tags:

views:

1495

answers:

2
Q: 

WCF with netTcpBinding and Certificate transport security

I need to secure a WCF service that uses netTcpBinding and connects directly with a Windows Forms based application. I only need it to be secured at the transport layer.

I'm pretty sure that I have it working locally, i.e. I can run the service locally, and connect to it with the client.

When I try to setup the service so that it is running on a server as opposed to my local machine, I'm having certificate issues. The error log says that the certificate must have a private key that is capable of key exchange and that the process must have access rights for the private key.

I'm using a development certificate created using makecert. 

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer

I must admit that I'm very new to using certificates. Does anyone have any pointers on how I can fix this, or a better way to use a certificate to add transport security to a WCF service using netTcpBinding?

Thanks.

A: 

Read this (covers https case but still may help) and this.

Since we are talking about transport-level security, I don't think your server process should know anything about certificate you are using to provide it.

Dmitry Ornatsky  2009-05-21 15:00:10
But don't I have to specify a certificate when using certificate based transport security for the service?
80bower  2009-05-21 15:08:17
On the server side you have to associate it with port you are using for SSL.On the client, you import the certificate to Trusted people store to indicate you are ready to communicate sensitive data to whoever identifies himself with this certificate.
Dmitry Ornatsky  2009-05-21 17:42:26
+3  A: 

Try this:

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer -sv Debug.pvk
pvk2pfx -pvk Debug.pvk -spc Debug.cer -pfx Debug.pfx

You will then end up with three files, the .cer file (public key), the .pvk (private key), and the .pfx (key exchange with both). You can then install the .pfx file on the server like so:

certutil -p "" -importPFX Certificates\Debug.pfx

At the client end, you only need to install the .cer file. These installs (.cer and .pfx above) you can also do through the Certificates MMC snap-in (Start, Run, MMC.exe, then add the Certificates snap-in for the current machine).

David M  2009-05-21 15:01:51
I tried this and got the same error. How can I ensure that the process has access rights?
80bower  2009-05-21 15:28:26
In the Certificates snap-in, you should be able to see your certificate under both Personal and Trusted People if the communication is on the same machine. Can you see it in both places?
David M  2009-05-21 16:28:43
Should this be in the localmachine store? I have a feeling that I may be barking up the wrong tree with using these certs. I need to do more research on how they work, as I'm quite new to them.
80bower  2009-05-21 17:17:28

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability