WCF and Client Certificates

Associate
Joined
2 Sep 2007
Posts
1,975
I've been reading this article about client certs and WCF - http://notgartner.wordpress.com/200...on-with-windows-communication-foundation-wcf/

I understand this article, but I'm not sure about this bit:

Truth be told, this isn’t exactly how it would work in a fully fledged production scenario.

What would actually happen is that the server and client would validate each other's identity by following a chain of trust associated with each certificate to a root certification authority which they both trusted (although it might be a different CA for each certificate as Windows can trust multiple). Over the Internet this might be a public one like VeriSign, or it could be a root CA inside the enterprise.

We have a root CA inside the enterprise. Does this mean that for a client to call a WCF service hosted on a server, the client needs to install a trusted root authority?
 
Associate
OP
Joined
2 Sep 2007
Posts
1,975
Thanks for the reply. So let me get this clear: if a client wants to consume the WCF service, they need to be given a certificate from the CA root authority, which needs to be installed on the client. And the fact that this cert has been issued by the CA means it is trusted by the server? Also, the root CA needs to be added to the trust stores?
 
Soldato
Joined
23 Feb 2009
Posts
4,976
Location
South Wirral
Yes, that's pretty much it. The critical thing is both sides need to find a shared root CA they both trust.

It depends on the client, but usually the likes of VeriSign, Thawte and so on will already be in the trust stores.
 
Soldato
Joined
6 Feb 2004
Posts
20,674
Location
England
Depending on how machines are deployed across your enterprise, it might already have the root CA pre-installed? A bit much to hope for, but you never know. :p
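
Added example, not part of any post above or of the linked article: a WCF configuration fragment showing the chain-of-trust setup the thread describes, with both sides validating the other's certificate against their own trusted root store. The behavior names and certificate subject names are placeholders; the two behaviors are shown in one block but belong in the service's and the client's config files respectively.

```xml
<behaviors>

  <!-- SERVICE config: how the server judges the client's certificate -->
  <serviceBehaviors>
    <behavior name="certServiceBehavior">
      <serviceCredentials>
        <!-- The service's own cert, issued by the enterprise CA (placeholder subject) -->
        <serviceCertificate findValue="service.example.internal"
                            storeLocation="LocalMachine" storeName="My"
                            x509FindType="FindBySubjectName" />
        <clientCertificate>
          <!-- ChainTrust: accept a client cert only if its chain builds to a
               root in this machine's Trusted Root Certification Authorities.
               PeerTrust would instead require every individual client cert to
               be placed in the server's Trusted People store.
               revocationMode="Online" also checks the CA's revocation data. -->
          <authentication certificateValidationMode="ChainTrust"
                          revocationMode="Online"
                          trustedStoreLocation="LocalMachine" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>

  <!-- CLIENT config: the cert the client presents, and how it judges the server -->
  <endpointBehaviors>
    <behavior name="certClientBehavior">
      <clientCredentials>
        <!-- Client cert with private key, issued by the enterprise CA
             (placeholder subject), installed in the user's Personal store -->
        <clientCertificate findValue="client01.example.internal"
                           storeLocation="CurrentUser" storeName="My"
                           x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <!-- The client must trust the root that issued the service's cert,
               so the enterprise root CA has to be in the client's root store -->
          <authentication certificateValidationMode="ChainTrust"
                          revocationMode="Online" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>

</behaviors>
```

With this setup the server does not need a copy of each client certificate, only the issuing root (and any intermediates) in its trust store; a client whose machine lacks the enterprise root will fail validation of the service certificate.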
 