Client Certificate for WCF NetTCP Transport binding

Question

We have selfhosted WCF services running using NetTCP:Transport:WindowsClientCredentialType

        // Set Binding Security.
        netTcpBinding.Security.Mode = SecurityMode.Transport;
        netTcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;

We now need to expose these services to domains outside our own but want to continue selfhosting and not use IIS. Thus I am trying to switch us to a ClientCredentialType of Certificate.

        // Set Binding Security.
        netTcpBinding.Security.Mode = SecurityMode.Transport;
        netTcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;

I have previously setup a development environment (long ago) where we used MakeCert to generate a "dummy" certificate for development purposes with WCF. But we have since purchased a certificate from Verisign. I am a bit fuzzy on what needs to happen now. I can see us using this certificate to validate our Services to the Client, but how do we validate our .NET client with certificate? Do we use the same certificate? Do we have to install this certificate during install of our client? Bit wrapped around the axle here and could use a could explaining if anyone can help out.

Answer 1

No you will not install your certificate with private key on your clients. You mustn't give your private key to anybody - once it is compromised your security has gone! The problem is that client certificate must have a private key as well but that private key must be owned only by that single client. That means another certificate per client.

How is it usually implemented? By local certificate authority issuing certificates to your clients. Your service will trust that authority and so all clients holding certificates issued by your authority. That is the only scenario to get this under control otherwise you need to find another mechanism to authenticate your clients.