WCF: Client Certificate Sample/POC Using MakeCert.exe
Issue:
I came across one customer who was working on a POC project to demonstrate the usage of Client Certificate for authentication at transport level security.
Architecture:
Create a sample with following criteria:
- Transport Security (Net.Tcp / HTTPS)
- Client Credential as Client Certificate
Challenge:
Big challenge is how to test the POC/Sample with the certificates.
We need to get Server/Client certificates from Trusted Providers like RapidSSL, Go Daddy, etc
Solution:
We suggest our customer to use MakeCert.exe utility to create the server and client certificates.
Now remember these certificates are only meant for testing environment and should never be used on Production.
Using with WCF
Certificate created via MakeCert.exe are be default not so much complaint with WCF and testing always start with error.
That's the primary reason I started writing this blog.
Below steps will demonstrate using MakeCert.exe with correct commands, along with relevant WCF configuration to handle all errors :)
Steps (Script location at end):
- Get the Certificate Authority ready with the help of CA.cmd script.
- Get the Server Certificate ready with the help of SSLCert.cmd
- Get the Client Certificate ready with the help of ClientCert.cmd
Please notes:
Default password used is "123".
So make sure when you install the above cert directly, use password as "123" (without quote).
Now lets take a look on WCF configuration needed:
Server Side WCF Configuration:
Observation:
- Binding using the Transport level security via Net.Tcp binding
- I have added an extra Http end point, so that I can check my service WSDL and end points easily.
- Inside the Service Behavior, we need to add the Server Cert for Net.Tcp binding (we can skip this, if using HTTPS)
- Finally Client Certificate Validation Mode is set to None, because certificate created via MakeCert.exe fails with Chain Build error.
Client Side WCF Configuration
Observation:
- Binding using the Transport level security via Net.Tcp binding
- I have specified the Client end point identity, as DNS value exhibited via WSDL (I used "xyz.com" because I issued the server cert to "xyz.com").
- Inside the Client Behavior, we need to add the Client Cert used for authenticating the client.
- Finally Server Certificate Validation Mode is set to None, because certificate created via MakeCert.exe fails with Chain Build error.
I have shared the sample certificates and scripts at below location and you can use the directly.
Sample and Certificates /Script Location:
<1drv.ms/1NKDjcC>
I hope this helps !
Comments
- Anonymous
August 27, 2015
This is very helpful, Thanks