views: 98
answers: 0

Hello, I've created a WCF service that should be consumed outside my domain, so I decided to use WSHttpBinding with certificate authentication and message security.

I created a self-signed certificate named "Test And Dev Root Authority" using makecert and with it I signed two other certificates using the same tool, like this:

rem Both certificates are issued by the root created earlier (-in/-is/-ir select it in the LocalMachine\My store).
rem -sky exchange = RSA key usable for key exchange; -eku 1.3.6.1.5.5.7.3.1 = Server Authentication; -pe = exportable private key.
rem Server certificate; its CN must match the <dns value="..."/> identity configured on the client.
makecert -pe -n "CN=WcfServiceServer" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test And Dev Root Authority" -is my -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 WcfServiceServer.cer
rem Client certificate, created with the same options (so it also carries the Server Authentication EKU rather than Client Authentication, 1.3.6.1.5.5.7.3.2).
makecert -pe -n "CN=WcfServiceClient" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test And Dev Root Authority" -is my -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 WcfServiceClient.cer

On my PC, with MMC, I added the 3 certificates to Trusted People and Trusted Root Certification Authorities on the Local Machine account.

I called up the WCF service in IE and it was displayed correctly. I created a test app on another computer and added the service as a reference to it. I exported WcfServiceClient with the private key and imported it into the current user account on the second machine and added it to the trusted folders mentioned above.

My app.config section for the WCF part of the client app looks like this:

<system.serviceModel>
  <!-- The <bindings> section was not included in the post; it is reconstructed here from the
       description above (wsHttpBinding, message security, certificate client credentials). -->
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IServices">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://otherpc/WcfTest/Service.svc"
        binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IServices"
        contract="WcfTest.IServices" name="WSHttpBinding_IServices" behaviorConfiguration="CustomBehavior">
      <!-- Expected identity of the service; must match the CN of the service certificate -->
      <identity>
        <dns value="WcfServiceServer" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <!-- Client credential: the WcfServiceClient key pair in the current user's Personal store -->
          <clientCertificate findValue="WcfServiceClient" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" />
          <!-- How the client validates the service certificate it receives -->
          <serviceCertificate>
            <authentication certificateValidationMode="PeerTrust"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>

When I wanted to test the app on the second computer it failed, saying that the certificate WcfServiceServer was not in the Trusted People folder. I didn't expect that error. The only solution I found, in order to consume the service from the test app, was to also export the WcfServiceServer certificate, install it on the second machine and add it for the current user account in the Trusted People store.

Is it possible to avoid giving the WcfServiceServer certificate to the client, giving it just the WcfServiceClient certificate, and still have the app access the service correctly?

My second question is: in a production environment, should I buy an SSL certificate and with it generate the other two certificates (one for the service and one for the client) as above, and pass them to the client/server side following the steps described above?

Thank you in advance. I'm a total noob in WCF.
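The setup described in the post, as an added example that is not part of the original question: it recreates the three certificates with New-SelfSignedCertificate (the modern replacement for makecert), exports only what each side should receive, and then runs the two checks a WCF client performs depending on certificateValidationMode. PeerTrust requires the exact service certificate to be present in the TrustedPeople store of the store location the client process uses, which is why the post's client would not connect until WcfServiceServer.cer was installed there; ChainTrust only requires the issuing root in the Root store. The names match the post; the functions Test-PeerTrust and Test-ChainTrust and the file names are assumptions, and the script assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.

```powershell
# Added example, not code from the original post. Assumes an elevated session on
# Windows 10 / Server 2016+ (New-SelfSignedCertificate with -Signer and -TextExtension).

# Root CA ("Test And Dev Root Authority" in the post), kept on the issuing machine only.
$root = New-SelfSignedCertificate -Type Custom -Subject "CN=Test And Dev Root Authority" `
    -KeyExportPolicy Exportable -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=1") `
    -CertStoreLocation "Cert:\LocalMachine\My" -NotAfter (Get-Date).AddYears(5)

# Service certificate: EKU 1.3.6.1.5.5.7.3.1 (Server Authentication);
# CN and SAN match the <dns value="WcfServiceServer"/> identity in the client config.
$server = New-SelfSignedCertificate -Type Custom -Subject "CN=WcfServiceServer" -DnsName "WcfServiceServer" `
    -KeyExportPolicy Exportable -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -Signer $root -CertStoreLocation "Cert:\LocalMachine\My"

# Client certificate: EKU 1.3.6.1.5.5.7.3.2 (Client Authentication) is the usual
# choice for a client credential, unlike the post's makecert line, which reused 7.3.1.
$client = New-SelfSignedCertificate -Type Custom -Subject "CN=WcfServiceClient" `
    -KeyExportPolicy Exportable -KeyUsage KeyEncipherment, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -Signer $root -CertStoreLocation "Cert:\LocalMachine\My"

# What leaves this machine: the client's own key pair (PFX) and the PUBLIC parts of the
# service and root certificates (CER). The service's private key is never exported.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for WcfServiceClient"
Export-PfxCertificate -Cert $client -FilePath .\WcfServiceClient.pfx -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $server -FilePath .\WcfServiceServer.cer | Out-Null
Export-Certificate    -Cert $root   -FilePath .\TestAndDevRoot.cer   | Out-Null

function Test-PeerTrust {
    # PeerTrust passes only if this exact certificate (by thumbprint) is in the
    # TrustedPeople store of the location the client process uses; a desktop app
    # configured with storeLocation="CurrentUser" looks in the user's store, not LocalMachine.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Location = 'CurrentUser'
    )
    $match = Get-ChildItem "Cert:\$Location\TrustedPeople" | Where-Object Thumbprint -eq $Cert.Thumbprint
    return [bool]$match
}

function Test-ChainTrust {
    # ChainTrust passes if a chain builds from the leaf to a root in the Root store;
    # the leaf itself does not need to be copied to TrustedPeople.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Test certificates have no CRL distribution point, so skip revocation here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return $ok
}

# Run the same checks the WCF client would apply to the service certificate.
"PeerTrust  (WcfServiceServer in CurrentUser\TrustedPeople): " + (Test-PeerTrust -Cert $server)
"ChainTrust (root in a Root store, leaf not distributed):    " + (Test-ChainTrust -Cert $server)
```

Run on the issuing machine both checks report False until the corresponding store is populated: copy WcfServiceServer.cer into CurrentUser\TrustedPeople and Test-PeerTrust turns True, or copy TestAndDevRoot.cer into a Root store and Test-ChainTrust turns True. Repeating the two functions on the second machine against the imported WcfServiceServer.cer shows which of the two stores the client configuration actually depends on.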