WCF Certificates without Certificate Store

My team is developing a number of WPF plug-ins for a 3rd party thick client application. The WPF plug-ins use WCF to consume web services published by a number of TIBCO services. The thick client application maintains a separate central data store and uses a proprietary API to access the data store. The thick client and WPF plug-ins are due to be deployed onto 10,000 workstations. Our customer wants to keep the certificate used by the thick client in the central data store so that they don't need to worry about re-issuing the certificate (current re-issue cycle takes about 3 months) and also have the opportunity to authorise the use of the certificate. The proposed architecture offers a form of shared secret / authentication between the central data store and the TIBCO services.

Whilst I don’t necessarily agree with the proposed architecture, our team is not able to change it and must work with what’s been provided.

Basically our client wants us to build into our WPF plug-ins a mechanism which retrieves the certificate from the central data store (which will be allowed or denied based on roles in that data store) into memory then use the certificate for creating the SSL connection to the TIBCO services. No use of the local machine's certificate store is allowed and the in memory version is to be discarded at the end of each session.

So the question is: does anyone know whether it is possible to pass an in-memory certificate to a WCF (.NET 3.5) service for SSL transport-level encryption?

Note: I had asked a similar question (here) but have since deleted it and re-asked it with more information.

Kane asked Mar 09 '10 01:03


1 Answer

It is possible. We do something similar with Mutual Certificate Auth - the service certificate and in some cases the client certificate are picked up from a central authority as part of an auto-discovery/single-sign-on mechanism.

It's not entirely clear in what context the certificate will be used, but in all cases what you need to do is define your own behavior and behavior element deriving from the particular behavior/element in the System.ServiceModel.Description namespace that takes the certificate. I'll assume for the time being that it's a client credential. First you have to write the behaviour, which goes something like this:

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class MyCredentials : ClientCredentials
{
    public MyCredentials() { }
    // Copy constructor: CloneCore needs it so the base credential state is carried over
    protected MyCredentials(MyCredentials other) : base(other) { }

    public override void ApplyClientBehavior(ServiceEndpoint endpoint,
        ClientRuntime behavior)
    {
        // Assuming GetCertificateFromNetwork retrieves from CDS
        ClientCertificate.Certificate = GetCertificateFromNetwork();
        // Let the base class finish its own endpoint setup
        base.ApplyClientBehavior(endpoint, behavior);
    }

    protected override ClientCredentials CloneCore()
    {
        return new MyCredentials(this);
    }

    // Hook for the central data store call; it must return the certificate with its private key
    private X509Certificate2 GetCertificateFromNetwork()
    {
        throw new NotImplementedException("retrieve the X509Certificate2 from the central data store here");
    }
}

Now you need to create an element that can go in the XML configuration:

using System;
using System.ServiceModel.Configuration;

public class MyCredentialsExtensionElement : ClientCredentialsElement
{
    protected override object CreateBehavior()
    {
        var credentials = new MyCredentials();
        // Let the base element apply any child settings (serviceCertificate etc.)
        // that appear under the element in the config file
        base.ApplyConfiguration(credentials);
        return credentials;
    }

    public override Type BehaviorType
    {
        get { return typeof(MyCredentials); }
    }

    // Snip other overrides like Properties
}

After this you can add the policy to your WCF config:

<behaviors>
    <endpointBehaviors>
        <behavior name="MyEndpointBehavior">
            <myCredentials/>
        </behavior>
    </endpointBehaviors>
</behaviors>

Edit: Almost forgot to mention, you need to register the extension:

<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <!-- .NET 3.5 compares this type string literally, so keep it on one line,
                 with a single space after each comma -->
            <add name="myCredentials"
                 type="MyAssembly.MyCredentialsExtensionElement, MyAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
        </behaviorExtensions>
    </extensions>
</system.serviceModel>

Hope that helps. If you need more details on the arrangement of all of these classes and what's going on behind the scenes, try reading Extending WCF with Custom Behaviors.

Aaronaught answered Oct 10 '22 10:10
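The same idea wired up in code rather than app.config, as an added example that is not part of the answer above: the type names InMemoryCertificateCredentials and TibcoClientFactory, the contract type T and the fetch delegate standing in for the call into the central data store are all placeholders. It also adds the private-key and validity checks a caller would want before handing the certificate to the transport.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// ClientCredentials that obtains the certificate from a delegate (the call into the
// central data store) rather than from the local certificate store.
public class InMemoryCertificateCredentials : ClientCredentials
{
    private readonly Func<X509Certificate2> fetch;
    public InMemoryCertificateCredentials(Func<X509Certificate2> fetch) { this.fetch = fetch; }
    // Copy constructor for CloneCore: WCF clones the credentials when the factory opens.
    protected InMemoryCertificateCredentials(InMemoryCertificateCredentials other)
        : base(other) { fetch = other.fetch; }

    public override void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime behavior)
    {
        X509Certificate2 cert = fetch();
        // Fail closed: without the private key, or outside the validity period, the only
        // symptom later would be an opaque TLS handshake error.
        if (cert == null || !cert.HasPrivateKey)
            throw new InvalidOperationException("No client certificate with private key from the data store");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Client certificate is outside its validity period");
        ClientCertificate.Certificate = cert;
        base.ApplyClientBehavior(endpoint, behavior);
    }

    protected override ClientCredentials CloneCore()
    {
        return new InMemoryCertificateCredentials(this);
    }
}

public static class TibcoClientFactory
{
    // Factory for the hypothetical contract T at url; the client authenticates with the
    // fetched certificate at the transport (HTTPS) layer, never touching the cert store.
    public static ChannelFactory<T> Create<T>(string url, Func<X509Certificate2> fetch)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var factory = new ChannelFactory<T>(binding, new EndpointAddress(url));
        // Replace the default ClientCredentials behavior with the in-memory one.
        factory.Endpoint.Behaviors.Remove<ClientCredentials>();
        factory.Endpoint.Behaviors.Add(new InMemoryCertificateCredentials(fetch));
        return factory;
    }
}
```

When the session ends, close the factory and call Reset() on the certificate object so the private key handle it holds is released immediately rather than at finalization.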