I think there is a gap in my mental model of WCF authentication, and I'm hoping someone can help me fill it in.
So, I am creating a WCF service and want clients to authenticate using certificates and message-level security. I would like the service to verify them with a trust in the network so that I do not need every client certificate installed in the service. So far, I'm not interested in client service authentication.
Here is my understanding of what is needed for this:
- A client needs a certificate signed by a CA that is trusted on the service side.
- The service needs the CRL installed for this CA.
- The service configuration should include message protection, specify clientCredentialType = "Certificate", and trust the chain to verify the client certificate.
- The client configuration should include message protection, specify clientCredentialType = "Certificate" and endpoint behavior that tells how to find the client certificate in the store.
The client sends a request to the service by sending its certificate. The service sees that the client certificate is signed by a trusted CA and passes the request.
Now, all the step-by-step instructions for this process that I have found also include the step of creating a certificate for the service. None of them explain what it is for, which is what is leaving me confused. Why is a service certificate needed if I just want to authenticate clients?
certificate wcf client-certificates
user1454265
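As an added illustration of the four configuration points listed in the question (this is example configuration written for this page, not code from the question or from any WCF documentation), here is a service-side and a client-side `system.serviceModel` section for wsHttpBinding with message security and certificate client credentials. All names (`Example.OrderService`, `Example.IOrderService`, the subject names, the endpoint address) are placeholders, and the two configurations would normally live in the service's and the client's own config files.

```xml
<!-- ===== Service side (e.g. web.config / app.config of the host) ===== -->
<!-- Assumed service/contract names: Example.OrderService / Example.IOrderService -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="CertMessageBinding">
        <!-- Message-level security; the client proves itself with an X.509 certificate.
             negotiateServiceCredential="false" means the client must already hold the
             service certificate (see the client section) instead of negotiating it. -->
        <security mode="Message">
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <service name="Example.OrderService" behaviorConfiguration="CertAuthBehavior">
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="CertMessageBinding"
                contract="Example.IOrderService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="CertAuthBehavior">
        <serviceCredentials>
          <!-- The service's own certificate: the client encrypts the request to this
               key and verifies the signed response with it. Placeholder subject name. -->
          <serviceCertificate findValue="CN=orders.example.test"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- How presented client certificates are validated: chain to a CA in the
               machine's trusted root store, with revocation (CRL) checking turned on.
               "Online" fetches the CRL from the distribution point; use "Offline" to
               rely only on a CRL already installed/cached on the service machine. -->
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online"
                            trustedStoreLocation="LocalMachine" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- ===== Client side (app.config of the caller) ===== -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Must match the service binding exactly. -->
      <binding name="CertMessageBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <client>
    <endpoint address="http://orders.example.test/OrderService.svc"
              binding="wsHttpBinding"
              bindingConfiguration="CertMessageBinding"
              contract="Example.IOrderService"
              behaviorConfiguration="ClientCertBehavior">
      <!-- Expected identity of the service; must match the service certificate's CN. -->
      <identity>
        <dns value="orders.example.test" />
      </identity>
    </endpoint>
  </client>

  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientCertBehavior">
        <clientCredentials>
          <!-- Which certificate in the client's store is sent for authentication. -->
          <clientCertificate findValue="CN=client01.example.test"
                             storeLocation="CurrentUser"
                             storeName="My"
                             x509FindType="FindBySubjectDistinguishedName" />
          <!-- Because negotiateServiceCredential is off, the client must be told which
               service certificate to encrypt to, and how to validate it. -->
          <serviceCertificate>
            <defaultCertificate findValue="CN=orders.example.test"
                                storeLocation="CurrentUser"
                                storeName="TrustedPeople"
                                x509FindType="FindBySubjectDistinguishedName" />
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

Two things worth checking when deploying something like this: the process account hosting the service needs read access to the private key of the certificate referenced by `serviceCertificate`, and `ChainTrust` with `revocationMode="Online"` will reject a client whose CA's CRL cannot be reached, so a service that must work without outbound network access should install the CRL locally and use `Offline`.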