
We have multiple programs hitting one WCF Service. When a client sends a message they get to define both a client certificate and a service certificate, to do signing and encryption. As far as I know a service can set both at start up. But I'm finding it difficult to see how a service would check certificates on a per request basis.

If program A uses a certificate and program B uses a different certificate, is there a way to tell WCF how to look up those certs without using the Windows certificate store? I know how to load an X509Certificate2 from a file but can't seem to find what piece needs to be overridden to tell it to use a specific cert based on what is coming in. Everything I have done so far looks for that client's cert in the cert store. Business rules would rather we placed them somewhere else that we are encrypting. I would like program A's request to use one file and program B's request to use another that I can specify.

DoomVroom
  • When you say client certificate, do you mean the certificate that the client uses to prove its identity to the service? And when you say service certificate, do you mean the certificate that the WCF service uses to prove its identity to the client? – Yacoub Massad Sep 10 '15 at 00:14
  • The nature of SSL certificates should solve this problem for you. If you supply different certificates for your programs and have them use the different ones when calling your service, everything will work, as long as they are issued by the same trusted root authority. – fanuc_bob Sep 10 '15 at 13:40
  • @YacoubMassad yes that is what I meant by those terms. – DoomVroom Sep 10 '15 at 13:54
  • @fanuc_bob we are just starting to use WCF but we will be using 100+ programs so we don't want to have to manage the certs by installing them in the MMC. We were hoping to do it another way. But that would be dependent on us breaking away from the MMC. – DoomVroom Sep 10 '15 at 13:56

1 Answer

In order to do client authentication, you actually need a certificate + a private key, i.e., not just a certificate.

You need a .PFX file that contains both a certificate and its corresponding private key. PFX files are password protected.

Here is some sample code:

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;

// 'Client' is the generated WCF proxy class (derives from ClientBase<T>).
Client client = new Client();

// Load the certificate together with its private key from the password-protected .pfx file.
var cert = new X509Certificate2(File.ReadAllBytes("c:\\certificate_with_key.pfx"), "pfx_password");

client.ClientCredentials.ClientCertificate.Certificate = cert;
```
Yacoub Massad
  • The problem we had was we were creating certs and installing them to the CertStore with a tool and the private key was not made exportable. The pfx file was missing the private key when we tried to export them and use them as a file reference. – DoomVroom Sep 11 '15 at 16:49
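The service-side counterpart of the client snippet in the answer, added here as an example and not part of Yacoub Massad's answer or the asker's code: a custom X509CertificateValidator that checks each presented client certificate against a set of .cer files on disk instead of the Windows certificate store, which is what the question asks for. The names FileBackedCertificateValidator and HostSetup, and the directory and .pfx path arguments, are assumptions; WCF calls Validate for every authenticated request or secure session, so the check runs per request.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator: accepts only client certificates whose thumbprint matches
// one of the public certificates (.cer files) loaded from a directory on disk.
public class FileBackedCertificateValidator : X509CertificateValidator
{
    private readonly Dictionary<string, X509Certificate2> _trusted = new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);

    public FileBackedCertificateValidator(string trustedCertDirectory)
    {
        // Only public certificates are needed here; the service never holds client private keys.
        foreach (var path in Directory.GetFiles(trustedCertDirectory, "*.cer"))
        {
            var cert = new X509Certificate2(File.ReadAllBytes(path));
            _trusted[cert.Thumbprint] = cert;
        }
    }

    public override void Validate(X509Certificate2 certificate)
    {
        X509Certificate2 known;
        if (certificate == null || !_trusted.TryGetValue(certificate.Thumbprint, out known))
            throw new SecurityTokenValidationException("Client certificate is not in the trusted set.");
        // The thumbprint pins the exact certificate; still reject expired or not-yet-valid ones.
        var now = DateTime.Now;
        if (now < known.NotBefore || now > known.NotAfter)
            throw new SecurityTokenValidationException("Trusted client certificate is outside its validity period.");
    }
}

public static class HostSetup
{
    // Wires the service certificate and the validator into the caller's own ServiceHost instance.
    public static void Configure(ServiceHost host, string serviceCertPfx, string pfxPassword, string trustedDir)
    {
        host.Credentials.ServiceCertificate.Certificate =
            new X509Certificate2(File.ReadAllBytes(serviceCertPfx), pfxPassword);
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new FileBackedCertificateValidator(trustedDir);
    }
}
```

Call HostSetup.Configure before host.Open(); the directory of .cer files then replaces the MMC-managed store, and only the service's own .pfx needs a private key.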