Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Developer certificate vs purchased certificate for WCF

Tags:

certificate

ssl

x509certificate

wcf

I understsand that if I want to use authentication in WCF then I need to install a certificate on my server which WCF will use to encrypt data passing between my server and client.

For development purposes I believe I can use the makecert.exe util. to make a development certificate.

What is the worst that can happen if I use this certificate on the production environment?

and...

Why cant I use this certificate on the production environment?

and ...

What is the certificate actually going to do in this scenario?

[Edit: Added another question]

finally...

In a scenario where the website has a certificate installed to provide HTTPS support can the same certificate be used for the WCF services as well?

Note on my application: Its a NetTCP client and server service. The users will log in using the same username and password which they use for the website which is passed in clear text. I would be happy to pass the u/n + p/w in cleartext to WCF but this isnt allowed by the framework and a certificate must be in place. However, I dont want to buy an certificate due to budget constraints!

(Sorry for the possibly stupid question but I really dont understand this so would welcome some help with this).

like image 574
Remotec Avatar asked Mar 24 '10 09:03

Remotec

2 Answers

Well, nothing major will happen if you use a developer certificate in production environment, after all, a certificate is a certificate and the encryption it provides is the same as any commercial certificate.

However, as the certificate isn't signed by a trusted Certificate Authority, it doesn't guarantee to the client that you is you. Let me put this in another way: if your service were a simple web page the browser would say the certificate is invalid.

A certificate to provide SSL in a web server, is a certificate that tells the client that the domain is a trusted and verified domain, and that the Certificate Authority can vouch for it.

So, a certificate made by makecert.exe would be as like you writing your name in a piece of paper and telling, say an officer of the law, that this your driver's license.

like image 182
Paulo Santos Avatar answered Sep 19 '22 00:09

Paulo Santos

  1. A certificate needs to be issued by a so-called Certificate Authority to be trusted. Self signed certificates (created by makecert etc) are not trusted, and everybody that will browse to your website will receive an 'Invalid certificate' (more specific: 'The certificate is not trusted because it is self-signed') warning. So, worst case, people won't go to your site, because they don't trust it.

  2. You can use your self signed certificate in production, but it is not advisable for reasons explained above.

  3. The certificate is used to establish a secure connection (HTTPS) between the client and the server. Next to that, it is meant to verify the server's identity. The identity of your server can not be guaranteed if your certificate is self-signed.

  4. In IIS, if you install a certificate in a web site, all WCF services deployed under that web site are able to use the certificate.

In short, use a self-signed certificate for development (look into a tool called SSL Diagnostics for easy certificate generation in IIS), but really do use a production certificate for production!

like image 23
Eric Eijkelenboom Avatar answered Sep 21 '22 00:09

Eric Eijkelenboom
Sign in to Comment

Related questions

WCF and Interface Inheritance - Is this a terrible thing to do?
In-process communication design with WCF (.NET)
Is this code thread-safe? How can I make it thread-safe?
What steps do I need to take to convert from a class library to a WCF?
The protocol 'net.tcp' is not supported
How to detect user agent in WCF web service
What is the fastest way to send large binary file from one pc to another pc over the Internet?
Time zone mess using WCF
Solve WCF Error: Metadata publishing for this service is currently disabled
WCF security, username password without certificate
What is the bindingConfiguration attribute responsible for in a BasicHttpBinding endpoint config?
How to generate a wsdl file of a wcf service library project?
should I wrap all my WCF service code in a try catch block?
WCF service reaching high memory usage on first call
How Can I Host A WCF App In IIS?
WCF Error "Found multiple X.509 certificates using search criteria"
Can I force svcutil.exe to generate data contracts for a WCF service?
"Best" way to communicate between .NET 1.1 and .NET 3.5
Dependency injection with multiple repositories
What is the use of spring.net?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!