
I have a WCF application that is configured for transport security only. The web server hosting that application has an SSL cert installed for that app.

A customer is building their own client to consume the WCF services. Their development team is insisting that they need me to provide them with the SSL cert to be installed on their side.

This doesn't make sense to me. Why would they need me to export my cert and provide it to them? With transport security, doesn't it work just like a browser does where the connection simply goes over HTTPS without extra work on the client?

Before I tell them that they are wrong, I want to make sure I am right.

Stoop
  • I agree. As long as you are using an officially recognized certificate, they should be able to browse to your service using the browser (assuming you allow that) and install the public part of the certificate directly from the security warning page, as per usual. – 500 - Internal Server Error Apr 21 '14 at 22:41

1 Answer


I created a sample application for the scenario, and it is not necessary for the consuming client to include a certificate (given that configurations similar to those below are used).

WCF service with Transport security only

Bindings

<wsHttpBinding>
  <!-- Sample values: the 1 GB buffer/message quotas and the 10-day sendTimeout are generous; size them to the real payload in production. -->
  <binding name="wsHttpBindingConfiguration" receiveTimeout="00:10:00" sendTimeout="10.00:00:00"
           maxBufferPoolSize="1073741824" maxReceivedMessageSize="1073741824">
    <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
    <!-- Transport = HTTPS; clientCredentialType="None" means the client presents no certificate or other credential. -->
    <security mode="Transport">
      <transport clientCredentialType="None"/>
    </security>
  </binding>
</wsHttpBinding>

The configuration of the service endpoints

<service behaviorConfiguration="noClientCertBehavior" name="WCFCallbackTry.Service1">
  <endpoint address="https://machineName:8056/Service1.svc" binding="wsHttpBinding"
            bindingConfiguration="wsHttpBindingConfiguration" contract="WCFCallbackTry.IService"
            name="HttpsEndPoint" />
  <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
  <host>
    <baseAddresses>
      <add baseAddress="https://machineName:8056/Service1.svc"/>
    </baseAddresses>
  </host>
</service>

Service Behavior

<behavior name="noClientCertBehavior">
  <!-- Debugging aid only: returns exception details (including stack traces) to callers. Set to false in production. -->
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <serviceMetadata httpsGetEnabled="true"/>
  <!-- Not consulted for Transport security over HTTPS: the SSL certificate on the port comes from the IIS site
       binding or "netsh http add sslcert". This element is what message-level security uses. -->
  <serviceCredentials>
    <serviceCertificate findValue="9d4c41cde9d2b82d751a1234fd2eb6df98d3b576" storeLocation="LocalMachine"
                        storeName="My" x509FindType="FindByThumbprint"/>
  </serviceCredentials>
</behavior>

Client

Bindings and endpoint

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="HttpsEndPoint">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://machineName:8056/Service1.svc" binding="wsHttpBinding"
              bindingConfiguration="HttpsEndPoint" contract="ServiceReference1.IService"
              name="HttpsEndPoint" />
  </client>
</system.serviceModel>

See the link for more information on different configurations.

Note: Client and Service reside on the same machine.

dera
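The two sides of what the question is about, as an added C# example that is not from the question or the answer (and that goes one step beyond their scenario by also covering a certificate that is not publicly trusted): on the service host, exporting only the public part of the certificate found by the same thumbprint lookup the answer's serviceCredentials use; on the consumer, accepting the server certificate only when it chains to the machine's trusted roots or to exactly the hand-delivered certificate. It assumes .NET Framework 4.x; the thumbprint, file paths and the ServiceReference1.ServiceClient proxy name are hypothetical.

```csharp
// Added example (not from the question or the answer). Assumes .NET Framework 4.x.
// The thumbprint, file paths and the ServiceReference1.ServiceClient proxy name are
// hypothetical; the binding/endpoint names match the answer's configuration.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class WcfTransportTrust
{
    // Service side: hand the consumer the public certificate only.
    // Same lookup as the answer's <serviceCertificate ... x509FindType="FindByThumbprint"/>.
    // If the service cert is self-signed, export it; if it was issued by a private CA,
    // run this with the CA's thumbprint instead and hand over the CA certificate.
    public static void ExportPublicPart(string thumbprint, string outputCerPath)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count != 1)
                throw new InvalidOperationException("expected exactly one certificate with thumbprint " + thumbprint);

            // X509ContentType.Cert is the DER-encoded certificate without the private key.
            // X509ContentType.Pfx would include the private key and must never be given to
            // a consumer: they only need to trust the certificate, not to present it.
            File.WriteAllBytes(outputCerPath, matches[0].Export(X509ContentType.Cert));
        }
        finally
        {
            store.Close();
        }
    }

    // Client side. With a certificate from a public CA the default validation passes
    // (errors == None) and nothing below is needed: the HttpsEndPoint binding works
    // exactly like a browser. If the service uses a private CA or a self-signed cert,
    // the consumer installs the exported .cer in Trusted Root, or validates against it
    // explicitly as here. Never use the common shortcut
    //     ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
    // which accepts any certificate and leaves the channel open to man-in-the-middle.
    public static bool ValidateAgainstTrustedCert(X509Certificate2 serverCert,
        SslPolicyErrors errors, X509Certificate2 trustedCert)
    {
        if (errors == SslPolicyErrors.None)
            return true;                                   // chains to the machine's trusted roots

        // Anything other than a pure chain error (name mismatch, no certificate) is fatal.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        // Rebuild the chain with the hand-delivered cert available. The flag lets Build
        // succeed with an untrusted root so that the root can be pinned below.
        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(trustedCert);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        // A private CA usually publishes no reachable CRL; switch to Online if it does.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(serverCert))
            return false;

        // Accept only if the chain terminates in exactly the certificate we were given
        // (for a self-signed service cert that root is the server cert itself).
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, trustedCert.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // On the service host (hypothetical thumbprint and path):
        ExportPublicPart("9d4c41cde9d2b82d751a1234fd2eb6df98d3b576", @"C:\temp\service-public.cer");

        // On the consumer, only when the cert is not publicly trusted. The callback is
        // process-wide in .NET Framework and applies to every HTTPS call, WCF included.
        var trustedCert = new X509Certificate2(@"C:\temp\service-public.cer");
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
                ValidateAgainstTrustedCert(new X509Certificate2(cert), errors, trustedCert);

        // Hypothetical generated proxy for the HttpsEndPoint client endpoint in the answer.
        // var client = new ServiceReference1.ServiceClient("HttpsEndPoint");
        // client.DoWork();
    }
}
```

For the answer's own scenario (client and service on one machine with a certificate already trusted there) none of the client-side code is needed; it is only for the case where the customer's machines do not already trust the issuer, and even then the right fix is usually to install the .cer in their Trusted Root store rather than to ship code.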