
I have a common use case: implementing a web service (WCF) and a web client which consumes this web service. Both the client and the service send and receive signed and encrypted messages (message-level security).

I can have multiple clients that use my service, hence multiple client certificates need to be installed on the server where the service project is running.

I have installed 2 certificates (service certificate and client certificate) in the local machine store under Personal and Trusted Root Certification Authorities.

makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFServer" -len 2048 -sky exchange -pe

makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFClient" -len 2048 -sky exchange -pe

Although the certificate gives me the error "integrity of licence can not be guaranteed", for now I don't care about this issue.

The web client needs to sign the request message with its own private key and encrypt the message with the service certificate's public key.

The service receives the request, verifies the signature of the message with the client's public key and decrypts the contents with its own private key.

Then it processes the request and creates a response object. Now the service must sign the response with its own private key and encrypt the message with the client's public key.

Now the client gets the signed and encrypted response. It verifies the response with the service's public key and decrypts the message with its own private key.

This is the whole scenario. I have installed both (client and service) X.509 certificates on my local development machine. I am using wsHttpBinding and communication is working fine.

I am using [ServiceContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)] for the ServiceContract and [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, IsOneWay = false)] for the OperationContract.

I have the following question: do I need to sign and encrypt/decrypt the request or response message in my code (once in the client and once in the service code), or are the configurations in web.config in the service project and the client project enough to do all this?

I went through the following Code Project article and it's working fine: http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF

My source code (Visual Studio project), including both certificates, is available on Bitbucket for download here

Can anyone tell me whether I need to do all this in code, or whether it is already done through my current configuration?

Thanks in advance.

sezanawa

3 Answers


I got the following answer from the MSDN forum.

Do I need to sign and encrypt/decrypt the request or response message in my code (once in the client and once in the service code), or are the configurations in web.config in the service project and the client project enough to do all this?

If we have configured the service to use certificate authentication in the config file, then, as you said, all the response and request messages will be encrypted/decrypted by the client certificate's private key/public key and the service certificate's private key/public key. So in my mind it is enough to do all the stuff in the configuration file.

For more information, please try to refer to the following articles:

Certificate authentication:

https://msdn.microsoft.com/en-us/library/ff648360.aspx

Message and Transport Security:

https://msdn.microsoft.com/en-us/library/ff648863.aspx

sezanawa
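To make the answer concrete, here is an added example of what "doing it all in the configuration file" looks like for the scenario in the question. This is not code from the original post, the MSDN thread or the linked Bitbucket project; it is a service web.config fragment and a client app.config fragment written for this page. The certificate subject names WCFServer and WCFClient come from the makecert commands above; the service/contract names (WcfService.Service1, WcfService.IService1, ServiceReference.IService1), the endpoint URL and the behavior/binding names are assumptions chosen for illustration. With this in place WCF signs and encrypts every request and response with the certificates named here, and the service and client code contain no cryptographic calls at all.

```xml
<!-- ===== Service side: web.config (added example, names are assumptions) ===== -->
<system.serviceModel>
  <services>
    <service name="WcfService.Service1" behaviorConfiguration="certBehavior">
      <!-- Application endpoint: wsHttpBinding with message security -->
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="certMessageSecurity"
                contract="WcfService.IService1" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <bindings>
    <wsHttpBinding>
      <binding name="certMessageSecurity">
        <security mode="Message">
          <!-- clientCredentialType="Certificate": the client authenticates with its own X.509 cert.
               negotiateServiceCredential="false": the client must already hold the service's
               public certificate (distributed out of band) instead of fetching it at runtime.
               establishSecurityContext="false": no WS-SecureConversation session; every message
               carries the X.509 signature and encryption directly, as the question describes. -->
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="certBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- Service's own certificate (with private key) in LocalMachine\My: used to sign
               responses and to decrypt requests. -->
          <serviceCertificate findValue="WCFServer"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- How incoming client certificates are validated. PeerTrust accepts a certificate
               only if that exact certificate is installed in the TrustedPeople store, which
               suits self-signed makecert certificates. ChainTrust (the default) needs an
               issuer in Trusted Root. revocationMode="NoCheck" is only for self-signed
               development certificates that have no CRL. -->
          <clientCertificate>
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine"
                            revocationMode="NoCheck" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- ===== Client side: app.config (added example, names are assumptions) ===== -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Must match the service binding exactly. -->
      <binding name="certMessageSecurity">
        <security mode="Message">
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <client>
    <endpoint address="http://localhost:8080/Service1.svc"
              binding="wsHttpBinding"
              bindingConfiguration="certMessageSecurity"
              contract="ServiceReference.IService1"
              behaviorConfiguration="clientCertBehavior">
      <!-- Expected identity of the service; must match the service certificate's CN. -->
      <identity>
        <dns value="WCFServer" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <endpointBehaviors>
      <behavior name="clientCertBehavior">
        <clientCredentials>
          <!-- Client's own certificate (with private key): signs requests, decrypts responses. -->
          <clientCertificate findValue="WCFClient"
                             storeLocation="LocalMachine"
                             storeName="My"
                             x509FindType="FindBySubjectName" />
          <serviceCertificate>
            <!-- Service's public certificate: encrypts requests, verifies response signatures. -->
            <defaultCertificate findValue="WCFServer"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine"
                            revocationMode="NoCheck" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

Two practical checks when wiring this up. First, the account running the service (the IIS application pool identity) needs read access to the private key of the WCFServer certificate, otherwise the channel fails at startup with a private-key error; the same applies to the client process and the WCFClient key. Second, with PeerTrust the service validates a client certificate by looking it up in LocalMachine\TrustedPeople, so the client's public certificate (exported without the private key) goes into that store on the service host rather than into Trusted Root; placing a self-signed leaf certificate in Trusted Root makes it a trust anchor for everything on the machine, which is a broader grant than this scenario needs.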

I have a few more questions which maybe someone can answer for me.

  1. I have multiple clients (external web applications) which will access my service. Does each client need to create their own certificate? Will the client deliver us the certificate without the private key, which then needs to be installed on the service host server? Is this the correct way?

  2. Does each client certificate need to be configured in web.config?

  3. I need to export my service certificate without the private key and send it to the clients. The clients must install and configure the certificate on their application server? Is this correct?

sezanawa