How can I send a password along with my certificate (X.509) in a WCF Service?

I have a WCF Service that uses a X.509 certificate as client credentials. Most of these credentials do not require a password for using it, just for installing it.

But now, a client of ours has a certificate that requires a password to be entered every time it's used (i.e. every time the service is running). This service calls another service n times a day, but fails if the certificate cannot be validated.

Until now we have asked our clients to order (and pay for) a new certificate every time we've had this problem, but both my clients and I are tired of going through this every time. I have not made the service myself, and don't have much experience with WCF and services.

What I would like to know is: Is it possible to enter this password into our configuration file along with all the other information about the certificate?

Here is a part of the XML configuration for the service:

<configuration>
  <system.serviceModel>
    <client>
      <endpoint
        address="***"
        binding="basicHttpBinding"
        bindingConfiguration="***"
        behaviorConfiguration="HTTPSEndpoint"
        contract="***"
        name="***" />
    </client>
    <bindings>
      <basicHttpBinding>
        <binding
          name="***"
          sendTimeout="00:05:00"
          maxBufferSize="2147483647"
          maxReceivedMessageSize="2147483647" >
          <readerQuotas maxStringContentLength="2147483647" />
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="HTTPSEndpoint">
          <clientCredentials>
            <clientCertificate
              findValue="***"
              storeLocation="LocalMachine"
              storeName="My"
              x509FindType="FindBySubjectName"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
Kristian Frost asked Nov 05 '10 09:11




1 Answer

The requirement to enter a password when retrieving the certificate from the certificate store on the client machine is because the certificate was imported with the "Enable strong private key protection" option checked:

Importing a certificate to the certificate store.

This is often set as part of standard server-hardening processes. It is intended for situations where the certificate authenticates a user with a remote system while the user is in attendance.

Since the password prompt is due to the certificate import process, and is not an intrinsic property of the certificates, purchasing new certificates will not change anything.

I know of no way to programmatically pass the password to the certificate store when retrieving it. However, if you think about it, even if you were successful you'd have to secure the said password somehow. You might encrypt the password in your .config file, but now you have to store the encryption key. And so on... Somewhere there will be a loose end that makes "strong private key protection" pointless.

Basically, your client can't have it both ways: they can't "enable strong private key protection", and expect to not have to enter a password each time the client certificate is required. Much better that they store the certificate correctly.

For an unattended client service, the most secure method for storing a client certificate is as follows:

  1. Run your client service under a specific account that has a cryptographically strong password.
  2. Remove the certificate from the LocalMachine store. Certificates installed in the LocalMachine store are accessible to any account running on the machine.
  3. Install the certificate in the CurrentUser store of the client service account. This will mean that the certificate is accessible only to the client service account. When the certificate is installed, be sure to uncheck the "Enable strong private key protection" option.
sheikhjabootie answered Nov 09 '22 22:11
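The three steps in the answer, carried out from the Windows shell an administrator would actually use, as an added example that is not part of the question or the answer above. It assumes the dedicated service account from step 1 already exists and that the script is run in that account's session (logged on as it, or via runas), because CurrentUser\My is per-account; the subject name and PFX path are placeholders. Import-PfxCertificate has no switch for "Enable strong private key protection" (that checkbox belongs to the certificate import wizard), so the key lands in the store without a per-use password prompt. The WCF behavior in the question must then be changed to storeLocation="CurrentUser" to match the new location.

```powershell
# Added example: move a WCF client certificate out of LocalMachine\My and into
# the service account's CurrentUser\My store (answer steps 2 and 3).
# Placeholders below are assumptions, not values from the question.
param(
    [string]$SubjectName = 'CN=client-placeholder.example.invalid',
    [string]$PfxPath     = 'C:\secure\client-placeholder.pfx'
)

$ErrorActionPreference = 'Stop'

# The PFX password is needed once, at import time only. Prompt for it rather
# than hardcoding it in a script or in the service's .config file.
$pfxPassword = Read-Host -Prompt 'PFX import password' -AsSecureString

# Step 2: remove every copy from LocalMachine\My, which any account on the
# machine can read. -DeleteKey also removes the associated private key.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName } |
    ForEach-Object {
        Write-Host "Removing $($_.Thumbprint) from LocalMachine\My"
        Remove-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -DeleteKey
    }

# Step 3: import into the current (service) account's personal store.
# No "strong private key protection" is applied here, so the unattended
# service can use the key without a prompt.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword

# Checks worth running before pointing the WCF endpoint at the store.
if (-not $cert.HasPrivateKey) {
    throw "Imported certificate $($cert.Thumbprint) has no private key; WCF client auth will fail."
}
$leftover = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName }
if ($leftover) {
    throw 'Certificate is still present in LocalMachine\My; removal failed.'
}
Write-Host "Installed $($cert.Thumbprint) in CurrentUser\My for $env:USERNAME (expires $($cert.NotAfter))"
```

After the import, the clientCertificate element in the behavior should read storeLocation="CurrentUser" (keeping storeName="My"); the service must run as the same account the script ran under, or WCF will not see the certificate at all.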