
I purchased a real SSL certificate to authenticate my computer and the domain I am hosting some WCF services under.

How can I use MakeCert to create a client certificate signed by this authentic certificate to use on client computers to authenticate that they are connected to the correct (my) server?

The client certificate will be used to authenticate the use of a WCF service on my server.

Asked by test

1 Answer (score 5)
  1. In general you can't. Each certificate is issued for a particular purpose (key usage). In your case it's most likely SSL authentication. Such certificates can't be used to sign other certificates (well, technically they can, but such a signature won't be accepted during validation). CA-capable certificates cost a fortune, and you need to meet certain organizational requirements.

  2. You don't need to create a client certificate just to authenticate the server; the server's certificate is used for this purpose. Client certificates are used to tell the server who the clients are, i.e. for client authentication on the server. And for such certificates you don't need to sign them with the server's certificate: you can either create self-signed client certificates or create one self-signed certificate which will act as a CA and make it trusted on the server. Then use this self-signed certificate to issue client certificates.

Doing all of the above requires an understanding of how PKI and X.509 certificates work (and BTW they are not "SSL certificates" and are not related to SSL).

Answered by Eugene Mayevski 'Callback
  • Everything is correct except your last parenthetical statement. "SSL certificates" is a common term used by commercial CAs to describe X.509 certificates with extended key usage for server authentication. So all SSL certificates are X.509 certificates, but not all X.509 certificates are SSL certificates. More info here: http://security.stackexchange.com/questions/36932/what-is-the-difference-between-ssl-and-x-509-certificates – Oran Dennison Mar 10 '15 at 21:40
  • @OranDennison This has been discussed many times before on SO. *Strictly speaking* X.509 certificates are not named "SSL certificates" and it's a good idea to educate programmers and have them use correct terms. I.e. the purpose of my clarification is to make people understand how they are named right. We are security specialists, not marketers, so we have to use correct terms, not marketing BS. – Eugene Mayevski 'Callback Mar 11 '15 at 18:55
  • @EugeneMayevski'EldoSCorp to be sure: are these steps correct for production: 1. create a CA using makecert, 2. install this CA on the web server, 3. create client certificates using this CA. – mtkachenko Dec 08 '15 at 10:12
  • @oblomov86 depends on your goals. I can't answer without knowing what exactly you are trying to achieve. – Eugene Mayevski 'Callback Dec 08 '15 at 11:54
  • @EugeneMayevski'EldoSCorp I need to use client certificates in production. I can create them using a CA which is created by me too. I suppose if the CA is installed on the web server, the client will be able to work with my client certificates without problems. – mtkachenko Dec 08 '15 at 12:13
  • @oblomov86 no, "CA" "installed" has nothing to do with whether the clients accept the specific certificate. I think it makes sense to read a book or two on how PKI works. We have a couple of references to good books here: https://www.eldos.com/forum/read.php?FID=7&TID=1842 – Eugene Mayevski 'Callback Dec 09 '15 at 13:05
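The private-CA approach from the answer (one self-signed certificate acting as a CA, trusted on the server, issuing client certificates) and the reason behind its point 1 (an end-entity certificate cannot act as an issuer), as an added example that is not code from the question, the answer or the comments. It substitutes the OpenSSL command-line tool for MakeCert, so it assumes `openssl` is installed; every subject name and file name in it (Example Private Client CA, client-01, server.example.test, ca.crt and so on) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): the answer's private-CA
# approach done with OpenSSL instead of MakeCert. A self-signed CA:TRUE root issues
# clientAuth leaf certificates; the server trusts only that root. It also shows why an
# end-entity server certificate cannot act as an issuer: signing with it may be
# mechanically possible, but its basicConstraints CA:FALSE (and a keyUsage without
# keyCertSign) make every chain built through it fail validation.
# All subject and file names below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal request config so "openssl req" runs unattended (no interactive prompts).
req_conf() {  # $1 = subject CN
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"
}

# Step 1: a self-signed root that is explicitly CA-capable (CA:TRUE + keyCertSign).
# This is the certificate the server would be configured to trust.
make_ca() {
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
}

# Step 2: issue an end-entity certificate from an issuer cert/key pair.
#   $1 = subject CN   $2 = extendedKeyUsage (clientAuth|serverAuth)
#   $3 = issuer cert  $4 = issuer key   $5 = output basename
issue_leaf() {
  req_conf "$1" > "$5.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$5.cnf" \
    -keyout "$5.key" -out "$5.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$2" > "$5.ext"
  openssl x509 -req -sha256 -days 365 -in "$5.csr" -CA "$3" -CAkey "$4" \
    -CAcreateserial -extfile "$5.ext" -out "$5.crt" 2>/dev/null
}

# Step 3: validate a presented certificate the way a server would, for a given purpose.
#   $1 = purpose (sslclient|sslserver)  $2 = trusted root  $3 = leaf  $4.. = untrusted intermediates
verify_for() {
  purpose=$1; root=$2; leaf=$3; shift 3
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # $untrusted is intentionally unquoted: it expands to zero or more "-untrusted FILE" pairs
  openssl verify -purpose "$purpose" -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

make_ca
issue_leaf "client-01"           clientAuth ca.crt ca.key client
issue_leaf "server.example.test" serverAuth ca.crt ca.key server

# Answer point 2: the server trusts ca.crt, so a client certificate it issued validates.
client_ok() { verify_for sslclient ca.crt client.crt; }

# A certificate is issued for a purpose: the same client cert is not acceptable as a server cert.
client_as_server_rejected() { ! verify_for sslserver ca.crt client.crt; }

# Answer point 1: an end-entity server cert "signing" a client cert. Either OpenSSL refuses
# to sign at all, or the chain client-02 -> server -> CA fails because the server cert is
# CA:FALSE and lacks keyCertSign. Either way the result is never accepted.
server_as_issuer_rejected() {
  if issue_leaf "client-02" clientAuth server.crt server.key badclient; then
    ! verify_for sslclient ca.crt badclient.crt server.crt
  fi
}

for check in client_ok client_as_server_rejected server_as_issuer_rejected; do
  if "$check"; then echo "$check: as expected"; else echo "$check: UNEXPECTED"; fi
done
```

The three artifacts this produces (a CA:TRUE root, clientAuth leaves issued by it, and a server that trusts only that root) are the same ones the comment's makecert outline (create a CA, install it on the web server, create client certificates from it) is meant to produce; the server-side half is that the root sits in the server's trusted store and the service is configured to require a client certificate and validate its chain to that root, which "installing" the CA alone does not configure.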