Simple WCF - X509 Certificate

Download winhttpcertcfg - 49.46 KB

Introduction

This article will describe how to create Temporary X509 certificate and to implement X509 Certificate security in WCF service and client. This configuration can be simply done via in config file itself.

Using the Code

Creating X509 Certificate:

makecert.exe this tool will helpful to create X509 certificate. This tool is packed along with Microsoft .Net 2005 SDK and also be downloaded from micosoft site.

Step1: creating the temporary certificate TempCA.cer
Step2: Create SignedByCA.cer which is digitally sign and authorize by TempCA certificate
Step3: Import the certificate TempCA.cer using MMC in to "Trusted Root Certificate Authorities" folder (Localmachine)
Step4: Import the certificate SignedByCA.cer in to the personal folder

step1: makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
step2: makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

step3: Go to Start -> Run -> Type MMC -> File -> Add/Remove Snap-In -> StandAlone Tab -> Add Button -> Certificates -> Computer Account

step4: Import SignedByCA.cer in to Personal Folder

Export Certificate:To export the created certifciate to outside world, it is necessary to export the private key also. Thus it is possible to convert the certificate .cer and .pvk to .pfx (i.e TempCA.cer and TempCA.pvk to TempCA.pfx). Equivalent tool for this conversion is pvk2pfx.exe. This will be available in your <programfile>/Visual Studio 8/Common7/Tools/bin/pvk2pfx.exe

cmd> pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer      
this open wizard which will help to create .pfx file. Then you can distribute the PFX file to client

Access Permission X509 certificate:If WCF services are hosted in IIS or Windows service or so on, based on the hosted environment specific permission to be give for X509 certificate. For ex: if WCF service is hosted in IIS then ASPNET user (XP) permission must be given to the certifciate. Thus, this can be achived using Winhttpcertcfg.exe which will give the permission to specified certificate. Seperate download is available for this tool and also this tool is downloadable along this article itself.

//for grant ASPNET permission to TempCA.cer
cmd>winhttpcertcfg -g -c LOCAL_MACHINE\MY -s TempCA -a ASPNET

//for grant ASPNET permission to TEMPCA.pfx
cmd>winhttpcertcfg -i TempCA.pfx -g -c LOCAL_MACHINE\My -s TempCA -a ASPNET

WCF Server Config:

Configure the WCF service to support X509 certificate as one of the security process. possible to configure the client level certificate authority in the server config file itself. Thus at the time of creating proxy class using svcutil.exe config file will be generated with certificate information (token).

//web.config
<configuration>
<system.serviceModel>  
<service name="service1" behaviorConfiguration="beh1">
         <endpoint address="secure" contract="Icontract1" binding="wsHttpBinding" bindingConfiguration="binding1"></endpoint>
         <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<behaviors>
    <serviceBehaviors>
         <behavior name="beh1">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true"/>
              <serviceCredentials>
                <!--certificate storage path in the server -->
                <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"  storeName="My"/>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
                <!--certificate storage path in the client -->
                <clientCertificate>
                  <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </clientCertificate>                
                <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
              </serviceCredentials>
         </behavior>
     </serviceBehaviors>
     <endpointBehaviors>
        <behavior name="beh1">
          <clientCredentials>
            <!--certificate storage path in the client -->
            <clientCertificate findValue="TempCA" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
</behaviors>
<bindings>
     <wsHttpBinding>
        <binding name="binding1">
          <security mode="Message">
            <!--security mode of certificate -->
            <message establishSecurityContext="false" clientCredentialType="Certificate"/>
          </security>
        </binding>        
      </wsHttpBinding>
</bindings>
</system.serviceModel>
</configuration>

Client Config:(Auto generated using svcutil.exe)

Sample WCF client config file generated using svcutil.exe

<!--app.config-->
    <client>
      <endpoint address="http://localhost/service1/servic1.svc/secure"
        binding="wsHttpBinding" bindingConfiguration="bind1"
        contract="Icontract1" name="WSHttpBinding_Icontract1">
        <identity>
          <certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" />
        </identity>
      </endpoint>      
    </client>

After successful implementation of above points, when any request send from client to the server then the message will be digitally signed by the certifciate present in the client and the server