WCF MESSAGE SECURITY
USING CERTIFICATES
By Sandesh Salunke, Team Lead
Hacking might be one of the coolest things to watch on the movie screen. Most of us have, at some point of time, gawked in awe at the hero hacking into a bank server or some evil corporation. But here’s the catch, in real life, security compromises don’t take place in such an extravagant manner. Day-to-day services are attacked that affect businesses and ordinary people, which includes you. Attacks have direct consequences on service integrity, and most importantly monetary and data transactions.

So how do we overcome this problem?

Using Digital ID’s and Certificates. The ID cryptographically attaches client/user identity to a unique Digital Certificate. This is mapped for account verification which enables access control to web applications, servers or remote computers. This process is called authentication.

Windows Communication Foundation (WCF) is one such framework that lays down a channel for exchange of messages from one service point to another. But here comes the conundrum again - How do we successfully ensure security?

Let's Get Started!

We need a valid certificate to authenticate a client and a service. Here, valid means that the certificates should be generated by a Certificate Authority. A certificate authority can be any third party certificate authority [recommended in case of production] or we can create our own certificate authority [DEV STAGE ONLY]. Once we get the Certificate Authority, we need to create different certificates for different components.

Follow the below process to create a certificate authority. I am using “makecert” for creating a certificate authority.

Launch Visual Studio command prompt to use makecert. The name of my certificate authority is “Dev Certification Authority”. Below is the command to create the certificate authority. It will ask to set a password, go ahead and set it. You have to remember this password as we are going to use this at the time of generating the service and the client certificates.

>>makecert -pe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Dev Certification Authority" -len 2048 -ss My -sr localmachine -sky exchange
After entering the password, it gave an error. The reason is that I tried to execute it many times so this was already available with me. For that, we need to delete the existing key and try to create a certificate once again. Use the below mentioned two commands to delete a key.

>>DEL SignRoot.pvk

>>DEL SignRoot.cer
Here, I have deleted the existing subject keys. Now, try to execute the certificate creation command again.

>>makecert -pe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=Dev Certification Authority" -len 2048 -ss My -sr localmachine -sky exchange

It will ask you to enter a password. Enter it and go ahead.
Here, we have created a certificate authority successfully. To verify it, launch Run>>MMC. It will launch the Window MMC as below.
Click File >> Add/Remove Snap-in. It will open the "Add Snap-in" window. Select certificate in the available snap-in list. Click Add >.
Select "Computer Account" and click "Next".
It will open the Console Root as below.
Expand certificates -Local Computer.>> Personal>> Certificates. Then, you can see the certificate which we created using the makecert command.

“Dev Certification Authority”.
Double-click that certificate to see the properties. You can see that this certificate is not trusted. We need to add this certificate in “Trusted Root Certification Authority”.
To do so, copy this certificate and paste in the “Trusted Root Certification Authority” field.
Now, go to Personal>>Certificate and then double-click the certificate. You will see the result as below. Our certificate is valid. That means now our certificate authority is a trusted certificate authority.
Now, let's create certificates for our service and client. My certificate authority will issue me certificates which I will use for authentication in WCF. Here, I have one service and one client. So, I will generate two certificates in my certificate authority.

Launch Visual Studio command prompt and execute the below commands. It will ask us to enter the issuer's password. Enter the password which you have entered at the time of the creation of the certificate authority.

Command for Service,

>>makecert -pe -sk ServerCert -iv SignRoot.pvk -n "CN=ServerCert" -ic signroot.cer ServerCert.cer -sr localmachine -ss My -sky exchange

Command for Client,

>>makecert -pe -sk ClientCert -iv SignRoot.pvk -n "CN=ClientCert" -ic signroot.cer ClientCert.cer -sr localmachine -ss My -sky exchange
Once we have executed this, it will generate certificates in Personal>>Certificates.
Now, we are ready with certificates.

Server Certificate
Client Certificate
Export these certificates

Now, we will export these certificates so that we can import them wherever we are going to use them.

Launch MMC Console, Personal>>Certificates>>Select Certificate>> RightClick on Dev Certificate Authority>>All Task>> Export>> Next.
Click Next>> Browse File to Save>>Next>>Finish.
 
See the saved location for verification.

Now, we will export the Server Cert and Client Cert. But there is one additional thing. I want two different certificates of Server. One is Private key cert and another is Public key. Same for the Client Cert. So, here, I will generate 4 different certificates.I will explain at a later stage why I am creating this.

1. Server Private Key
2. Server Public Key
3. Client Private Key
4. Client Public Key

Right-click on the respective certificate and select the "Export" option and go ahead. In the Certificate Export wizard, it will give an option to export the private key or public key. We will execute it twice as we want a private key as well as a public key.
In the end, we will have 5 certificates.

 
1. Certificate Authority certificate
2. Server Private Key
3. Server Public Key
4. Client Private Key
5. Client Public Key

Now, we want to use these certificates in WCF for message security. For that, we need to create one service and one client. We need two machines. One for running our service and one for running a client.
Certificate related operations to be performed at Server Machine

I need to import the Certificate Authority certificate at the server machine and place it in the “Trusted Root Certificate Authority” folder.

Import Servers Private key & keep a copy of it in Trusted People Folder as well as Personal Folder.

Import Client Public key & keep a copy of it only in Trusted People Folder.

Certificate related operations to be performed at Client Machine

Import Client Private Key and keep a copy of it in the Trusted People folder as well as in Personal folder.

Import Server Public key and keep a copy of it only in the Trusted People folder.

So now, we are done with placing certificates. Its time to use them in WCF service.
WCF Service Config File
Client’s Config File
You need to change binding address according to your machine's IP.

I have attached the source code of service as well as the client in this GitHub repo. Compile it and run it.
WonderBiz Technologies
311 Orion Business Park, G.B. Road, 
Thane, India 400610

WonderBiz Technologies Pvt. Ltd. All Rights Reserved