Search code examples
wcfwcf-securityx509certificate2

X509Certificate Implementation best practices

Firstly, Thanks to all those patient techies trying to help unknown people.

Secondly, I have a wcf service which should be consumed by only several clients (10) known to our company. This wcf service has the x509certificate "CN=ABCD". Now it expects to receive a certificate in turn from clients to consume this service. So here are the design questions

  1. Should I create one certificate "CN=ABCD" , then right click on it and export as pfx files and distribute them to Clients?
  2. Some say to validate in code and some say to validate in config which is better?
  3. How should I know which client is calling as the certificate has same name for all if my company distributes it?
  4. what is the difference between .cer file and .pfx file?
  5. When passing the certificate to clients, will I be giving both .cer and .pfx files?
  6. How should I be revocing only one client if it expires?
  7. My comapny already has a certificate like *.fdfd.org . Can I use this as my X509Certificate instead of generating one?

Many questions!
But due to lot frustration, I wanted to have the opinion of developers out there because I couldn't get the right info.

Solution
    • NO You must have separate certificate for the service and you should have one certificate for each client. Once you share private key of your service your security has gone.
    • You can either install public keys of client certificates to Machine\Trusted people (client with any trusted certificate will have access to your service) or you can use custom certificate validator (only message security - according to your previous question you probably use message security) to validate really only those 10 certificates.
    • This is only possible if you create separate certificate for each client. It is also possible to combine certificate with supporting user name and password but it requires very advanced WCF configuration and still sharing single certificate among multiple clients is a bad decision.
    • Certificate is just container for some information - keys for asymmetric encryption. .cer contains only public key which can be freely distributed - you will probably have to distribute .cer file of your service's certificate among clients. .pfx contains both public and private key and must be secured as much as possible. Once .pfx file is compromised the certificate is not secured any more and must be replaced. Because of that you must keep your service's .pfx (installed in certificate credential store) and each client must keep his .pfx.
    • If you create certificate for clients you will pass at least .pfx to them. Obviously once you send such certificate by unsecured email you seriously hurt the security.
    • If one client expires you will remove its certificate from trusted certificates. If you have your own certification authority (which you should have if you want to create certificates for clients)
    • If your service sits on fdfd.org you can probably use it but only for the service.