tags:

views:

320

answers:

3
+3  Q: 

Developer certificate vs purchased certificate for WCF

I understsand that if I want to use authentication in WCF then I need to install a certificate on my server which WCF will use to encrypt data passing between my server and client.

For development purposes I believe I can use the makecert.exe util. to make a development certificate.

What is the worst that can happen if I use this certificate on the production environment?

and...

Why cant I use this certificate on the production environment?

and ...

What is the certificate actually going to do in this scenario?

[Edit: Added another question]

finally...

In a scenario where the website has a certificate installed to provide HTTPS support can the same certificate be used for the WCF services as well?

Note on my application: Its a NetTCP client and server service. The users will log in using the same username and password which they use for the website which is passed in clear text. I would be happy to pass the u/n + p/w in cleartext to WCF but this isnt allowed by the framework and a certificate must be in place. However, I dont want to buy an certificate due to budget constraints!

(Sorry for the possibly stupid question but I really dont understand this so would welcome some help with this).

+3  A: 

"What is the worst that can happen if I use this certificate on the production environment" Security will fail, failing your entire service.

"Why cant I use this certificate on the production environment?"
The Certificate Authority specified in your generated certificate is not known by clients, hence the certificate cannot be validated/used.

"What is the certificate actually going to do in this scenario?" The public key is used by clients to encrypt the communication. This will guarentee that only the owner of the private key (the server in this case) can decrypt it again (private-public keypairs are asymetric encryption)

Hope this helps,

Marvin Smit  2010-03-24 09:30:55
Thanks Marvin, so there are only a known amount of CA's in the world and the certificate must be generated by one of them? How will my WCF service know this is the case? Will the client using a Windows Forms application get an errors or anything? (Just trying to understand what *will* happen in this scenario).
RemotecUk  2010-03-24 09:36:08
The ammount of CA's is not fixed. Anyone could become a CA (in fact, when you use makeCert.exe you are the CA of that certificate). So, which CA's are known? They are installed into your Certificate store as 'being a CA'. This is pre-installed when you install 'Windows OS' for instance. CA's are also 'chaining', i.o.w. CA#1 can say, i trust CA#2 like i trust myself. This allows distribution of the CA's across the world.You can make a cert which is a CA certificate. You'll have to install that certificate on all clients as trusted CA, then you can use your dev cert aswell.
Marvin Smit  2010-03-24 19:22:57
+3  A: 

  1. A certificate needs to be issued by a so-called Certificate Authority to be trusted. Self signed certificates (created by makecert etc) are not trusted, and everybody that will browse to your website will receive an 'Invalid certificate' (more specific: 'The certificate is not trusted because it is self-signed') warning. So, worst case, people won't go to your site, because they don't trust it.

  2. You can use your self signed certificate in production, but it is not advisable for reasons explained above.

  3. The certificate is used to establish a secure connection (HTTPS) between the client and the server. Next to that, it is meant to verify the server's identity. The identity of your server can not be guaranteed if your certificate is self-signed.

  4. In IIS, if you install a certificate in a web site, all WCF services deployed under that web site are able to use the certificate.

In short, use a self-signed certificate for development (look into a tool called SSL Diagnostics for easy certificate generation in IIS), but really do use a production certificate for production!

Eric Eijkelenboom  2010-03-24 09:38:19
+1 for the SSL Diagnostics tip
bob  2010-05-03 10:44:38
+6  A: 

Well, nothing major will happen if you use a developer certificate in production environment, after all, a certificate is a certificate and the encryption it provides is the same as any commercial certificate.

However, as the certificate isn't signed by a trusted Certificate Authority, it doesn't guarantee to the client that you is you. Let me put this in another way: if your service were a simple web page the browser would say the certificate is invalid.

A certificate to provide SSL in a web server, is a certificate that tells the client that the domain is a trusted and verified domain, and that the Certificate Authority can vouch for it.

So, a certificate made by makecert.exe would be as like you writing your name in a piece of paper and telling, say an officer of the law, that this your driver's license.

Paulo Santos  2010-03-24 09:39:55
I like the analogy of the driving licence! So when I apply for the certificate the CA will visit my site and somehow prove that my site is legitimate and then issue the certificate?
RemotecUk  2010-03-24 09:44:08
@actually no, it will not visit your site, however, it can vouch because only the administrator of a website can install the certificate.
Paulo Santos  2010-03-24 10:03:45
Got it. But what is to stop me buying a certificate for www.abc.com and then installing it on www.xyz.com? I presume when the browser visits the site it will check that the site name being accessed matches the certificate name?
RemotecUk  2010-03-24 10:24:42
@RemotecUk SSL certificates are issued only to a single DNS name. (or for a wildcard) So the cert of `www.abc.com` won't be valid for `www.xyz.com` (and it even won't be valid for `abc.com` as well)
Regent  2010-03-24 11:02:31

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL