
Here's my scenario:

I need to host a WCF web service app that will be consumed by multiple customers. Each customer is responsible for their own client app, and they will be building their client apps with different technologies. It's likely that none of their clients will be .Net (probably will be Java or something else).

I need to implement Message Level Security to abide by their policies (Transport security is not sufficient).

Given the above requirements, I am having a hard time understanding how to implement Message Security in WCF in a way that can be used by clients that I do not control. Everything I've read discusses the scenario where I would be building my own client, and where the client would even be in my network's domain.

If I implement Message Security with Certificate, can I install one certificate on my server and have each client be responsible for installing their own certificates on their servers? Would we then be able to use Message Security by simply sharing the Public Keys?

Stoop

1 Answer


Basically, what you're saying here in your last paragraph is true. You'd give the subscribers of your WCF service the public key (.cer) file that they'd install and register within the LocalMachine/My store of their client machines.

On the host side, you'd install the cert public key in your LocalMachine/TrustedPeople store and the private key (.pfx or .pvk) in the host LocalMachine/Personal store.

You can vary the location where you install/register the public and private keys a bit, but then you'd have to configure your WCF service to find those cert elements on your server. The clients would have to do the same.

This does work. I've done it.

You can automate some of this using a .bat file and the makecert.exe and certmgr.exe DOS commands to ensure everything gets installed in the correct places.

Brian
  • Sounds like I am on the right track, and it's great to hear that you have done exactly this. I just want to clarify one thing: I need to export the public key of my cert and give it to each client, and they need to import that cert on their side. In turn, they need to export the public keys of their individual certs, and I need to import those on my side. Correct? – Stoop Jan 16 '14 at 15:20
  • 1
    You only need to send your public key (.cer) to them since you're the host. You don't need any cert from them. They'll need to install your cert on any machines that will serve as clients of your host. For testing purposes, you can use certs you create yourself using the makecert function in windows. That will save you and your client some money, but when production time comes ... well, you know. – Brian Jan 17 '14 at 11:34
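The answer says the service has to be configured to find the certificate in the store it was installed in, and the question is specifically about clients that are not .NET. The following service-side configuration fragment is an added example, not code from the question or the answer above; the service and contract names (Acme.Orders.*), the hostname/subject name (svc.example.com) and the binding/behavior names are placeholders. It shows the wsHttpBinding settings that matter when the only thing a Java client holds is the service's public .cer distributed out of band, as the answer describes.

```xml
<!-- Added example (not from the original post): service-side WCF configuration for
     message security backed by a service certificate, aimed at non-.NET clients that
     have only been given the service's public .cer. Names and hostnames are placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="MsgSecOverX509">
        <security mode="Message">
          <!-- clientCredentialType="None": requests are encrypted and signed using the
               service certificate only; the caller is NOT authenticated. Switch to
               "UserName" or "Certificate" if customer policy requires caller authentication. -->
          <!-- negotiateServiceCredential="false": disables the WCF-only TLSNEGO/SPNEGO
               negotiation, so the client must already hold the service's public key.
               This is what makes handing out the .cer out of band necessary and sufficient. -->
          <!-- establishSecurityContext="false": no WS-SecureConversation session; every
               request is protected directly with the X.509 token, which interoperates
               with more non-WCF stacks. -->
          <message clientCredentialType="None"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false"
                   algorithmSuite="Basic256" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Acme.Orders.OrderService" behaviorConfiguration="X509ServiceCreds">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="MsgSecOverX509"
                contract="Acme.Orders.IOrderService">
        <!-- Identity advertised in WSDL/policy; clients compare it to the certificate subject. -->
        <identity>
          <dns value="svc.example.com" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="X509ServiceCreds">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- Private key installed in LocalMachine\My on the host, as the answer describes.
               FindBySubjectName does a substring match on the subject; in production prefer
               x509FindType="FindByThumbprint" so a second certificate with the same CN
               cannot be picked up by mistake. -->
          <serviceCertificate findValue="svc.example.com"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Two checks worth doing before handing the .cer to a customer: the Windows account the service runs under (the IIS application pool identity, or the Windows service account) needs Read permission on the private key in LocalMachine\My (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys), otherwise the host fails at startup with a "keyset does not exist" style error; and with clientCredentialType="None" the service has confidentiality and integrity but no idea who is calling, so any per-customer authorization has to come from a credential carried inside the message (UserName or a client Certificate), not from this binding alone.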