I understand that if I want to use authentication in WCF then I need to install a certificate on my server which WCF will use to encrypt data passing between my server and client.

For development purposes I believe I can use the makecert.exe util. to make a development certificate.

What is the worst that can happen if I use this certificate on the production environment?

and...

Why can't I use this certificate on the production environment?

and ...

What is the certificate actually going to do in this scenario?

[Edit: Added another question]

finally...

In a scenario where the website has a certificate installed to provide HTTPS support can the same certificate be used for the WCF services as well?

Note on my application: It's a NetTCP client and server service. The users will log in using the same username and password which they use for the website, which is passed in clear text. I would be happy to pass the u/n + p/w in cleartext to WCF but this isn't allowed by the framework and a certificate must be in place. However, I don't want to buy a certificate due to budget constraints!

(Sorry for the possibly stupid question but I really don't understand this so would welcome some help with this).

+3  A: 

"What is the worst that can happen if I use this certificate on the production environment" Security will fail, failing your entire service.

"Why can't I use this certificate on the production environment?"
The Certificate Authority specified in your generated certificate is not known by clients, hence the certificate cannot be validated/used.

"What is the certificate actually going to do in this scenario?" The public key is used by clients to encrypt the communication. This will guarantee that only the owner of the private key (the server in this case) can decrypt it again (private-public keypairs are asymmetric encryption).

Hope this helps,

Marvin Smit
Thanks Marvin, so there are only a known amount of CAs in the world and the certificate must be generated by one of them? How will my WCF service know this is the case? Will the client using a Windows Forms application get any errors or anything? (Just trying to understand what *will* happen in this scenario).
RemotecUk
The amount of CAs is not fixed. Anyone could become a CA (in fact, when you use makeCert.exe you are the CA of that certificate). So, which CAs are known? They are installed into your Certificate store as 'being a CA'. This is pre-installed when you install 'Windows OS' for instance. CAs are also 'chaining', i.o.w. CA#1 can say, I trust CA#2 like I trust myself. This allows distribution of the CAs across the world. You can make a cert which is a CA certificate. You'll have to install that certificate on all clients as trusted CA, then you can use your dev cert as well.
Marvin Smit
+3  A: 
  1. A certificate needs to be issued by a so-called Certificate Authority to be trusted. Self signed certificates (created by makecert etc) are not trusted, and everybody that will browse to your website will receive an 'Invalid certificate' (more specific: 'The certificate is not trusted because it is self-signed') warning. So, worst case, people won't go to your site, because they don't trust it.

  2. You can use your self signed certificate in production, but it is not advisable for reasons explained above.

  3. The certificate is used to establish a secure connection (HTTPS) between the client and the server. Next to that, it is meant to verify the server's identity. The identity of your server can not be guaranteed if your certificate is self-signed.

  4. In IIS, if you install a certificate in a web site, all WCF services deployed under that web site are able to use the certificate.

In short, use a self-signed certificate for development (look into a tool called SSL Diagnostics for easy certificate generation in IIS), but really do use a production certificate for production!

Eric Eijkelenboom
+1 for the SSL Diagnostics tip
bob
+6  A: 

Well, nothing major will happen if you use a developer certificate in production environment, after all, a certificate is a certificate and the encryption it provides is the same as any commercial certificate.

However, as the certificate isn't signed by a trusted Certificate Authority, it doesn't guarantee to the client that you are you. Let me put this another way: if your service were a simple web page the browser would say the certificate is invalid.

A certificate to provide SSL in a web server is a certificate that tells the client that the domain is a trusted and verified domain, and that the Certificate Authority can vouch for it.

So, a certificate made by makecert.exe would be like you writing your name on a piece of paper and telling, say, an officer of the law, that this is your driver's license.

Paulo Santos
I like the analogy of the driving licence! So when I apply for the certificate the CA will visit my site and somehow prove that my site is legitimate and then issue the certificate?
RemotecUk
@actually no, it will not visit your site, however, it can vouch because only the administrator of a website can install the certificate.
Paulo Santos
Got it. But what is to stop me buying a certificate for www.abc.com and then installing it on www.xyz.com? I presume when the browser visits the site it will check that the site name being accessed matches the certificate name?
RemotecUk
@RemotecUk SSL certificates are issued only to a single DNS name (or for a wildcard). So the cert of `www.abc.com` won't be valid for `www.xyz.com` (and it won't even be valid for `abc.com`).
Regent
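
The name check discussed in the last two comments, as an added example that is not part of the original thread: a simplified version of the rule a TLS client applies when comparing the host it connected to against the DNS names in the server certificate. The function names and the sample host names are constructed for illustration; real clients apply further restrictions (for example on wildcards under public suffixes).

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """Return True if one certificate DNS name (pattern) covers host."""
    p, h = _labels(pattern), _labels(host)
    # A wildcard stands for exactly one label, so the label counts must
    # be equal; empty labels ("a..com") are never valid.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and at least
        # two fixed labels must remain (this rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are not honoured
    return p == h


def cert_valid_for(cert_dns_names, host):
    """A certificate is acceptable if any of its DNS names covers host."""
    return any(name_matches(n, host) for n in cert_dns_names)


def demo():
    # Constructed cases mirroring the thread: (certificate names, host).
    cases = [
        (["www.abc.com"], "www.abc.com"),
        (["www.abc.com"], "www.xyz.com"),
        (["www.abc.com"], "abc.com"),
        (["*.abc.com"], "www.abc.com"),
        (["*.abc.com"], "abc.com"),
        (["*.abc.com"], "a.b.abc.com"),
        (["abc.com", "www.abc.com"], "abc.com"),
    ]
    return [(names, host, cert_valid_for(names, host)) for names, host in cases]


if __name__ == "__main__":
    for names, host, ok in demo():
        print(f"{host:14} vs {names}: {'match' if ok else 'MISMATCH'}")
```

Name matching is separate from chain trust: a self-signed certificate can pass this check and still be rejected because its issuer is not in the client's trusted root store.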