
There is a server with a WCF client, which periodically initiates communications over the internet with many WCF services installed on our clients' computers. The WCF services and WCF clients are hosted in Windows Services; the current binding is basicHttpBinding.

Communication has to be over HTTPS with mutual authentication. The company ordered an SSL certificate, but it is not clear whether this certificate can be installed on the clients' computers (because the WCF service is there) without exposing the private key. The binding can be basicHttpBinding or wsHttpBinding with transport or message security, but using certificates.

Is it possible to install the service-side certificate on the client computers and the client-side certificate on our server? Should this architecture be reworked so that the WCF service is on our server, or is it possible to somehow secure the current solution?

B G
  • You already got a very good answer by [asking exactly the same question on stackoverflow](http://stackoverflow.com/questions/37736735/ssl-server-side-certificate-on-client-computer), which effectively gives the same answer you got here, i.e. don't fiddle around but use a proper PKI structure. It is not nice behavior to just move away if you don't like the answer and ask somewhere else again without even trying to rework the question to fit your problem better. – Steffen Ullrich Jun 10 '16 at 15:00
  • By asking the question 2 times I got 2 similar but not identical answers, which helped me to understand this better. If I knew it I wouldn't ask. – B G Jun 10 '16 at 16:19
  • @user6431152 it's very poor form to cross-post – Little Code Jun 10 '16 at 16:22
  • Please do not cross post on SE. – schroeder Jun 10 '16 at 17:31
  • I'm voting to close this question as off-topic because it is cross posted here: http://stackoverflow.com/questions/37736735/ssl-server-side-certificate-on-client-computer – schroeder Jun 10 '16 at 17:32

1 Answer


It sounds like you need to build some Public Key Infrastructure (PKI) into your enterprise. I'm assuming the WCF server and the client machines are internal, meaning that you can use internally signed certificates using your own Certificate Authority (CA).

Once you've set up your "root CA" for the enterprise, you can create intermediary CAs to handle different aspects of your business, such as the WCF communications, user authentication, or anything else that supports it. The certificates for the intermediary CAs can be signed by the root CA, and then any certificates your intermediaries sign and issue (the ones for the client workstations for example) will be valid within your network.

Desthro
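The two-tier PKI the answer describes (root CA, an intermediate CA dedicated to WCF, a leaf certificate per machine), carried through with the Windows PKI cmdlets and the matching WCF transport-security settings. This is an added example, not code from the question or the answer above. The host names wcf-hub.example.internal and ws01.example.internal, the port 8443 and all certificate subjects are assumptions; so is the choice to generate every key pair on one administrative machine and ship leaf keys as PFX files, which keeps the example self-contained but is weaker than an AD CS deployment where each machine generates its own key and submits a CSR. What the example does preserve is the point relevant to the question: the purchased certificate's private key stays on the central server, and each client workstation's WCF service gets its own certificate issued by the intermediate, so no private key has to be copied between the two roles.

```powershell
# Added example (not from the thread). Builds root -> intermediate -> leaves
# with New-SelfSignedCertificate and emits the WCF config fragments.
# Assumed names: wcf-hub.example.internal (central server running the WCF
# client), ws01.example.internal (one client workstation running a WCF
# service), port 8443. Needs an elevated PowerShell 5.1+ session on
# Windows 10 / Server 2016 or later (-Signer is not available on older builds).

$ErrorActionPreference = 'Stop'
$store  = 'Cert:\LocalMachine\My'
$outDir = Join-Path $PWD 'pki-out'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA. Keep it offline; pathlength=1 lets it sign only one CA tier below.
$root = New-SelfSignedCertificate -Subject 'CN=Example Root CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=1') `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation $store

# 2. Intermediate (issuing) CA for WCF traffic, signed by the root.
#    pathlength=0: it may issue end-entity certificates only, no further CAs.
$wcfCa = New-SelfSignedCertificate -Subject 'CN=Example WCF Issuing CA' `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy NonExportable `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=0') `
    -Signer $root -NotAfter (Get-Date).AddYears(5) -CertStoreLocation $store

# 3. One leaf per machine, each with its own key pair.
#    EKU 1.3.6.1.5.5.7.3.1 = serverAuth (WCF service on the workstation)
#    EKU 1.3.6.1.5.5.7.3.2 = clientAuth (WCF client on the central server)
function New-WcfLeafCert {
    param([string]$DnsName, [string]$EkuOid)
    New-SelfSignedCertificate -Subject "CN=$DnsName" -DnsName $DnsName `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @("2.5.29.37={text}$EkuOid") `
        -Signer $wcfCa -NotAfter (Get-Date).AddYears(1) -CertStoreLocation $store
}
$serviceCert = New-WcfLeafCert -DnsName 'ws01.example.internal'    -EkuOid '1.3.6.1.5.5.7.3.1'
$clientCert  = New-WcfLeafCert -DnsName 'wcf-hub.example.internal' -EkuOid '1.3.6.1.5.5.7.3.2'

# 4. Export. The two .cer files go into Trusted Root / Intermediate CAs on every
#    machine; each PFX goes only to the machine whose name it carries.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-Certificate    -Cert $root        -FilePath (Join-Path $outDir 'example-root.cer')   | Out-Null
Export-Certificate    -Cert $wcfCa       -FilePath (Join-Path $outDir 'example-wcf-ca.cer') | Out-Null
Export-PfxCertificate -Cert $serviceCert -FilePath (Join-Path $outDir 'ws01-service.pfx') -Password $pfxPassword | Out-Null
Export-PfxCertificate -Cert $clientCert  -FilePath (Join-Path $outDir 'hub-client.pfx')   -Password $pfxPassword | Out-Null

# 5. On the workstation (after importing ws01-service.pfx into LocalMachine\My):
#    wsHttpBinding in Transport mode takes its server certificate from the
#    http.sys port binding, not from config, and clientcertnegotiation=enable
#    makes http.sys ask the peer for a client certificate.
$appId   = [guid]::NewGuid().ToString('B')
$bindCmd = "netsh http add sslcert ipport=0.0.0.0:8443 certhash=$($serviceCert.Thumbprint) appid=`"$appId`" clientcertnegotiation=enable"
Set-Content -Path (Join-Path $outDir 'bind-ws01.cmd') -Value $bindCmd

# 6. WCF config fragments. ChainTrust validates the peer up to any root in the
#    Trusted Root store. revocationMode=NoCheck only because these CAs publish
#    no CRL; with AD CS publishing one, use Online.
$serviceConfig = @"
<bindings>
  <wsHttpBinding>
    <binding name="mutualTls">
      <security mode="Transport"><transport clientCredentialType="Certificate" /></security>
    </binding>
  </wsHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior name="requireClientCert">
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
"@
$clientConfig = @"
<behaviors>
  <endpointBehaviors>
    <behavior name="presentClientCert">
      <clientCredentials>
        <clientCertificate findValue="$($clientCert.Thumbprint)" storeLocation="LocalMachine"
                           storeName="My" x509FindType="FindByThumbprint" />
        <serviceCertificate>
          <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
"@
Set-Content -Path (Join-Path $outDir 'service.config.fragment') -Value $serviceConfig
Set-Content -Path (Join-Path $outDir 'client.config.fragment')  -Value $clientConfig
```

Two caveats a practitioner would check before relying on this. First, ChainTrust accepts any certificate that chains to a root the machine already trusts, not only to the private root built here; if the hosts also trust the public CAs, a certificate from any of them would pass, so either keep the Trusted Root store on these machines minimal or replace ChainTrust with a custom X509CertificateValidator that pins the issuing CA's thumbprint. Second, the commercial certificate the company bought fits the central server's public-facing side only; nothing in this setup requires it on the workstations.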