views:

1495

answers:

2

I need to secure a WCF service that uses netTcpBinding and connects directly with a Windows Forms based application. I only need it to be secured at the transport layer.

I'm pretty sure that I have it working locally, i.e. I can run the service locally, and connect to it with the client.

When I try to setup the service so that it is running on a server as opposed to my local machine, I'm having certificate issues. The error log says that the certificate must have a private key that is capable of key exchange and that the process must have access rights for the private key.

I'm using a development certificate created using makecert.

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer

I must admit that I'm very new to using certificates. Does anyone have any pointers on how I can fix this, or a better way to use a certificate to add transport security to a WCF service using netTcpBinding?

Thanks.

A: 

Read this (covers https case but still may help) and this.

Since we are talking about transport-level security, I don't think your server process should know anything about certificate you are using to provide it.

Dmitry Ornatsky
But don't I have to specify a certificate when using certificate based transport security for the service?
80bower
On the server side you have to associate it with port you are using for SSL.On the client, you import the certificate to Trusted people store to indicate you are ready to communicate sensitive data to whoever identifies himself with this certificate.
Dmitry Ornatsky
+3  A: 

Try this:

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer -sv Debug.pvk
pvk2pfx -pvk Debug.pvk -spc Debug.cer -pfx Debug.pfx

You will then end up with three files, the .cer file (public key), the .pvk (private key), and the .pfx (key exchange with both). You can then install the .pfx file on the server like so:

certutil -p "" -importPFX Certificates\Debug.pfx

At the client end, you only need to install the .cer file. These installs (.cer and .pfx above) you can also do through the Certificates MMC snap-in (Start, Run, MMC.exe, then add the Certificates snap-in for the current machine).

David M
I tried this and got the same error. How can I ensure that the process has access rights?
80bower
In the Certificates snap-in, you should be able to see your certificate under both Personal and Trusted People if the communication is on the same machine. Can you see it in both places?
David M
Should this be in the localmachine store? I have a feeling that I may be barking up the wrong tree with using these certs. I need to do more research on how they work, as I'm quite new to them.
80bower