Click here to Skip to main content
15,860,861 members
Articles / WCF
Article

Simple WCF - X509 Certificate

Rate me:
Please Sign up or sign in to vote.
4.92/5 (23 votes)
28 Apr 2008CPOL2 min read 207.1K   2.2K   74   27
how to create Temporary X509 certificate and also to implement X509 Certificate security in WCF service and client

Introduction

This article will describe how to create Temporary X509 certificate and to implement X509 Certificate security in WCF service and client. This configuration can be simply done via in config file itself.

Using the Code

Creating X509 Certificate:

makecert.exe this tool will helpful to create X509 certificate. This tool is packed along with Microsoft .Net 2005 SDK and also be downloaded from micosoft site.

Step1: creating the temporary certificate TempCA.cer
Step2: Create SignedByCA.cer which is digitally sign and authorize by TempCA certificate
Step3: Import the certificate TempCA.cer using MMC in to "Trusted Root Certificate Authorities" folder (Localmachine)
Step4: Import the certificate SignedByCA.cer in to the personal folder

step1: makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
step2: makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

step3: Go to Start -> Run -> Type MMC -> File -> Add/Remove Snap-In -> StandAlone Tab -> Add Button -> Certificates -> Computer Account

Image 1

step4: Import SignedByCA.cer in to Personal Folder

Image 2


Export Certificate:To export the created certifciate to outside world, it is necessary to export the private key also. Thus it is possible to convert the certificate .cer and .pvk to .pfx (i.e TempCA.cer and TempCA.pvk to TempCA.pfx). Equivalent tool for this conversion is pvk2pfx.exe. This will be available in your <programfile>/Visual Studio 8/Common7/Tools/bin/pvk2pfx.exe

cmd> pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer      
this open wizard which will help to create .pfx file. Then you can distribute the PFX file to client

Access Permission X509 certificate:
If WCF services are hosted in IIS or Windows service or so on, based on the hosted environment specific permission to be give for X509 certificate. For ex: if WCF service is hosted in IIS then ASPNET user (XP) permission must be given to the certifciate. Thus, this can be achived using Winhttpcertcfg.exe which will give the permission to specified certificate. Seperate download is available for this tool and also this tool is downloadable along this article itself.

//for grant ASPNET permission to TempCA.cer
cmd>winhttpcertcfg -g -c LOCAL_MACHINE\MY -s TempCA -a ASPNET

//for grant ASPNET permission to TEMPCA.pfx
cmd>winhttpcertcfg -i TempCA.pfx -g -c LOCAL_MACHINE\My -s TempCA -a ASPNET     
WCF Server Config:

Configure the WCF service to support X509 certificate as one of the security process. possible to configure the client level certificate authority in the server config file itself. Thus at the time of creating proxy class using svcutil.exe config file will be generated with certificate information (token).

XML
//web.config
<configuration>
<system.serviceModel>  
<service name="service1" behaviorConfiguration="beh1">
         <endpoint address="secure" contract="Icontract1" binding="wsHttpBinding" bindingConfiguration="binding1"></endpoint>
         <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<behaviors>
    <serviceBehaviors>
         <behavior name="beh1">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true"/>
              <serviceCredentials>
                <!--certificate storage path in the server -->
                <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"  storeName="My"/>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
                <!--certificate storage path in the client -->
                <clientCertificate>
                  <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </clientCertificate>                
                <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
              </serviceCredentials>
         </behavior>
     </serviceBehaviors>
     <endpointBehaviors>
        <behavior name="beh1">
          <clientCredentials>
            <!--certificate storage path in the client -->
            <clientCertificate findValue="TempCA" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
</behaviors>
<bindings>
     <wsHttpBinding>
        <binding name="binding1">
          <security mode="Message">
            <!--security mode of certificate -->
            <message establishSecurityContext="false" clientCredentialType="Certificate"/>
          </security>
        </binding>        
      </wsHttpBinding>
</bindings>
</system.serviceModel>
</configuration>

Client Config:(Auto generated using svcutil.exe)

Sample WCF client config file generated using svcutil.exe

XML
<!--app.config-->
    <client>
      <endpoint address="http://localhost/service1/servic1.svc/secure"
        binding="wsHttpBinding" bindingConfiguration="bind1"
        contract="Icontract1" name="WSHttpBinding_Icontract1">
        <identity>
          <certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" />
        </identity>
      </endpoint>      
    </client>      

After successful implementation of above points, when any request send from client to the server then the message will be digitally signed by the certifciate present in the client and the server

Image 3

Points of Interest

I have interested to start security implementation with WCF

History

April 29, 2008. First release

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Technical Lead Infosys Technologies
India India
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

 
QuestionHow .Net call a self-sign java web service Pin
lpbinh11-Mar-12 22:43
lpbinh11-Mar-12 22:43 
QuestionWhere is SignedByCA used? Pin
Rajeshjoseph21-Jan-12 3:58
Rajeshjoseph21-Jan-12 3:58 
QuestionSOAP Security negociation FAIL !! Pin
Member 775853116-Mar-11 2:40
Member 775853116-Mar-11 2:40 
GeneralASPNET account could not be found Pin
cilker2-Feb-11 3:11
cilker2-Feb-11 3:11 
GeneralTest Certificate versus Production Certificate Pin
DotNet_Naeem28-Aug-09 15:10
DotNet_Naeem28-Aug-09 15:10 
GeneralRe: Test Certificate versus Production Certificate Pin
DotNet_Naeem31-Aug-09 6:21
DotNet_Naeem31-Aug-09 6:21 
GeneralI only require signing of messages Pin
Ross1000018-Sep-08 6:14
Ross1000018-Sep-08 6:14 
GeneralRe: I only require signing of messages [modified] Pin
meetsenthilbtech6-Jan-09 22:43
meetsenthilbtech6-Jan-09 22:43 
General'Temporary' Certificate Pin
rctaubert9-Aug-08 14:35
rctaubert9-Aug-08 14:35 
GeneralRe: 'Temporary' Certificate Pin
meetsenthilbtech6-Jan-09 22:40
meetsenthilbtech6-Jan-09 22:40 
GeneralRe: 'Temporary' Certificate Pin
Loona7015-Sep-09 4:18
Loona7015-Sep-09 4:18 
Questionwinhttpcertcfg does not work, Access Denied Pin
RedCatsRic4-Aug-08 4:28
RedCatsRic4-Aug-08 4:28 
AnswerRe: winhttpcertcfg does not work, Access Denied Pin
meetsenthilbtech6-Jan-09 22:39
meetsenthilbtech6-Jan-09 22:39 
GeneralRe: winhttpcertcfg does not work, Access Denied Pin
John Kenedy S.Kom20-Sep-11 21:53
John Kenedy S.Kom20-Sep-11 21:53 
GeneralBig help for using wcf with certs from an asp.net page! Pin
Corgalore29-Jul-08 9:32
professionalCorgalore29-Jul-08 9:32 
GeneralGreat article! But.. Pin
DavidPrice10-Jun-08 6:38
DavidPrice10-Jun-08 6:38 
AnswerRe: Great article! But.. Pin
meetsenthilbtech10-Jun-08 19:15
meetsenthilbtech10-Jun-08 19:15 
GeneralRe: Great article! But.. Pin
Najam 8318-Jul-10 21:52
Najam 8318-Jul-10 21:52 
GeneralNice but have one question Pin
Salam Y. ELIAS29-May-08 7:18
professionalSalam Y. ELIAS29-May-08 7:18 
AnswerRe: Nice but have one question Pin
meetsenthilbtech29-May-08 18:27
meetsenthilbtech29-May-08 18:27 
GeneralRe: Nice but have one question Pin
Nisd3-Jan-10 23:24
Nisd3-Jan-10 23:24 
Questiondownloadable source code Pin
destructoDave12-May-08 17:41
destructoDave12-May-08 17:41 
Question.net support Pin
Loci5-May-08 20:38
Loci5-May-08 20:38 
AnswerRe: .net support Pin
meetsenthilbtech5-May-08 20:58
meetsenthilbtech5-May-08 20:58 
GeneralThank you for tutorial Pin
aclar30-Apr-08 11:02
aclar30-Apr-08 11:02 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.