Re: WCF endpoint certificate identity
- From: "Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Oct 2008 21:34:05 -0700
When web services have certificates involved and are used at the message level (versus transport) I believe the update process would be to re-send the WSDL to the client (when the keys have changed). I don't see any other way of letting the client know of the change. Automating this procedure would require the client to automate the process of reading the WSDL, but then again the service would need to publish the WSDL (not recommended due to security sensitivity).
The service owner and client owner need to agree on a compromise that leaves both parties comfortable.
Tiago Halm
"Larry" <adcoder@xxxxxxxxxxxxxxxx> wrote in message news:%238MAY1CKJHA.4324@xxxxxxxxxxxxxxxxxxxxxxx
It doesn't quite get me what I need. Any idea where I can find any documentation on what this value is and how it's generated? Some documentation says that "This element specifies a Base64-encoded X.509 certificate value to compare with the client." but then also says that "This element restricts authentication to a single certificate based upon its thumbprint value." So if anything changes that affects the thumbprint, this value will have to be regenerated (quotes taken from http://msdn.microsoft.com/en-us/library/ms733130.aspx).
I also run a pretty good chance that the customer(s) may want to use their own certificate anyways, so I'll need a good way of updating this encodedValue (outside of my dev environment). Any other thoughts on how this can be done? It's got to be pretty common to have to change this value since certificates expire, company processes require updating of certificates/key pairs or other update problems. Is there any documented procedure for doing this?
"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message news:2B8CF6E4-B702-46AB-B539-1F6C6910EB1E@xxxxxxxxxxxxxxxx
Larry,
See here, see if it helps to generate the value (haven't checked):
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=597530&SiteID=1
Tiago Halm
"Larry" <adcoder@xxxxxxxxxxxxxxxx> wrote in message news:upp5uYxIJHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
There is more to this encoded value than just the public key. As I mentioned previously, the encoded value begins with AwAAAAEAAAAUAAAARF and doesn't have until later in the value MIIE (the start of the public key). It kind of looks like it starts with an encoded thumbprint or signature. I see though that I won't have to change this value unless a new key pair is needed.
Thanks for your help!
"Tiago Halm" <thalm@xxxxxxxxxxxxxxxxxx> wrote in message news:%23t5W0WrIJHA.4600@xxxxxxxxxxxxxxxxxxxxxxx
The encoded value is the public key of the X.509 certificate. The client
uses this public key to encrypt a given message, which the private key owner
(the web service) is able to decrypt.
When the web service owner decides to change the certificate, this change
will (eventually) involve a change in the public key which will be reflected
in the WSDL. The client should be able to update the reference (re-process
the WSDL) when the certificate changes.
I suspect, but may be wrong, that you may renew the certificate while
maintaining the private/public key pair.
Tiago Halm
"Larry" <adcoder@xxxxxxxxxxxxxxxx> wrote in message
news:uhMmAdqIJHA.456@xxxxxxxxxxxxxxxxxxxxxxx
Sorry about the mis-submission.
Like I said, I'm using WCF with my web service calls and use wsHttpBinding
with certificates and set with message encryption. When I create my
service reference, I end up getting an entry something like this in the
<client /> section of the web.config:
<endpoint address="http://<my service address>"
          binding="wsHttpBinding" behaviorConfiguration="certConfig"
          bindingConfiguration="wsHttpBindingConfig"
          contract="<my contract>" name="wsHttpBindingConfig">
  <identity>
    <certificate encodedValue="<AwAAAAEAAAAUAAAARFl...MIIE...< more of a long encoded string>" />
  </identity>
</endpoint>
The encodedValue in the certificate node is automatically generated for me
when I add the reference (comes from the Svcutil). I'd like to be able to
replace this value when certs are updated. What is this value made up
from and how can I programmatically update it (using c#)? It looks like
it has more than the base64 encoded value of the certificate.
I tried something like this:
byte[] bytes = myCert.Export(X509ContentType.SerializedCert);
string base64Cert = Convert.ToBase64String(bytes);
which did not come out the same as what's in the encodedValue. What am I
missing here? Any suggestions would be greatly appreciated!
Larry
"Larry" <none> wrote in message
news:OETSPlpIJHA.1160@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
I use WCF with my web service calls and all of the communication is
secured with certificates. When I create my service reference, an
endpoint gets created with the correct information. It includes an entry
like this:
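An added C# example, not code from this thread and not svcutil's or WCF's own implementation, showing how a client owner could inspect an existing encodedValue, check it against a thumbprint the service owner announced out of band, and rewrite the <identity><certificate> element when a new certificate arrives. It builds on the same assumption Larry's snippet makes: that encodedValue is the Base64 form of an X509ContentType.SerializedCert export, which X509Certificate2Collection.Import can read back. That assumption is consistent with the prefix Larry quotes: the Base64 text AwAAAAEAAAAUAAAA decodes to the three little-endian DWORDs 3, 1, 20, and 3 is CERT_SHA1_HASH_PROP_ID in wincrypt.h while 20 bytes is the length of a SHA-1 thumbprint, so the blob starts with the cached thumbprint property before the DER certificate ("MIIE...") that follows. The config path, endpoint name, certificate file and expected thumbprint are command-line arguments here, not values from the thread.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

// Added example; assumes encodedValue == Base64(cert.Export(SerializedCert)),
// which is an assumption, not something confirmed by the thread or by svcutil.
static class EndpointIdentityTool
{
    // Decode an encodedValue back into certificate objects. Import() accepts
    // serialized-certificate blobs as well as plain DER (assumed sufficient here).
    public static X509Certificate2Collection Decode(string encodedValue)
    {
        var certs = new X509Certificate2Collection();
        certs.Import(Convert.FromBase64String(encodedValue));
        return certs;
    }

    // Defensive check before deploying a config: the value must contain the
    // certificate whose thumbprint the service owner announced out of band,
    // otherwise the client would pin itself to the wrong service identity.
    public static bool MatchesThumbprint(string encodedValue, string expectedThumbprint)
    {
        string expected = expectedThumbprint.Replace(" ", "");
        foreach (X509Certificate2 cert in Decode(encodedValue))
        {
            if (string.Equals(cert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Build a replacement value. SerializedCert carries the public certificate
    // plus its cached properties (thumbprint included) and no private key.
    public static string Encode(X509Certificate2 cert)
    {
        return Convert.ToBase64String(cert.Export(X509ContentType.SerializedCert));
    }

    // Locate <endpoint name="..."><identity><certificate/> in a client config.
    static XElement FindCertificateElement(XDocument doc, string endpointName)
    {
        foreach (XElement endpoint in doc.Descendants("endpoint"))
        {
            if ((string)endpoint.Attribute("name") != endpointName) continue;
            XElement identity = endpoint.Element("identity");
            if (identity == null) break;
            return identity.Element("certificate");
        }
        return null;
    }

    public static string ReadEncodedValue(string configPath, string endpointName)
    {
        XElement certElement = FindCertificateElement(XDocument.Load(configPath), endpointName);
        if (certElement == null)
            throw new InvalidOperationException("endpoint has no <identity><certificate>");
        return (string)certElement.Attribute("encodedValue");
    }

    public static void UpdateConfig(string configPath, string endpointName, X509Certificate2 newCert)
    {
        XDocument doc = XDocument.Load(configPath);
        XElement certElement = FindCertificateElement(doc, endpointName);
        if (certElement == null)
            throw new InvalidOperationException("endpoint has no <identity><certificate>");
        certElement.SetAttributeValue("encodedValue", Encode(newCert));
        doc.Save(configPath);
    }

    // Usage: EndpointIdentityTool <web.config> <endpointName> <service.cer> <expected thumbprint>
    static void Main(string[] args)
    {
        string configPath = args[0], endpointName = args[1], certFile = args[2], thumbprint = args[3];

        // Load the public .cer the service owner distributed and refuse to proceed
        // unless it matches the thumbprint communicated through a separate channel.
        var cert = new X509Certificate2(certFile);
        if (!string.Equals(cert.Thumbprint, thumbprint.Replace(" ", ""), StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("certificate file does not match the announced thumbprint");

        Console.WriteLine("current value verifies: " +
            MatchesThumbprint(ReadEncodedValue(configPath, endpointName), thumbprint));
        UpdateConfig(configPath, endpointName, cert);
        Console.WriteLine("updated value verifies: " +
            MatchesThumbprint(ReadEncodedValue(configPath, endpointName), thumbprint));
    }
}
```

The point of the thumbprint comparison is that the encodedValue is what the client pins the service identity to; a value pasted from an untrusted WSDL or e-mail would silently re-pin the client, so the check against an independently communicated thumbprint is the step that keeps the update from becoming a trust-on-first-use problem. If svcutil's blob turns out to contain more than a single SerializedCert (Larry reports it looked that way), Decode still returns every certificate the blob holds and the comparison still works.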