the box hosting our WCF services? Or, do I only need the public keys from client certificates in the Trusted People store?

    As for client machines outside of our network - In a B2B scenario:

    If our business partner has an instance of MS certificate services available, would I need their root certificate's public key along with the public keys from client certificates tied to machines allowed to use our WCF services? Or just the public keys from client certificates? Those keys would then be configured in the same manner described above?

    If our business partner does NOT have an instance of MS certificate services available, do I need to tell them they need to set up an instance of certificate services and refer to bullet point #1? Or, can certificate services be used to issue client certificates to machines outside of one's network? If it can, is that the route to take or a security risk?

    Finally, if our business partner is using a product other than MS certificate services to manage enterprise certificates, would I require the same items and configure them the same way as bullet point #1?

    Thanks,

    Friday, April 4, 2014 4:43 AM
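The two store layouts the question asks about correspond to WCF's two built-in client-certificate validation modes, so an added configuration example (not from the original thread or from Microsoft's documentation) makes the difference concrete. `ChainTrust` validates the presented client certificate up to a root in the Trusted Root Certification Authorities store, so only the CA root (ours or the partner's) needs installing; `PeerTrust` accepts a client certificate only if that exact certificate is present in the Trusted People store, so each client's public certificate must be installed individually. The behavior names, the service certificate subject name and the service name below are placeholders; the `certificateValidationMode` values, `revocationMode` and `trustedStoreLocation` attributes are real WCF settings. Message security is used so that WCF itself performs the validation (with transport security in IIS the check is done by IIS/HTTP.SYS instead).

```xml
<!-- Added example: two serviceBehaviors showing the trust model each store layout implies. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Mutual authentication at the message level: the client must present a certificate. -->
      <binding name="MutualCertBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <!-- ChainTrust: install only the issuing root CA certificate in
           LocalMachine\Trusted Root Certification Authorities. Any certificate
           issued by that root is then accepted, so restrict which clients are
           authorized separately (e.g. an authorization policy on the subject or thumbprint). -->
      <behavior name="ChainTrustBehavior">
        <serviceCredentials>
          <serviceCertificate findValue="svc.example.internal"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online"
                            trustedStoreLocation="LocalMachine" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>

      <!-- PeerTrust: install each partner client's public certificate in
           LocalMachine\Trusted People. The chain is not evaluated, so there is
           no dependency on the partner's CA product, but every new client
           certificate (and every renewal) must be added to the store by hand. -->
      <behavior name="PeerTrustBehavior">
        <serviceCredentials>
          <serviceCertificate findValue="svc.example.internal"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Placeholder service name; pick one behavior per service. -->
    <service name="Example.PartnerService" behaviorConfiguration="PeerTrustBehavior">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="MutualCertBinding"
                contract="Example.IPartnerService" />
    </service>
  </services>
</system.serviceModel>
```

`PeerOrChainTrust` combines the two checks, which is useful when internal clients are issued from the in-house root while a small number of external partner certificates are pinned in Trusted People. With `ChainTrust`, keep `revocationMode` enabled (and the CRL/OCSP endpoint reachable from the service host), since without revocation checking a compromised partner client certificate remains valid until it expires.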

Answers