Groups | Blog | Home
all groups > dotnet web services enhancements > may 2007 >

dotnet web services enhancements : WSE 3.0 - How to issue Digital Certificates to Client Applications



MarkH
5/24/2007 12:48:02 AM
I was doing some research into using X509 certificates to implement message
level security and watched the MSDN .NET Nugget session on the topic, I could
see how to install the certificates that came with WSE 3.0 (for dev purposes)
which is fine, the problem I have (relating to certificate issuing and
client app deployment) is as follows:

1) In a real world situation you would not want your users having to mess
about with .PFX or .CER certificate files and you certainly don’t want them
to have to install them using the MMC snap in for the certificate store
before they can use your application so how do you interact with the
certificate store programmatically?

2) How do you pass the servers public key to the client app and how do you
get it into the users certificate store?

Could you include the .CER file with the application installer and install
it into the certificate store (in code) when you install the application with
a custom Install class?
I assume you can use a certificate for the server like one you would use in
a standard SSL scenario?

3) How do you generate the client certificate (there could be hundreds or
even thousands of clients)

4) Once you have generated a client certificate how do you get it on to the
users machine and installed into the users certificate store?

Any help much appreciated.

Mark Baldwin
6/6/2007 10:30:10 PM
I too would like to know the answers to these questions!

I am new to WSE3.0 but may be able to help you a bit...

Installing certificates on the users machine can be done by sending them a
password encrypted .pfx file, one for the server certificate and another for
the client. They then double click on it and follow the import wizard
instructions. Of course you have sent the .pfx file password seperately. Not
ideal by any means, they will also have to select which certificate store to
install the certificate which is different for both the client and server
certificates.

Are you sure you need thousands of client certificates? What I am doing and
I don't know if this is the best way, but I just use the client/service
certificates to secure the link to the server. Identifing the client is done
by them logging in, in a normal way, sending a username/password which
authenticates them. Since the entire link from client machine to server is
encrypted you don't have to worry about sending passwords over the link
(unlike SSL where the client data is sent over the LAN unencrypted before
being encrypted for sending out of the building).

There is alot of information at
http://msdn2.microsoft.com/en-us/library/aa480545.aspx
--
Best regards
Mark

[quoted text, click to view]

Got something to say? Click here to post a reply to this thread.
Don't see what you're looking for? Try a search.
View other messages about dotnet web services enhancements
AddThis Social Bookmark Button
View Other Months
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
home · blog · groups Questions? Comments? Contact the dn