We need a valid certificate to authenticate a client and a service. Here, valid means that the certificates should be generated by a Certificate Authority. A certificate authority can be any third party certificate authority [recommended in case of production] or we can create our own certificate authority [DEV STAGE ONLY]. Once we get the Certificate Authority, we need to create different certificates for different components.
Follow the below process to create a certificate authority. I am using “makecert” for creating a certificate authority.
Launch Visual Studio command prompt to use makecert. The name of my certificate authority is “Dev Certification Authority”. Below is the command to create the certificate authority. It will ask to set a password, go ahead and set it. You have to remember this password as we are going to use this at the time of generating the service and the client certificates.
>>makecert -pe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Dev Certification Authority" -len 2048 -ss My -sr localmachine -sky exchange
After entering the password, it gave an error to me. The reason is that I tried to execute it many times so this was already available with me. For that, we need to delete the existing key and try to create a certificate once again. Use the below mentioned two commands to delete a key.
>>DEL SignRoot.pvk
>>DEL SignRoot.cer
Here, I have deleted the existing subject keys. Now, try to execute the certificate creation command again.
>>makecert -pe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Dev Certification Authority" -len 2048 -ss My -sr localmachine -sky exchange
It will ask you to enter a password. Enter it and go ahead.
Here, we have created a certificate authority successfully. To verify it, launch Run>>MMC. It will launch the Window MMC as below.
Click File >> Add/Remove Snap-in. It will open the "Add Snap-in" window. Select certificate in the available snap-in list. Click Add >.
Select "Computer Account" and click "Next".
It will open the Console Root as below.
Expand certificates -Local Computer.>> Personal>> Certificates. Then, you can see the certificate which we created using the makecert command.
“Dev Certification Authority”.
Double-click that certificate to see the properties. You can see that this certificate is not trusted. We need to add this certificate in “Trusted Root Certification Authority”.
To do so, copy this certificate and paste in the “Trusted Root Certification Authority” field.
Now, go to Personal>>Certificate and then double-click the certificate. You will see the result as below. Our certificate is valid. That means now our certificate authority is a trusted certificate authority.
Now, let's create certificates for our service and client. My certificate authority will issue me certificates which I will use for authentication in WCF. Here, I have one service and one client. So, I will generate two certificates in my certificate authority.
Launch Visual Studio command prompt and execute the below commands. It will ask us to enter the issuer's password. Enter the password which you have entered at the time of the creation of the certificate authority.
Command for Service,
>>makecert -pe -sk ServerCert -iv SignRoot.pvk -n "CN=ServerCert" -ic signroot.cer ServerCert.cer -sr localmachine -ss My -sky exchange
Command for Client,
>>makecert -pe -sk ClientCert -iv SignRoot.pvk -n "CN=ClientCert" -ic signroot.cer ClientCert.cer -sr localmachine -ss My -sky exchange
Once we have executed this, it will generate certificates in Personal>>Certificates.
Now, we are ready with certificates.
Server Certificate
Client Certificate
Export these certificates
Now, we will export these certificates so that we can import them wherever we are going to use them.
Launch MMC Console, Personal>>Certificates>>Select Certificate>> RightClick on Dev Certificate Authority>>All Task>> Export>> Next.
Click Next>> Browse File to Save>>Next>>Finish.
See the saved location for verification.
Now, we will export the Server Cert and Client Cert. But there is one additional thing. I want two different certificates of Server. One is Private key cert and another is Public key. Same for the Client Cert. So, here, I will generate 4 different certificates.I will explain at a later stage why I am creating this.
- Server Private Key
- Server Public Key
- Client Private Key
- Client Public Key
Right-click on the respective certificate and select the "Export" option and go ahead. In the Certificate Export wizard, it will give an option to export the private key or public key. We will execute it twice as we want a private key as well as a public key.
In the end, we will have 5 certificates.
- Certificate Authority certificate
- Server Private Key
- Server Public Key
- Client Private Key
- Client Public Key
Now, we want to use these certificates in WCF for message security. For that, we need to create one service and one client. We need two machines. One for running our service and one for running a client.
Certificate related operations to be performed at Server Machine
I need to import the Certificate Authority certificate at the server machine and place it in the “Trusted Root Certificate Authority” folder.
Import Servers Private key & keep a copy of it in Trusted People Folder as well as Personal Folder.
Import Client Public key & keep a copy of it only in Trusted People Folder.
Certificate related operations to be performed at Client Machine
Import Client Private Key and keep a copy of it in the Trusted People folder as well as in Personal folder.
Import Server Public key and keep a copy of it only in the Trusted People folder.
So now, we are done with placing certificates. Its time to use them in WCF service.
WCF Service Config File
- <?xml version="1.0" encoding="utf-8" ?>
- <configuration>
- <startup>
- <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
- </startup>
- <system.serviceModel>
- <behaviors>
- <serviceBehaviors>
- <behavior name="SecurityBehavior">
- <serviceDebug includeExceptionDetailInFaults="True" />
- <serviceCredentials>
- <serviceCertificate findValue="ServerCert" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
- <clientCertificate>
- <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" revocationMode="NoCheck"
- mapClientCertificateToWindowsAccount="false" />
- </clientCertificate>
- </serviceCredentials>
- </behavior>
- </serviceBehaviors>
- </behaviors>
- <services>
- <service name="SampleWCFServiceLibrary.Service1" behaviorConfiguration="SecurityBehavior">
- <endpoint address="Service1" binding="netTcpBinding" contract="SampleWCFServiceLibrary.IService1" bindingConfiguration="SecuredBinding"></endpoint>
- <host>
- <baseAddresses>
- <add baseAddress="net.tcp://192.168.1.48:8798"/>
- </baseAddresses>
- </host>
- </service>
- </services>
- <bindings>
- <netTcpBinding>
- <binding name="SecuredBinding" >
- <security mode="Message">
- <message clientCredentialType="Certificate" ></message>
- </security>
- </binding>
- </netTcpBinding>
- </bindings>
- </system.serviceModel>
- </configuration>
Client’s Config File
- <?xml version="1.0" encoding="utf-8" ?>
- <configuration>
- <startup>
- <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
- </startup>
- <system.serviceModel>
- <bindings>
- <netTcpBinding>
- <binding name="NetTcpBinding_IService1" closeTimeout="00:01:00"
- openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
- maxReceivedMessageSize="65536"
- maxBufferPoolSize="524288" >
- <security mode="Message">
- <message clientCredentialType="Certificate" />
- </security>
- </binding>
- </netTcpBinding>
- </bindings>
- <client>
- <endpoint address="net.tcp://192.168.1.48:8798/Service1" binding="netTcpBinding" behaviorConfiguration="endpointCredentialBehavior"
- bindingConfiguration="NetTcpBinding_IService1" contract="ServiceReference1.IService1"
- name="NetTcpBinding_IService1">
- <identity>
- <dns value="ServerCert" />
- </identity>
- </endpoint>
- </client>
- <behaviors>
- <endpointBehaviors>
- <behavior name="endpointCredentialBehavior">
- <clientCredentials>
- <clientCertificate findValue="ClientCert"
- storeLocation="CurrentUser"
- storeName="My"
- x509FindType="FindBySubjectName" />
- <serviceCertificate >
- <authentication certificateValidationMode="PeerTrust"/>
- </serviceCertificate>
- </clientCredentials>
- </behavior>
- </endpointBehaviors>
- </behaviors>
- </system.serviceModel>
- </configuration>
You need to change binding address according to your machine's IP.
I have attached the source code of service as well as the client. Compile it and run it.