I am currently building Authentication based services which require username and password credentials. I have gone through the WCF Samples posted by Microsoft and their recommendation is to always secure such services using an X.509 certificate. In addition, they also state that even though the samples use self-generated X.509 certificates, this should never be done in a production environment.
We currently sell our software to our customers (we are an ISV). If I build a solution which requires the purchase of X.509 certificates for each of my customers, this could significantly drive up the cost of deploying our software to our customers. Therefore, I was wondering if there is a method of deploying such an authentication based service without the requirement of X.509 certificates. If there is such a solution, please provide details on how to implement it over the current strategy of X.509 certificates.
Would it be a solution to create your own certificates using something like openSSL?
I looked at it very briefly a couple of months ago. There are GUIs for openSSL as well. XCA is one of them. I can't give you more details but it might be worth taking a look at it.
If you also develop the client side, then you can generate the cert yourself and use custom validation on the client to make sure it is valid.
WCF Security, Performance And Testing Blog
- Marked as answer by Mog Liang Friday, April 09, 2010 5:49 AM
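As an added illustration of the custom client-side validation the last answer refers to (example code written for this page, not taken from any of the posts or from the WCF samples): a WCF client that pins the service's self-signed certificate by its thumbprint, so the certificate does not have to be bought from a CA or installed as a trusted root on every customer machine. The contract type, endpoint address, certificate subject name and thumbprint value are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts exactly one service certificate (the one shipped with the product),
// identified by its thumbprint, instead of relying on chain trust.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public ThumbprintValidator(string expectedThumbprint)
    {
        // Normalize so it compares cleanly with X509Certificate2.Thumbprint
        _expectedThumbprint = expectedThumbprint.Replace(" ", string.Empty).ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        // A matching thumbprint is not enough once the cert has expired
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Service certificate is outside its validity period.");

        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Service certificate does not match the pinned thumbprint.");
    }
}

public static class PinnedClientFactory
{
    // address: e.g. "http://server:8000/Service" (placeholder)
    // certificateDnsName: the CN of the self-signed cert, used as the endpoint identity (placeholder)
    // pinnedThumbprint: thumbprint of the shipped cert (placeholder)
    public static ChannelFactory<TContract> Create<TContract>(string address, string certificateDnsName, string pinnedThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity(certificateDnsName));
        var factory = new ChannelFactory<TContract>(binding, endpoint);

        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(pinnedThumbprint);
        auth.RevocationMode = X509RevocationMode.NoCheck; // a self-signed cert has no CRL to consult
        return factory;
    }
}
```

Because trust rests entirely on the pinned value, rotating the service certificate means shipping a client update (or a signed list of accepted thumbprints) before the old certificate expires.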