Question about certificates

  • Question

  • hi

    1) "Certificates can be used for transport or message-level security. A commonly used transport-level encryption option, SSL, is applied to the transport by using a certificate on the server."

    I realize that in lots of cases when a client wants to establish an SSL connection with a server, it is the server which needs to provide a certificate.

    But isn't the reverse also possible? Meaning when a client tries to establish a connection with a server, that SSL requires the client to provide a certificate, but it doesn't require the server to provide one?

     

    2) "The primary disadvantages of certificates are the expense of acquiring them for production from a third-party authority and the complexity associated with provisioning them."

    What is meant by "provisioning them"?

    thank you

    Tuesday, November 23, 2010 11:45 PM

All replies

  • Klem,

    1) When setting up SSL on a web server you can require the client to provide a certificate, but SSL requires a certificate on the web server. Could you explain a scenario where you would want to have an SSL connection where only the client is required to provide a certificate?

    2) Can you let me know where you found that quote? If it's in our docs we need to fix that.  Provisioning the certificates means installing the certificates on the appropriate machines, making sure they are in the correct location, giving applications rights to access the certificate (and associated private key), renewing the certificate when needed, etc.

    I hope this is helpful,

    Michael Green
    WCF Documentation Team.

    • Marked as answer by Bin-ze Zhao Tuesday, November 30, 2010 9:25 AM
    Wednesday, November 24, 2010 1:00 AM
  • hi

     

    "1) When setting up SSL on a web server you can require the client to provide a certificate, but SSL requires a certificate on the web server. Could you explain a scenario where you would want to have an SSL connection where only the client is required to provide a certificate?"

     

    * I'm new at this, so I'm not quite able to come up with an example.

     

    * May I ask why such a scenario would not be useful and as such is not supported?

     

    * Anyhow, I know it's a stupid question, but how does SSL "know" which side is a client and which side is a server?

     

    "2) Can you let me know where you found that quote? If it's in our docs we need to fix that.  Provisioning the certificates means installing the certificates on the appropriate machines, making sure they are in the correct location, giving applications rights to access the certificate (and associated private key), renewing the certificate when needed, etc."

     

    It's from the book Essential WCF. What exactly is the quote wrong about? Its claim that provisioning the certificates is complex?

    • Marked as answer by Bin-ze Zhao Tuesday, November 30, 2010 9:25 AM
    • Unmarked as answer by KlemS100 Thursday, December 9, 2010 6:56 PM
    Wednesday, November 24, 2010 1:10 AM
  • Hi,

    When you create a WCF service, the service is going to be hosted in IIS (for example); this service application will let clients access it and provide the available functions. When you are trying to create an SSL-enabled service, the service needs a certificate to protect its conversation with the client on the wire; otherwise, the content will be visible to a middle man on the wire.

    "But isn't the reverse also possible? Meaning when client tries to establish a connection with a server, that SSL requires a client to provide a certificate, but it doesn't require a server to provide one?"

    This depends on how your client trusts your service. The server can demand that the client provide a valid certificate to authenticate the client; vice versa, the client can also demand that the service provide a valid certificate which the client trusts.

    For a detailed explanation, check the following article:

    http://msdn.microsoft.com/en-us/library/ff648360.aspx

    Thanks

    Binze


    Monday, November 29, 2010 9:24 AM
  • Hi Klem,

    In order to configure SSL the server must provide a certificate; that is simply how SSL works. You can find more information on configuring SSL here: http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/ And you can find more information about how SSL works here: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

    I don't understand your question about how SSL "knows" which side is which. When you configure SSL on the server you need to specify a server certificate. In effect you are telling your web server to use that certificate for responding to requests over HTTPS. SSL can be configured to require a client side certificate or not. When it is configured to require a client side certificate, it can identify it as a client cert because it is sent to the server by the client. I feel I may have misunderstood your question; if I have, please let me know.

    The quote you posted from Essential WCF isn't incorrect, but not everyone will know what it means to "provision" certificates, and if it were in our docs, I would want to explain what "provisioning" means, that's all.

    I hope this information helps,

    Michael Green
    WCF Documentation Team

     

     

     

    • Marked as answer by KlemS100 Thursday, December 9, 2010 6:56 PM
    Monday, November 29, 2010 10:48 PM
  • much appreciated
    Thursday, December 9, 2010 6:58 PM
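
The points made in the answers above (the server side must have a certificate, the client certificate is an option the server switches on, and the client is simply the side that sends the first handshake message) can be observed directly. This is an added example, not part of the original thread and not WCF or IIS code: it uses Python's standard `ssl` module with in-memory buffers in place of a network, and the names `pump` and `handshake_without_server_cert` are made up for the illustration.

```python
import ssl

def pump(src_out, dst_in):
    """Move pending TLS records from one side's outgoing buffer to its peer."""
    data = src_out.read()
    if data:
        dst_in.write(data)
    return len(data)

def handshake_without_server_cert():
    # Server context with NO certificate loaded (load_cert_chain never called).
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Asking for a client certificate is a server-side setting; the default is
    # CERT_NONE ("do not ask"). CERT_REQUIRED would demand one.
    client_cert_policy = server_ctx.verify_mode

    # Client verification is switched off only so that the failure observed
    # below cannot be attributed to trust settings.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    # The client role is the side that speaks first: it emits the ClientHello.
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    hello_len = pump(c_out, s_in)

    # The server has no certificate to answer with, so the handshake aborts.
    server_error = None
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        pass  # would mean the handshake is still progressing
    except ssl.SSLError as exc:
        server_error = exc.reason or "SSLError"

    return {"client_hello_bytes": hello_len,
            "client_cert_policy": client_cert_policy,
            "server_error": server_error}

if __name__ == "__main__":
    print(handshake_without_server_cert())
```
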