
The MSDN link says that X.509 certificates are used to authenticate a service. My questions are given below:

  1. What is the purpose of using certificates while opting for Message security with client credential of UserName?

  2. Is it not possible to use Message security with UserName client credential without using certificates at all?

  3. Can I use a self-signed certificate in production?

tshepang
arjun

1 Answer


1) What is the purpose of using certificates while opting for Message security with client credential of UserName?

The X509 Certificate creates a secure channel - it is used to encrypt and digitally sign messages. Additionally, it authenticates the service to the client.

2) Is it not possible to use Message security with UserName client credential without using a certificate?

Since the client's credential is just a username/password pair, you need some sort of mechanism to create the secure channel. However, you can get around this with a custom binding. See this link for such a binding.

3) Can I use a self-signed certificate in production?

You certainly can use them. Whether you should or not is something up for debate. It depends on your situation. For example, if you're doing some form of e-commerce then you definitely should use CA-signed certificates.

Derek W
  • 1) Are you saying that the encryption of messages wouldn't be possible without using a certificate? – arjun Mar 19 '14 at 01:11
  • How does the certificate authenticate the service to the client (I couldn't understand this process; could you please provide some link or blog to help understand it)? Another concern I have is that the use of a certificate does not allow the web service to run out of the box when shifting from the development to the production server. Is it possible to transfer the certificate? Does Windows Server have any default certificate that can be used so that the service runs out of the box just after deployment from server to server? – arjun Mar 19 '14 at 01:26
  • It is *possible* to provide encryption without a certificate, but it wouldn't be easy by any means to provide a decent level of security. The certificate allows for a common shared secret between the client and service. This allows for the encryption of messages in such a way that only the intended recipient could decrypt them. – Derek W Mar 19 '14 at 01:35
  • In regards to your first question: The client needs to validate the certificate provided by the service via some means - it's the credential provided by the service to the client. In this way, the client is ensured that it is communicating to the trusted service. – Derek W Mar 19 '14 at 02:03
  • Second question about exporting certificates, yes it is possible: http://windows.microsoft.com/en-us/windows/import-export-certificates-private-keys#1TC=windows-7 – Derek W Mar 19 '14 at 02:04
  • What do you suggest? The certificate created in the development server to be exported and import it again in the production? – arjun Mar 19 '14 at 02:35
  • I don't see why you couldn't do this. The only scenario I can think of where you wouldn't is if you were using a self-signed certificate in test environment and CA signed certificate in production. But you can export and transfer certificates between machines. – Derek W Mar 20 '14 at 12:21
  • Did I adequately answer all of your questions? – Derek W Mar 23 '14 at 16:17
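The configuration the answer describes (Message security with a UserName client credential, where the service's X.509 certificate signs and encrypts the messages and the client validates that certificate), as an added example that is not part of the original question or answer. Certificate subject names, type names and addresses are placeholders, and the client fragment assumes the same wsHttpBinding section is copied into the client config.

```xml
<!-- Service side (web.config fragment) -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="UserNameOverMessage">
        <!-- Message security: SOAP messages are signed and encrypted using the service certificate -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceCertBehavior">
        <serviceCredentials>
          <!-- The service's own X.509 credential (subject name is a placeholder) -->
          <serviceCertificate findValue="example-service" storeLocation="LocalMachine"
                              storeName="My" x509FindType="FindBySubjectName" />
          <!-- UserName tokens are checked by a custom validator (hypothetical type name) -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="Example.Auth.Validator, Example" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
<!-- Client side (app.config fragment): the client validates the certificate the service presents -->
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CheckServiceCert">
        <clientCredentials>
          <serviceCertificate>
            <!-- ChainTrust needs a CA-signed certificate; a self-signed one needs PeerTrust with the certificate in the client's TrustedPeople store -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="http://example-host/Service.svc" binding="wsHttpBinding"
              bindingConfiguration="UserNameOverMessage" behaviorConfiguration="CheckServiceCert"
              contract="Example.IService">
      <!-- Expected identity must match the certificate's subject (DNS) name -->
      <identity><dns value="example-service" /></identity>
    </endpoint>
  </client>
</system.serviceModel>
```

The username and password themselves are set at runtime on the proxy's ClientCredentials.UserName before the first call; moving the service certificate between machines (as discussed in the comments) means exporting it with its private key and changing findValue only if the subject name differs.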