WCF - Is a service certificate needed to authenticate clients?

I think there's a gap in my mental model of WCF authentication, hoping someone can help me fill it in.

So, I'm creating a WCF service and would like to have clients authenticate using certificates, and message-level security. I'd like the service to validate these using chain trust so that I don't need each client cert installed on the service. For now, I'm not interested in having the service authenticate to the client.

Here's my understanding of what's needed to do this:

  1. The client needs a certificate signed by a CA that's trusted on the service side.
  2. The service needs a CRL installed for that CA.
  3. The service config should have message security turned on, specify clientCredentialType="Certificate", and chain trust for client certificate validation.
  4. The client config should have message security turned on, specify clientCredentialType="Certificate", and an endpoint behavior that tells how to find the client certificate in the store.

The client makes a request to the service, sending its certificate. The service sees that the client's cert is signed by its trusted CA and lets the request through.

Now, all of the walkthroughs of this process I've found also include a step of creating a certificate for the service. None of them explain what this is for, which is throwing me. Why is a service certificate needed if I just want to authenticate the clients?

user1454265 asked Jun 13 '12 18:06

1 Answer

You are right. In theory no server certificate is required; in practice WCF forces you to use one. The good news is that you should use a dummy certificate for the server and also set ProtectionLevel to SignOnly. I suggest reading this article, which talks about a similar scenario and is mostly relevant.

Yaron Naveh answered Nov 24 '22 07:11
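The service-side setup from steps 1 to 3 of the question, combined with the answer's advice (a dummy service certificate and a sign-only protection level), as an added self-hosted example that is not code from either poster. It assumes a hypothetical `IEchoService` contract, a service certificate with subject name "ServiceDummyCert" in the LocalMachine/My store, and the client CA already installed in the machine's trusted root or intermediate store; the answer's "SignOnly" corresponds to `System.Net.Security.ProtectionLevel.Sign` in the WCF API.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract. ProtectionLevel.Sign ("sign only") means messages are signed
// but not encrypted, so the dummy service certificate never protects confidentiality.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEchoService
{
    public string Echo(string text) => text;
}

public static class Hosting
{
    public static ServiceHost BuildHost()
    {
        // Step 3: message-level security with certificate client credentials.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), binding, "");

        // WCF requires a service certificate for message security even when only the
        // clients authenticate. "ServiceDummyCert" is an assumed subject name (see lead-in).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "ServiceDummyCert");

        // Steps 1-2: validate client certificates by chain trust against the CAs in the
        // machine store, and consult the CA's CRL (online revocation checking) so that
        // revoked client certificates are rejected. No per-client cert install is needed.
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        auth.TrustedStoreLocation = StoreLocation.LocalMachine;
        return host;
    }

    public static void Main()
    {
        ServiceHost host = BuildHost();
        host.Open();
        Console.WriteLine("Listening on http://localhost:8000/echo; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

A client that presents a certificate signed by a CA the service does not trust, or one listed on the CA's CRL, fails the security handshake before `Echo` is ever invoked.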