4
votes

I am writing a WCF service where I need to access the Hash Code of client certificates that are used to connect to the service.

I am looking for a property or method similar to Request.ClientCertificate from ASP.NET 2.0 days but cannot find anything that allows easy access to the client certificate.

Our service is set up such that it is running with SSL using basicHttpBinding and security mode of "Transport".

IIS has been set up to Require SSL and Accept certificates.

One thing to note is that our server certificate used to secure the endpoint is from a different CA to that of the client certificates - the client certificates are intended to be validated solely through custom code (thus the need to get the hash code of a connecting certificate).

I have created a custom implementation of the IDispatchMessageInspector to see if there is any access to a client certificate from there but to no avail.

Has anyone attempted this and had success before?


2 Answers

4
votes

Looks like the best option for you would be to implement a custom Certificate Validator for your service. This is basically a class that derives from X509CertificateValidator and is then registered through the config file.

There's more complete information on how to do this on this article.

3
votes

For reference if anyone else attempts to apply client certificate authentication the following steps were required to get it to work (we are using basicHttpBinding within WCF for this instance and running in a local instance of IIS):

  1. Set up IIS to use a HTTPS binding for the site and secure this in IIS with a server certificate
  2. Within IIS change the SSL Settings for your site to Require SSL and Require client certificates (It must be Require - Accept will not work)
  3. Within the WCF configuration amend the basicHttpBinding and set security mode to "Transport" and the transport clientCredentialType to "Certificate"

Ensure that the root certificate (the one used to create any client certificates) is within the "Trusted Root Certification Authorities" for the Local Computer on which IIS is running.

NOTE: If you are in a development environment you may need to generate your own root certificate; the makecert command line application is very useful for this. Simply run the following command: makecert -n "CN=My Test Auth" -r -cy authority -a sha1 -sv "My Private Key.pvk" TestAuth.cer

This creates a certificate called TestAuth.cer (which needs to be added to the Computer's "Trusted Root Certification Authorities") and a private key file called "My Private Key.pvk".

Now to generate a client certificate you can run this command: makecert -a sha1 -n "CN=myConnectionCert" -ic "TestAuth.cer" -iv "My Private Key.pvk" -ss My

This creates a certificate with a subject of myConnectionCert and adds it to your personal certificate store. When you now access the site (to view the service page, for example) IE should prompt you to select the certificate; choose the one you have just created and you should see the service page as normal.
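Putting the two answers together, here is an added example (not code from either poster) of the custom X509CertificateValidator the first answer suggests, checking the connecting certificate's thumbprint (its SHA-1 hash) against an allow-list, plus a helper that reads the presented certificate inside an operation and the config fragment that registers the validator for the Transport/Certificate setup from the second answer. The allow-listed thumbprint and the assembly name MyService are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Accepts only client certificates whose thumbprint is on an explicit allow-list.
// Chain building is deliberately not used here because the client certificates come
// from a different CA than the server certificate (as described in the question).
public class ThumbprintValidator : X509CertificateValidator
{
    // Placeholder thumbprint (assumption); replace with the real pinned values.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Thumbprint is the hex SHA-1 hash of the DER-encoded certificate,
        // i.e. the "hash code" the question is after.
        string thumbprint = certificate.Thumbprint;
        if (!Allowed.Contains(thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate not on allow-list: " + thumbprint);
    }
}

// Reads the certificate the caller presented, from inside a service operation.
public static class ClientCertificateHelper
{
    public static X509Certificate2 GetClientCertificate()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) return null;
        foreach (ClaimSet cs in ctx.AuthorizationContext.ClaimSets)
        {
            X509CertificateClaimSet x509 = cs as X509CertificateClaimSet;
            if (x509 != null) return x509.X509Certificate;
        }
        return null;
    }
}
```

Register the validator in the service behaviour of web.config with `<serviceCredentials><clientCertificate><authentication certificateValidationMode="Custom" customCertificateValidatorType="ThumbprintValidator, MyService" /></clientCertificate></serviceCredentials>`, where MyService is the assumed assembly name.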