I need to provide mutual authentication using TLS protocol in my server-client communication. Now under development, client and server run on the same machine. My colleague created one certificate (.pfx file) for me. As it is a two-way authenticate, server and client have to authenticate each other.
The thread Mutual authentication in SSL/TLS discussed in which certificate store a certificate should be located on the server side or the client side. Now I am confused: as I only have one certificate, I don't know whether it is a client certificate or a server certificate. Can I use one certificate for both, and if so, where should I locate this certificate for both server and client?
Thank you for your help!
You can use a certificate for both ways; however, what's the problem with generating a standalone certificate (even self-signed) for client authentication?
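The setup the question describes, as an added example that is not from the original thread: one self-signed PFX (assumed to be dev.pfx with password "pfx-password") is used as both server and client certificate over SslStream, and each side pins the peer's thumbprint so nothing has to be imported into a certificate store while both ends run on the same machine.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example: one self-signed PFX (assumed dev.pfx / "pfx-password") is both server and client cert.
// Both sides pin its thumbprint, so nothing must be installed in the Windows trust store in development.
static class MutualTlsDemo
{
    static readonly X509Certificate2 Cert = new X509Certificate2("dev.pfx", "pfx-password");
    // Peer validation used by BOTH sides: accept only our one known certificate, never "none".
    static bool PinnedPeer(object s, X509Certificate cert, X509Chain chain, SslPolicyErrors e)
        => cert != null && string.Equals(new X509Certificate2(cert).Thumbprint, Cert.Thumbprint,
                                         StringComparison.OrdinalIgnoreCase);
    // Client-side selection: always offer our certificate, whatever issuer list the server sent.
    static X509Certificate PickLocal(object s, string host, X509CertificateCollection local,
                                     X509Certificate remote, string[] issuers) => Cert;

    static async Task RunServer(TcpListener listener)
    {
        using (var tcp = await listener.AcceptTcpClientAsync())
        using (var tls = new SslStream(tcp.GetStream(), false, PinnedPeer))
        {
            // clientCertificateRequired = true is what makes this mutual authentication.
            await tls.AuthenticateAsServerAsync(Cert, true, SslProtocols.Tls12, false);
            Console.WriteLine("server: mutually authenticated = " + tls.IsMutuallyAuthenticated);
        }
    }

    static async Task RunClient(int port)
    {
        using (var tcp = new TcpClient("127.0.0.1", port))
        using (var tls = new SslStream(tcp.GetStream(), false, PinnedPeer, PickLocal))
        {
            // targetHost is not checked here because PinnedPeer replaces the default name check.
            await tls.AuthenticateAsClientAsync("localhost",
                new X509Certificate2Collection(Cert), SslProtocols.Tls12, false);
        }
    }

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Task.WaitAll(RunServer(listener), RunClient(port)); // both ends in one process for the demo
    }
}
```

Pinning by thumbprint is only reasonable while the certificate is a development artifact; once server and client get their own certificates, the callback should validate the chain instead.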
Related
We have a client that has their own PKI infrastructure and assigns private certs to use as SSL client authentication for application access to their REST APIs.
I need to be able to use a client cert with SslStream and not have it choke that it is not trusted. Users will not be educated enough to know how to add CA certs to their local trusted cert store. Plus, most would not have the access to do so either.
The client application is being written in .Net 4.6.1
What do I need to do to get SslStream not to throw an exception with a locally untrusted client certificate?
Have you looked at the constructor that accepts a certificate validation callback method? https://msdn.microsoft.com/en-us/library/ms145057(v=vs.110).aspx Seems like that's what you are asking to do.
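One way to fill in the callback the answer links to, as an added example that is not from the original thread: assuming the customer's private root CA certificate ships inside the application as customer-root.cer (an assumption), this callback accepts a peer certificate that chains to that private root without anything being imported into the user's certificate store, and rejects every other kind of error.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: validate against a private root CA bundled with the application
// (assumed file: customer-root.cer) instead of the Windows trusted root store.
static class PrivatePkiValidator
{
    static readonly X509Certificate2 PrivateRoot = new X509Certificate2("customer-root.cer");

    // Pass this as the userCertificateValidationCallback argument of the SslStream constructor.
    public static bool Validate(object sender, X509Certificate cert, X509Chain presented,
                                SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;           // platform already trusts it
        // Only an untrusted-chain error may be overridden; a name mismatch or no cert never is.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null) return false;

        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(PrivateRoot);               // our root, not in any store
        foreach (var el in presented.ChainElements)                  // intermediates the peer sent
            chain.ChainPolicy.ExtraStore.Add(el.Certificate);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private PKI: no public CRL
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(new X509Certificate2(cert))) return false;  // expiry, signature, usage...

        // AllowUnknownCertificateAuthority only tolerates an unknown root; we additionally
        // require that the chain ended at OUR root and that nothing else was flagged.
        foreach (var s in chain.ChainStatus)
            if (s.Status != X509ChainStatusFlags.UntrustedRoot) return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, PrivateRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Because the application ships the root, rotating or revoking that root means shipping an update; the callback deliberately keeps name checks and missing-certificate errors fatal so it cannot be used as a blanket "trust everything".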
I am required to create a two-way mutual handshake between a desktop client and WCF Service. I am using a Let's Encrypt Server Certificate on my Server but open to use Self Signed Certificate as well.
I wish to generate a Client Certificate and install it on the client's machine after successful authentication via OTP. The idea is to authenticate/authorize the desktop app for further communication with the server.
After a bit of research I found that OpenSSL.Net enables creating certificates.
From my .net client code, is there a way to obtain details about an SSL certificate being used by a WCF service? Assuming I can already connect successfully over SSL to the service.
I am hoping to report the expiration date of the server certificate on a dashboard. If the certificate has been updated / renewed since the last time the client communicated with the service, I'm trying to detect that as well.
Let's also assume the server cert is a real public cert from GoDaddy etc., i.e. the cert would not have been explicitly imported into the client store already.
Any thoughts? I was thinking I might find somewhere in System.ServiceModel.ClientBase that I could find this after opening a connection but haven't found anything yet.
Thanks!
Easiest way would probably be to just implement a certificate validation callback on the client so that you can have a chance to look at the SSL certificate provided by the server before it is trusted by the client:
http://msdn.microsoft.com/en-us/library/aa702579(v=vs.110).aspx
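The approach the answer suggests, as an added example that is not from the original thread: a ServicePointManager callback installed before the WCF channel is opened records the server certificate's expiry for the dashboard and flags a renewal, while returning the platform's own trust verdict unchanged. ServiceHost is an assumed value standing in for the service's host name.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: observe the server certificate the WCF client receives, record its expiry
// and flag a renewal, without altering the trust decision. ServiceHost is assumed.
static class ServerCertMonitor
{
    const string ServiceHost = "service.example.com"; // assumed: the WCF service's host name
    static string lastThumbprint;                     // certificate seen on the previous handshake
    public static DateTime? ExpiresUtc;               // NotAfter of the most recent certificate
    public static bool RenewedSinceLastHandshake;

    // Call once, before opening the channel. Plain assignment (not +=) keeps exactly one
    // callback, so the boolean this method returns is the one the runtime uses.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Observe;
    }

    static bool Observe(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        var req = sender as HttpWebRequest;           // the WCF HTTP bindings pass the request here
        if (cert != null && req != null &&
            string.Equals(req.RequestUri.Host, ServiceHost, StringComparison.OrdinalIgnoreCase))
        {
            var c = new X509Certificate2(cert);
            ExpiresUtc = c.NotAfter.ToUniversalTime();
            RenewedSinceLastHandshake = lastThumbprint != null &&
                !string.Equals(lastThumbprint, c.Thumbprint, StringComparison.OrdinalIgnoreCase);
            lastThumbprint = c.Thumbprint;
            Console.WriteLine("{0}: cert {1} expires {2:u}, issuer {3}",
                              req.RequestUri.Host, c.Thumbprint, ExpiresUtc, c.Issuer);
        }
        // Observe only: an invalid chain, wrong host name or missing certificate stays rejected.
        return errors == SslPolicyErrors.None;
    }
}
```

The callback runs only when a new TLS handshake is negotiated, so a reused keep-alive connection will not re-report; that is why renewal is detected by comparing thumbprints across handshakes rather than per service call.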
I'm using a Winforms client to connect to a WCF service hosted in IIS. The Winforms application will be available to customers to download and install on their computers. The customers have to login to the application using their username/passwords. I want a secure HTTPS enabled communication between the client application and the WCF. What is the best practice to provide such a functionality? Should I use client certificates or just a server certificate? Any input is much appreciated.
Thanks.
You have to have a server certificate.
If you want stronger authentication you can use client certificates. There is a certificate administration overhead and potentially other costs to that though: using certificates from a provider, generating them yourself, maintaining a list of revocations and so on.
As you already authenticate the user with a password, client certificate authentication is not needed. To ensure the communication is secured use a self-signed server certificate. In case the clients need to verify that they are connecting to the correct server then you need to get a signed certificate from a third party CA like VeriSign, which could cost you at least $100.
In the same way as IE handles the client certificate authentication procedure, I would like to do the same from an installed .Net client app that connects to our web server which has been setup for requiring client certificates.
I know how to open the Select Certificate UI allowing the user to select a client certificate from a list of those that are installed, and then add the certificate to the outgoing HttpWebRequest.
What I can't figure out is:
How to determine when a client certificate is required by the server. It's not in the HttpResponse. The status code is 403 but I can't read the substatus.
How to then filter the client certificates in the UI to list only those that are valid based on the server certificate (issued by?).
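For the second point, as an added example that is not from the original post: before showing the Select Certificate UI, narrow the personal store to certificates that could actually satisfy the server (time-valid, with a private key, carrying the Client Authentication EKU, and issued by one of the accepted CAs), then attach the chosen one to the HttpWebRequest. The accepted issuer names are assumed to be known in advance, since the request API does not expose the list the server sends.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: offer the user only client certificates that can satisfy the server.
// acceptableIssuerNames (distinguished names such as "CN=Corp Issuing CA, O=Corp") is assumed
// to be known from the server's documentation; X509Certificate2UI lives in System.Security.dll.
static class ClientCertPicker
{
    const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    public static X509Certificate2Collection Candidates(string[] acceptableIssuerNames)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            var usable = store.Certificates
                .Find(X509FindType.FindByTimeValid, DateTime.Now, false)
                .Find(X509FindType.FindByApplicationPolicy, ClientAuthEku, false);
            var filtered = new X509Certificate2Collection();
            foreach (var c in usable)
            {
                if (!c.HasPrivateKey) continue;            // cannot sign the handshake without it
                foreach (var issuer in acceptableIssuerNames)
                    if (string.Equals(c.Issuer, issuer, StringComparison.OrdinalIgnoreCase))
                    { filtered.Add(c); break; }
            }
            return filtered;
        }
        finally { store.Close(); }
    }

    // Shows the standard selection dialog over the filtered set and attaches the choice.
    public static HttpWebRequest Build(Uri url, string[] acceptableIssuerNames)
    {
        var candidates = Candidates(acceptableIssuerNames);
        var chosen = X509Certificate2UI.SelectFromCollection(candidates, "Select certificate",
            "Choose the certificate to present to " + url.Host, X509SelectionFlag.SingleSelection);
        var req = (HttpWebRequest)WebRequest.Create(url);
        if (chosen.Count == 1) req.ClientCertificates.Add(chosen[0]); // user may have cancelled
        return req;
    }
}
```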
Thanks in advance.