.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
 
Sign In
Register
 
Win Surprise Gifts!!!
Congratulations!!!


Top 5 Contributors of the Month
david stephan

Home >> Articles >> WCF >> Post New Resource Bookmark and Share   

 Subscribe to Articles

9 simple steps to enable X.509 certificates on WCF

Posted By:Shivprasad koirala       Posted Date: May 23, 2009    Points: 25    Category: WCF    URL: http://www.questpond.com  
 

9 simple steps to enable X.509 certificates on WCF

Introduction and Goal

Beginner WCF FAQ's

Step 1:- Create client and server certificates

Step 2 :- Copy the certificates in trusted people certificates

Step 3 :- Specify the certification path and mode in the WCF service web.config file

Step4 :- Define binding

Step5 :- Tie up the bindings with end point

Step 6 :- Make your web application client for consuming the WCF service

Step 7 :- Define certificates in WCF client

Step 8 :- Tie up the behavior with end point on WCF client

Step 9 :- Enjoy your hard work

Download code
 

 

Introduction and Goal
 

In this article we will discuss how we can enable certificates on WCF service. WCF has two modes by which it transfers data one is the transport and the other is the message. This tutorial will concentrate on how we can enable certificates on message mode of data transfer.

Now a days I am distributing my 400 questions and answers ebook which covers major .NET related topics like WCF,WPF,WWF,Ajax,Core .NET,SQL Server,Architecture and lot more. I am sure you will enjoy this ebook.
http://www.questpond.com/SampleDotNetInterviewQuestionBook.zip .
 

Beginner WCF FAQ's
 

In case you are fresh to WCF please refer the below two WCF FAQ articles.

WCF FAQ Part 1  :- This is a 20 question FAQ for beginners which explains basic concepts of WCF like End points , contracts and bindings. It also discusses about various hosting methodologies of WCF service. The article finally ends talking about bindings and one ways operations in WCF.


WCF FAQ part 2  :- This FAQ covers 10 questions which talks about concepts like duplex contracts , hosting WCF on different protocols , MSMQ bindings , transaction isolation levels and two way communication. The article finally ends talking about two queues volatile and dead letter queue.
 

Step 1:- Create client and server certificates
 

Create two certificates one for the server and the other for the client using makecert.exe. You can get makecert.exe from "C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\Bin" folder. So you can goto dos prompt and run the below command snippet.
 

makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfServer -sky exchange -pe
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfClient -sky exchange -pe

Below is a detailed explanation of various attributes specified in the 'makecert.exe'.

Attribute

Explanation

-sr

Specifies the registry location of the certificate store. The SubjectCertStoreLocation argument must be either of the following:
currentUser
Specifies the registry location HKEY_CURRENT_USER.
localMachine
Specifies the registry location HKEY_LOCAL_MACHINE.

-ss

Specifies the name of the certificate store where the generated certificate is saved.

-a

Specifies the algorithm. Can be either MD5 or SHA1.

-n

Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format.If the /n switch is not specified; the default name of the certificate is "Joe's Software Emporium".

-sky

Specifies how will be the key type. Can be either exchange or signature.

-pe

This makes the key exportable.


Note: - Makecert.exe is a free tool provided by Microsoft which helps to create X.509 certificate that is signed by a system test root key or by another specified key. This is a test certificate and not a real one and should not be used for production purpose. For production buy proper certificates from Thawte, Verisign, GeoTrust etc.
 

Currently we have specified that we want to create the client key with 'WcfClient' name and server key with 'WCFServer'. The certificates should be created for the current user and should be exportable.
 

Once you run the command you should see the 'Succeeded' message as shown in the below figure. Below figure shows keys created for both server and client.
 

Step 2 :- Copy the certificates in trusted people certificates
 

Go to start ? run and type MMC and press enter. You will be popped with the MMC console. Click on file ? Add/remove snap-in.
You will be popped up with a Add/Remove Snap-in , click on the add button , select certificates and select 'My user Account'.

You can see the certificates created for client and server in the personal certificates folder. We need to copy those certificates in trusted people ? certificates folder.

Step 3 :- Specify the certification path and mode in the WCF service web.config file
 

Now that we have created both the certificates we need to refer these certificates in our WCF project.

So we have created two projects one which has the WCF service and the other project is a web application which will consume the WCF service.

 

Let's open the web.config file of the WCF service and enter two important things:-
. Where the certificate is stored, location and how WCF application should find the same. This is defined using 'serviceCertificate' tag as shown in the below snippet.
. The 'certificationvalidationmode' defines how client certificates will be authenticated.
 

Certification validation mode

Description

Chain trust

In this situation the client certificate is validated against the root certificate.

Peer trust

PeerTrust ensures that the public key portion of the certificate is in the Trusted People certificate folder on the clients computer

ChainORPeertrust

This is just a OR condition for both chain and peer.

The above two points is clubbed together and entered in the web.config file of the WCF service.
 







Step4 :- Define bindings
 

Now that we have defined our certificates and authentication type we need to define that the authentication values will be sent through message using certificates. You can see we have defined the 'WsHttpBinding' with message attribute specifying that the WCF client needs to send a certificate for validation.










Step5 :- Tie up the bindings with end point
 

Once done we need to tie up this binding with the end point. This is done by using 'bindingConfiguration' tag as shown in the below code snippet.
 


Step 6 :- Make your web application client for consuming the WCF service
 

That's all we need to from the WCF service perspective. So compile the WCF service and reference the same in the ASP.NET web application using 'Service reference'. Below is the code snippet where we have referenced the service and called the 'GetData' function of the service/
 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebConsumer.ServiceReference1;
namespace WebConsumer
{
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
Service1Client obj = new Service1Client();
Response.Write(obj.GetData(12));
}
}
}

Now if you try to run the client i.e. the web application as it is you should get an error as shown below. The error clearly indicates you can not use the WCF service until you do not provide the client certificate.
 

Step 7 :- Define certificates in WCF client
 

So lets start the process of defining certificates in the WCF client. The way we have defined authentication certification mode and the path of the certificate, in the same way we need to define it for WCF client. You can see we have defined the authentication mode as 'peertrust' and we have specified the client certificate name as 'WcfClient'.
 













Step 8 :- Tie up the behavior with end point on WCF client
 

We need to tie up the above defined behavior with the end point. You can see we have bounded the behavior using 'behaviorConfiguration' property. We also need to specify that the DNS value will be 'WcfServer' which your server certificate name..
 








Step 9 :- Enjoy your hard work
 

Once we are done you can run the ASP.NET web and you should see the below display.
 

Download code
 

You can download both the server and client code  from the link at bottom of this article


 Subscribe to Articles

     

Further Readings:

Responses

No response found. Be the first to respond this post

Post Comment

You must Sign In To post reply
Find More Articles on C#, ASP.Net, Vb.Net, SQL Server and more Here

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend