Hi everyone
I was wondering if someone could help. We have an app and web services that we have built; the web services are secured using WSE 3.0 with certificate-based authentication. Whilst everything has been developed we have been using test certificates, but now we are getting close to the deployment stage.
I have been trying to look for some information on how to use certificate-based security in a production environment, but really can't find a great deal. I have been speaking to Verisign to get a certificate that can be used, but when it comes to deploying that certificate my mind is hitting a brick wall. Also, this application will be deployed via ClickOnce.
Can anyone help, or has anyone already used WSE 3.0 certificate security in a production smart client environment?
Any help would be much appreciated.
Thanks in advance.
Dan

Deploying certificates for WSE 3.0 web services
Hammer2
Hi guys, sorry to ask for more help. We now have our certificates from Thawte, but I'm still pulling my hair out here because I'm not sure of the best way of getting the private key down to the clients (the client machines are not in our control; they are just customers). I can put the certificate into the installation, but that will require the password to be put into the code, and this surely can't be the best way.
Thanks again
Dan
SolarWind
I assume simply telling the clients the cert password and prompting for it at install time is not an option.
You're really missing the main benefits of PKI and certificates by using a shared private key. The ideal thing to do is generate a unique private key on each client...
Bala_SSRS
Hi, yeah some information about the bootstrapper would be great.
Also, do you know if I am right in thinking that if we get a proper certificate from a verified authority like Verisign, we only need to deploy that certificate with the application, and we do not need a private key certificate? Currently we have a private key for the client and the server's public key deployed for the application in the test environment.
Many thanks
Dan
prasad_8104
The client application installs the cert fine but cannot connect to the web service until I register the client cert into the service policy (I'm using mutualCertificate11Security).
Is there a way to filter accepted client certificates by issuer rather than by user?
ramesha_ks
Hi Daniel,
It really depends on what your scenario is. If your client is going to sign the message in a MutualCertificate scenario, then yes, the client will need the private key. If this is a UsernameForCertificate scenario, then all you need is the server's public key deployed on the client and have the server's private key at the server.
If you are doing Kerberos, then you wouldn't need certificates at all.
Does this make things a little clearer? I believe there is information about certificates in the WSE docs on MSDN - let me know if you need help finding this link.
Thanks,
Sidd
SnowyT
Hi Sidd
Thanks for the reply. I have gone through all the documentation I can find on certificates to do with WSE. Right now the policy for the projects is set to sign and encrypt. If we do require the private key to be placed on the client, what would be the best mechanism for installing it? Would it be using the bootstrapper that Andrew mentioned?
Thanks for your help
Dan
Gabriel Vila
Hi
Telling the clients the password is pretty much the decision I came to. But unless I'm missing something, this seems like it would be a fairly standard implementation for people. I have found quite a few people on the internet asking the same question. Surely if I generate private key certificates on the clients they will not be trusted certificates.
Nassa
These are all interesting questions. Let me try and answer one that I think was brought up regarding bootstrapping the certificates:
Typically, for a policy like anonymousForCertificate, you don't need access to the service's private key on the client. All you need is the server's public key. However, even exchanging that seems to require some work. In WCF, there is a way to do this via TLSNego, where WS-Trust is used to mimic an SSL style of exchange, with the result being a symmetric key that both parties have agreed upon.
WSE 3.0 unfortunately doesn't implement TLSNego, but it wouldn't be impossible to do so using the extensibility points.
The other issue around getting the certificate (with the private key) to the client is a certificate provisioning issue that is really outside the scope of the product. The only real way is through some sort of distribution where the client does end up with an X.509 that has its private key, that is indeed trusted by the server.
I don't know if I'm capturing all the questions above, so if there are some that I missed, please let me know.
Thanks,
Sidd
HumbleServant
You can make a bootstrapper for the ClickOnce application; in the bootstrapper, you can install the certificate on the client machine.
Of course, administrative permission is needed to run the bootstrapper, but the bootstrapper only needs to be run the first time.
If you think the bootstrapper solution meets your requirements, I can help you.
EtherealSky
Correct. I'm in the middle of this decision process myself. We have an internal Certificate Authority, and the plan is to sign the client's cert before they can use the service. This adds some delays to user creation, but it eliminates the need for sending any sort of shared secret (the private key in your case) over the wire to the client. Since this is custom SOA software for a small business client, I'm hoping that extra work will be okay. In return, we get a cert that authenticates the specific user, and we can leverage that for signing and encryption of data.
The one mystery so far is whether it's possible to add a certificate to the proxy class using policy when the identity of the cert is not known at design time. I haven't been able to figure that out, so we're adding the cert in code (RequestSoapContext.Security.Tokens.Add) instead.
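Two points in this thread fit one worked example: Sidd's note that in a MutualCertificate scenario the client needs its own private key to sign while the service only needs the matching certificate to verify, and the question of accepting client certificates by issuer (an internal CA, as described above) rather than registering each user's certificate in the policy. The example below is added here and is not code from the thread or from WSE 3.0; it uses Go's standard library rather than .NET because it runs self-contained, and the CA names, user names and the SOAP-ish message body are constructed placeholders. Each client generates its own key pair and sends only a CSR, so no PFX password is ever shared; the service trusts whatever chains to the CA and then checks the request signature with the public key from that certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus the private key that belongs to it: the signing
// key for a CA, or the key that never leaves the machine for a client.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate (the name is a constructed placeholder).
func newCA(name string) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert: cert, key: key}, err
}

// enroll models per-client provisioning: the client generates its own key pair and a
// CSR; the CA checks the CSR signature (proof of possession of the private key) and
// issues a certificate. Only the public key crosses the wire.
func enroll(ca *identity, name string, serial int64) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert: cert, key: key}, err
}

// signRequest is the client side of a MutualCertificate-style exchange: the message
// digest is signed with the client's private key.
func signRequest(c *identity, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// verifyRequest is the service side. Trust is decided by issuer: any certificate that
// chains to the trusted CA with the clientAuth usage is accepted, so the policy need not
// list every user. The signature is then checked with that certificate's public key.
func verifyRequest(trustedCA, clientCert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return fmt.Errorf("client certificate not trusted: %w", err)
	}
	pub, ok := clientCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// demo enrolls one client under the trusted CA and one under an unrelated CA, then
// reports which signed requests the service accepts (all names constructed).
func demo() (trustedAccepted, rogueRejected, tamperRejected bool, err error) {
	ca, err := newCA("Internal CA (constructed)")
	if err != nil {
		return
	}
	other, err := newCA("Unrelated CA (constructed)")
	if err != nil {
		return
	}
	alice, err := enroll(ca, "alice", 1001)
	if err != nil {
		return
	}
	mallory, err := enroll(other, "mallory", 1002)
	if err != nil {
		return
	}
	msg := []byte(`<GetBalance account="42"/>`) // constructed request body
	sigA, err := signRequest(alice, msg)
	if err != nil {
		return
	}
	sigM, err := signRequest(mallory, msg)
	if err != nil {
		return
	}
	trustedAccepted = verifyRequest(ca.cert, alice.cert, msg, sigA) == nil
	rogueRejected = verifyRequest(ca.cert, mallory.cert, msg, sigM) != nil
	tamperRejected = verifyRequest(ca.cert, alice.cert, []byte(`<GetBalance account="43"/>`), sigA) != nil
	return
}

func main() {
	fmt.Println(demo()) // true true true <nil>
}
```

The service holds only the CA certificate, never any client's private key, and a certificate issued by a different CA is rejected before its signature is even looked at; the same split applies when mapping this onto a WSE policy, where the client-side token carries the private key and the service-side check is a chain validation against the issuer.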
Sarah21
Hi,
I have the same problem at the moment. Unfortunately, like you, I can't find a shred of information on how to get it solved. Any help would be appreciated.