Click here to Skip to main content
Click here to Skip to main content

Simple WCF - X509 Certificate

, 28 Apr 2008
Rate this:
Please Sign up or sign in to vote.
how to create Temporary X509 certificate and also to implement X509 Certificate security in WCF service and client

Introduction

This article will describe how to create Temporary X509 certificate and to implement X509 Certificate security in WCF service and client. This configuration can be simply done via in config file itself.

Using the Code

Creating X509 Certificate:

makecert.exe this tool will helpful to create X509 certificate. This tool is packed along with Microsoft .Net 2005 SDK and also be downloaded from micosoft site.

Step1: creating the temporary certificate TempCA.cer
Step2: Create SignedByCA.cer which is digitally sign and authorize by TempCA certificate
Step3: Import the certificate TempCA.cer using MMC in to "Trusted Root Certificate Authorities" folder (Localmachine)
Step4: Import the certificate SignedByCA.cer in to the personal folder

step1: makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
step2: makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

step3: Go to Start -> Run -> Type MMC -> File -> Add/Remove Snap-In -> StandAlone Tab -> Add Button -> Certificates -> Computer Account

step4: Import SignedByCA.cer in to Personal Folder




Export Certificate:To export the created certifciate to outside world, it is necessary to export the private key also. Thus it is possible to convert the certificate .cer and .pvk to .pfx (i.e TempCA.cer and TempCA.pvk to TempCA.pfx). Equivalent tool for this conversion is pvk2pfx.exe. This will be available in your <programfile>/Visual Studio 8/Common7/Tools/bin/pvk2pfx.exe

cmd> pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer      
this open wizard which will help to create .pfx file. Then you can distribute the PFX file to client

Access Permission X509 certificate:
If WCF services are hosted in IIS or Windows service or so on, based on the hosted environment specific permission to be give for X509 certificate. For ex: if WCF service is hosted in IIS then ASPNET user (XP) permission must be given to the certifciate. Thus, this can be achived using Winhttpcertcfg.exe which will give the permission to specified certificate. Seperate download is available for this tool and also this tool is downloadable along this article itself.

//for grant ASPNET permission to TempCA.cer
cmd>winhttpcertcfg -g -c LOCAL_MACHINE\MY -s TempCA -a ASPNET

//for grant ASPNET permission to TEMPCA.pfx
cmd>winhttpcertcfg -i TempCA.pfx -g -c LOCAL_MACHINE\My -s TempCA -a ASPNET     
        
WCF Server Config:

Configure the WCF service to support X509 certificate as one of the security process. possible to configure the client level certificate authority in the server config file itself. Thus at the time of creating proxy class using svcutil.exe config file will be generated with certificate information (token).

//web.config
<configuration>
<system.serviceModel>  
<service name="service1" behaviorConfiguration="beh1">
         <endpoint address="secure" contract="Icontract1" binding="wsHttpBinding" bindingConfiguration="binding1"></endpoint>
         <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
<behaviors>
    <serviceBehaviors>
         <behavior name="beh1">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true"/>
              <serviceCredentials>
                <!--<span class="code-comment">certificate storage path in the server --></span>
                <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine"  storeName="My"/>
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true"/>
                <!--<span class="code-comment">certificate storage path in the client --></span>
                <clientCertificate>
                  <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </clientCertificate>                
                <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
              </serviceCredentials>
         </behavior>
     </serviceBehaviors>
     <endpointBehaviors>
        <behavior name="beh1">
          <clientCredentials>
            <!--<span class="code-comment">certificate storage path in the client --></span>
            <clientCertificate findValue="TempCA" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
</behaviors>
<bindings>
     <wsHttpBinding>
        <binding name="binding1">
          <security mode="Message">
            <!--<span class="code-comment">security mode of certificate --></span>
            <message establishSecurityContext="false" clientCredentialType="Certificate"/>
          </security>
        </binding>        
      </wsHttpBinding>
</bindings>
</system.serviceModel>
</configuration>

Client Config:(Auto generated using svcutil.exe)

Sample WCF client config file generated using svcutil.exe

<!--<span class="code-comment">app.config--></span>
    <client>
      <endpoint address="http://localhost/service1/servic1.svc/secure"
        binding="wsHttpBinding" bindingConfiguration="bind1"
        contract="Icontract1" name="WSHttpBinding_Icontract1">
        <identity>
          <certificate encodedValue="AwAAAAEAAAAUAAAAOTDk6LO4LsMQaY+65EgACb==" />
        </identity>
      </endpoint>      
    </client>      
    

After successful implementation of above points, when any request send from client to the server then the message will be digitally signed by the certifciate present in the client and the server

Points of Interest

I have interested to start security implementation with WCF

History

April 29, 2008. First release

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

meetsenthilbtech
Technical Lead Infosys Technologies
India India
No Biography provided

Comments and Discussions

 
QuestionSOAP Security negociation FAIL !! PinmemberMember 775853116-Mar-11 2:40 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web03 | 2.8.140721.1 | Last Updated 29 Apr 2008
Article Copyright 2008 by meetsenthilbtech
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid