I have a WPF and WCF app that requires installing the certificate (.pfx) on the client side so that the WPF client can call the WCF service.

Now, how can I prevent the client from exporting the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?

+1  A: 

Generate Certs for WCF

  1. Generate a Certificate Authority Cert

    makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer

    -r   Create a self-signed certificate
    -pe  Mark the generated private key as exportable
    -ss  Subject's certificate store name that stores the output certificate
    -sr  Subject's certificate store location

The file pops up in the personal certs store of the machine you generate the cert from.

This is the file you will need to import into your server/client as a trusted root authority (right-click on the .cer file you created, choose Install Certificate, and put it into Trusted Root Certification Authorities).

  2. Generate Server Cert

You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on: open mmc >> Certificates add-in >> Personal >> click on the cert >> right-click >> All Tasks >> Export >> select "Yes, export the private key" >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx

Install this cert into the Personal Store of the server machine and use it to host the service.

  3. Create Client Cert

Create server certificate from CA machine. This will generate a cert file with the private key embedded:

    makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "MyCA" -is my -ir localMachine TestPublicCert.cer

Take this .cer file and install it on the client machine in the Trusted People store.

  4. Recap

    Create a CA cert (or use the one you already have if you purchased one).
    From the CA, export a .pfx file that is password protected (Private Cert).
    Create a Public Cert from the CA cert (Public Cert).

    Then:

    Install the CA.cer into the Trusted Root Certification Authorities store on client and server.
    Install the Private.pfx file into the Personal store of the server.
    Install the Public.cer into the Trusted People store of the client.

    Ready to go.
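The same three-step procedure, written as an added example with the PKI module cmdlets that replaced makecert (New-SelfSignedCertificate, Export-Certificate, Export-PfxCertificate, Import-PfxCertificate, Windows 10 / Server 2016 and later); it is not the answer's own code. It also addresses the question above: a key imported with Import-PfxCertificate without the -Exportable switch is stored as non-exportable, so the store refuses to export it again with its private key. Subject names, file paths and the password variable are placeholders chosen for this example.

```powershell
# Added example, not part of the original answer. Run in an elevated
# PowerShell session; Cert:\LocalMachine\My is the machine Personal store.
# Placeholders: CN=MyCA, CN=server.example.test, CN=ClientCert, C:\certs.

# --- On the CA machine -------------------------------------------------------

# 1. CA certificate. The CA key stays here and is never distributed.
$ca = New-SelfSignedCertificate -Subject "CN=MyCA" `
    -KeyUsage CertSign, CRLSign `
    -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(5)

# Public half only (.cer): this goes into Trusted Root on client and server.
Export-Certificate -Cert $ca -FilePath C:\certs\MyRootPublicCert.cer

# 2. Server certificate signed by the CA, exported WITH its private key
#    so it can host the service from the server's Personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$server = New-SelfSignedCertificate -Subject "CN=server.example.test" `
    -Signer $ca `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `  # serverAuth EKU
    -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $server -FilePath C:\certs\ServerPrivateKeyCert.pfx `
    -Password $pfxPassword

# 3. Client certificate signed by the CA. The .pfx is what gets delivered to
#    the client machine; the public .cer goes into the server's Trusted People.
$client = New-SelfSignedCertificate -Subject "CN=ClientCert" `
    -Signer $ca `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `  # clientAuth EKU
    -CertStoreLocation Cert:\LocalMachine\My
Export-PfxCertificate -Cert $client -FilePath C:\certs\ClientCert.pfx `
    -Password $pfxPassword
Export-Certificate    -Cert $client -FilePath C:\certs\ClientPublicCert.cer

# --- On the client machine ---------------------------------------------------

# Import WITHOUT -Exportable: the key storage provider marks the private key
# non-exportable, so a later export of the .pfx from the store is refused.
Import-Certificate    -FilePath C:\certs\MyRootPublicCert.cer `
    -CertStoreLocation Cert:\LocalMachine\Root
$imported = Import-PfxCertificate -FilePath C:\certs\ClientCert.pfx `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword
Remove-Item C:\certs\ClientCert.pfx   # leave no exportable copy on disk

# Check: an export attempt from the store must now fail.
function Test-KeyNotExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        Export-PfxCertificate -Cert $Cert -FilePath "$env:TEMP\probe.pfx" `
            -Password $pfxPassword -ErrorAction Stop | Out-Null
        Remove-Item "$env:TEMP\probe.pfx"
        return $false   # export succeeded: key is still exportable
    } catch {
        return $true    # export refused: key is non-exportable
    }
}
Test-KeyNotExportable -Cert $imported   # expected: True
```

Two caveats a practitioner should keep in mind. First, the non-exportable flag is enforced by the software key storage provider, not by hardware: whoever has the original .pfx and its password, or local administrator rights on the client, is not stopped by it, so the file should be delivered once and deleted as above. Second, if the requirement is really that the key cannot leave one machine, generate it there inside a TPM or smart card (a hardware key storage provider) and issue the certificate from a request instead of shipping a .pfx at all.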

MetalLemon
Sorry, but can you please clarify in more detail?
Which part is causing confusion?
MetalLemon
So weird... when I logged in an hour ago I could only see this as your answer: "Generate Certs for WCF 1. Generate a Certificate Authority Cert"