WCF with netTcpBinding and Certificate transport security

2

3

I need to secure a WCF service that uses netTcpBinding and connects directly with a Windows Forms based application. I only need it to be secured at the transport layer.

I'm pretty sure that I have it working locally, i.e. I can run the service locally, and connect to it with the client.

When I try to set up the service so that it is running on a server as opposed to my local machine, I'm having certificate issues. The error log says that the certificate must have a private key that is capable of key exchange and that the process must have access rights for the private key.

I'm using a development certificate created using makecert.

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer

I must admit that I'm very new to using certificates. Does anyone have any pointers on how I can fix this, or a better way to use a certificate to add transport security to a WCF service using netTcpBinding?

Thanks.

Closed answered 21/5, 2009 at 14:51 Comment(3)
A couple of questions that may help. What OS is the server running on? How is the service hosted? (IIS/Self hosted) Are you wanting to use the same certificate from your development box on the test server or is this server going to be the real server? - Harts
It's self-hosted because the client is connecting directly to the Windows Forms app. - Decanter
Windows Server. Self hosted. It's not the real server, just a development server for internal testing. - Closed
6

Try this:

makecert -n "CN=MY COMPANY DEBUG" -pe -sky exchange Debug.cer -sv Debug.pvk
pvk2pfx -pvk Debug.pvk -spc Debug.cer -pfx Debug.pfx

You will then end up with three files, the .cer file (public key), the .pvk (private key), and the .pfx (key exchange with both). You can then install the .pfx file on the server like so:

certutil -p "" -importPFX Certificates\Debug.pfx

At the client end, you only need to install the .cer file. These installs (.cer and .pfx above) you can also do through the Certificates MMC snap-in (Start, Run, MMC.exe, then add the Certificates snap-in for the current machine).

Baobaobab answered 21/5, 2009 at 15:1 Comment(3)
I tried this and got the same error. How can I ensure that the process has access rights? - Closed
In the Certificates snap-in, you should be able to see your certificate under both Personal and Trusted People if the communication is on the same machine. Can you see it in both places? - Baobaobab
Should this be in the localmachine store? I have a feeling that I may be barking up the wrong tree with using these certs. I need to do more research on how they work, as I'm quite new to them. - Closed
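
The error message in the question names two conditions: an exchange-capable private key and access rights for the service process. The following is an added example, not part of the thread, that checks both on the server and grants read-only access to the key file. It assumes an elevated Windows PowerShell 5.1 session, the certificate in LocalMachine\My with a CSP key (the kind makecert creates), and a hypothetical service account name.

```powershell
# Added example; run elevated on the server after importing Debug.pfx.
$subject        = 'CN=MY COMPANY DEBUG'   # subject from the makecert command on this page
$serviceAccount = 'CONTOSO\svc-wcfhost'   # hypothetical: account the self-hosted service runs as

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in LocalMachine\My" }

# 1. The store entry must carry a private key (importing only the .cer does not).
if (-not $cert.HasPrivateKey) { throw 'No private key: import the .pfx on the server, not the .cer' }

# 2. The key must be an exchange key, which is what "-sky exchange" requests.
$info = $cert.PrivateKey.CspKeyContainerInfo
if (-not $info) { throw 'Private key is not a CSP key; this check assumes a makecert-style key' }
if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
    throw "Key type is $($info.KeyNumber); expected Exchange"
}
if (-not $info.MachineKeyStore) { throw 'Private key lives in a user profile, not the machine key store' }

# 3. Locate the key file and list who can currently read it.
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 4. Grant the service account Read (nothing broader) if it has no Allow entry yet.
$hasEntry = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $serviceAccount -and $_.AccessControlType -eq 'Allow'
}
if (-not $hasEntry) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $serviceAccount"
}
```

The same permission can be set interactively in the Certificates snap-in via the certificate's All Tasks, Manage Private Keys dialog.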
0

Read this (covers https case but still may help) and this.

Since we are talking about transport-level security, I don't think your server process should know anything about the certificate you are using to provide it.

Decanter answered 21/5, 2009 at 15:0 Comment(2)
But don't I have to specify a certificate when using certificate based transport security for the service? - Closed
On the server side you have to associate it with the port you are using for SSL. On the client, you import the certificate to the Trusted People store to indicate you are ready to communicate sensitive data to whoever identifies himself with this certificate. - Decanter
