
WCF Security - Certificates

I have a question about WCF security. I don't have a specific problem but more of a general question.

If I create a WCF service and it's protected using certificates, does every client that uses that service need to have the corresponding client certificate?

For instance if I have a Winforms client application that talks to the WCF service (which uses certificates), does the client have to have that matching client cert? - or can the client communicate without having the certificate installed?

Thanks.

You might be confusing server certificates with client certificates. It's not clear which you mean when you say the service is "protected by certificates". Both server and client certificates can "protect" a service, though in different ways - a server certificate by encrypting communications, client certificates by restricting service only to authorised clients.

A setup using only a server certificate is similar to any website served over HTTPS - only the server has a certificate "installed" (meaning it has the certificate's private key). Although the clients don't have their own certificates, the server transmits its own certificate to them and they can verify the server's identity with it, assuming they trust the authority that signed the certificate. Additionally, once server identity is established, the certificate provides the basis for encrypting the session between client and server.

So far in this story, there's been no client authentication: although the clients know they're talking to the server they intend (thanks to the server certificate), and all communication is encrypted, there's no way for the server to validate the identity of clients connecting to it. Client certificates are one way of performing client authentication; a more familiar alternative is usernames and passwords.

To use client certificates, each client must have a valid certificate and private key, which won't be the same as the server's certificate. Again, the server doesn't necessarily store a local copy of these certificates - they're exchanged during the security handshake.

"Valid" in this context means acceptable as a means of identity to the server, using some established criteria (e.g. a whitelist of client certificates, or requiring that client certificates be issued by a particular authority). While it's often acceptable for clients simply to trust the chain of certificate authorities up to a trusted root in order to accept a server certificate as valid, there must be some additional restrictions imposed on acceptable client certificates to be useful for authentication - it wouldn't be helpful in most cases to allow any arbitrary client with a trusted certificate to connect to a service configured to authenticate clients using client certificates.
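The two setups described above, expressed as WCF configuration, as an added example that is not part of the original answer: one endpoint that presents only a server certificate, and one that additionally requires a client certificate and enforces the "whitelist of client certificates" criterion through a custom `X509CertificateValidator`. The `ICalculator` contract, the `service.example` host name and the thumbprint constants are placeholders assumed for illustration; the certificates themselves must already exist in the Windows certificate stores.

```csharp
// Added example (not from the original answer): server-certificate-only versus
// client-certificate-required WCF endpoints, plus an allow-list validator.
// Thumbprints, the host name and the ICalculator contract are placeholders.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    int Add(int a, int b);
}

public class Calculator : ICalculator
{
    public int Add(int a, int b) => a + b;
}

// Accept only client certificates whose thumbprints are on an explicit allow-list.
// Chain validity alone would admit any certificate issued by a trusted CA, which is
// exactly the "any arbitrary client" case the answer warns about.
public sealed class ThumbprintWhitelistValidator : X509CertificateValidator
{
    private readonly string[] allowed;

    public ThumbprintWhitelistValidator(params string[] allowedThumbprints) => allowed = allowedThumbprints;

    public override void Validate(X509Certificate2 certificate)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException("Client certificate chain is not valid.");
        }
        foreach (var thumb in allowed)
            if (string.Equals(thumb, certificate.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return;
        throw new SecurityTokenValidationException("Client certificate is not on the allow-list.");
    }
}

public static class Program
{
    // Placeholders: replace with the thumbprints of certificates in the local stores.
    const string ServerThumbprint = "PLACEHOLDER_SERVER_THUMBPRINT";
    const string AllowedClientThumbprint = "PLACEHOLDER_CLIENT_THUMBPRINT";

    public static void Main()
    {
        // Message security exchanges certificates inside the SOAP messages, so a
        // self-hosted service needs no HTTP.SYS/IIS TLS certificate binding.
        var binding = new WSHttpBinding(SecurityMode.Message);
        // Server certificate only: clients verify the server but are not authenticated.
        // binding.Security.Message.ClientCredentialType = MessageCredentialType.None;
        // Client certificates required: every caller must present its own certificate.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        using (var host = new ServiceHost(typeof(Calculator), new Uri("http://localhost:8000/calc")))
        {
            host.AddServiceEndpoint(typeof(ICalculator), binding, "");
            // The server holds the private key for its own certificate.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServerThumbprint);
            // Restrict which client certificates count as "valid".
            host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.Custom;
            host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
                new ThumbprintWhitelistValidator(AllowedClientThumbprint);
            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
        }
    }

    // Client side when client certificates are required: the client needs its own
    // certificate and private key, distinct from the server's.
    public static int CallWithClientCertificate(string clientThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // The DNS identity must match the subject name of the server certificate.
        var address = new EndpointAddress(new Uri("http://localhost:8000/calc"),
            EndpointIdentity.CreateDnsIdentity("service.example"));
        var factory = new ChannelFactory<ICalculator>(binding, address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);
        // The server certificate is still checked by chaining it to a trusted root
        // (the default ChainTrust validation mode on the client).
        ICalculator channel = factory.CreateChannel();
        return channel.Add(2, 3);
    }
}
```

Switching the commented `MessageCredentialType.None` line back in gives the HTTPS-like arrangement from the answer: the client still verifies the server's certificate, but the `ThumbprintWhitelistValidator` is never consulted because no client certificate is presented. With `MessageCredentialType.Certificate`, a client that has no certificate installed, or whose certificate is not on the allow-list, is rejected during the security handshake before `Add` is ever invoked.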

Mr. Frost, let me help you by first stating a short sequence of how certificates work; this is important:

  1. A browser (here browser is a client, it can be any other client) requests a secure page (usually https://).
  2. The web server sends its public key with its certificate.
  3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
  4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
  5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
  6. The web server sends back the requested html document and http data encrypted with the symmetric key.
  7. The browser decrypts the http data and html document using the symmetric key and displays the information.

Now, what is the difference between a client and a server cert? For this, refer to the Link.

Now, answering your question "does the client have to have that matching client cert": yes, it does; the concept does not work without that.
