In what certificate store should we put server's certificates
Question
Assume system S owns a certificate C . The following quote suggests that if C is to be used by S's service apps to authenticate themselves to clients, then C should be stored in LCS . But if C is to be used by S's client apps to authenticate themselves to a service, then C should be stored inside CUS :
• The local computer store (LCS). This contains the certificates accessed by machine processes, such as ASP.NET. Use this location to store certificates that authenticate the server to clients.
• The current user store (CUS). Interactive applications typically place certificates here for the computer's current user. If you are creating a client application, this is where you typically place certificates that authenticate a user to a service.
But next quote sort of negates the above, since it says if S's service is embedded in an application that runs under a user account, then certificate C should be stored inside CUS
Selecting where to store a certificate depends how and when the service or client runs. The following general rules apply:
• If the service is a Windows service, a service running in "server" mode without any user interface under a Network service account, use the local machine store. Note that administrator privileges are required to install certificates into the local machine store.
• If the service or client is embedded in an application that runs under a user account, then use the current user store.
a) what is meant by service being embedded within an application ? Is a WCF service running within Net. console application or within Asp.Net application considered to be embedded?
b) And why if app ( which embeds WCF service ) runs under the user account ( even if this account has admin priviliges ), should certificate be located in CUS ? Does that mean if it is located within LCS , then S ( aka client app trying to send this certificate to the server ) won't be able to locate certificate?
thank you
1 answers
solution1
2 ACCPTED 2010-11-24 21:08:09
a) A WCF service running within a .NET console application would be considered an "embedded" service according to that description. This is also referred to as a Self-hosted service.
If the service is running within an ASP.Net application, then it depends on what process is hosting the ASP.Net application, but normally that would be considered a service running in "server" mode.
b) In order for a service to authenticate itself to clients, the user under which the service process runs needs access to the private key corresponding to the certificate. The most convenient way to make this happen is to have the certificate (with private key) installed in the certificate store of the user that runs the process.
It is possible for an application running as any arbitrary user to access a certificate and private key stored in the local computer store as long as security permissions on them allow it.
It all boils down to the identity of the running process and whether it has permission to access the private key associated with the desired certificate.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.