I am developing a WCF service and Windows forms client and using message security (authenticate with user name, password, and certificate (public and private key) at server, server public key at client). Verified with temporary certificate using makecert.
Now I need to publish my application in GoDaddy.
Can I use the SSL Certificate from GoDaddy for WCF message security (WS-Security) or do we need to buy a different type of certificate?
It is possible, but it means you would have to have the GoDaddy SSL certificate installed on every client. Normally you would not expect the SSL certificate itself to be installed on a client, instead you would have a certificate from somewhere higher in the certificate issuer chain installed and verify the GoDaddy SSL certificate by chaining.
However, if you are able to distribute the GoDaddy cert (minus the private key, obviously) with your client application then you should be able to do it. Certificates generally have Purpose, which is the intended use of them. I imagine your GoDaddy certificate would have an intended use of SSL only, but I don't think that really matters.
Related
I have an ASP.Net app that requires SSL certification in order to connect to a Dynamics NAV instance via SOAP.
I've created a self signed SSL certificate using the New-SelfSignedCertificateEx.ps1 script. The exact command used was:
New-SelfSignedCertificateEx -Subject "CN=<computerHostname>" -IsCA $true -Exportable -StoreLocation LocalMachine -NotAfter $([datetime]::now.AddYears(5))
Afterwards I copied the certificate to Trusted Root Certificates and added the thumbprint in the NAV instance settings, yet every time I try to connect my app to said NAV instance I receive an error stating:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '<computerHostname>:<NavInstanceSOAPPort>'
A self signed certificate is not a trusted certificate, you need to provide one from a trusted authority
Try Let's Encrypt, ZeroSSL, FreeSSL or any party you like, they will offer you free 90-day certificate good enough for your tests
I want to use same SSL certificate in multiple servers, which type of SSL certificate should I use? Unified SSL certificate? or Wildcard SSL certificate?
Thanks
Any certificate can be installed on multiple servers but your question requires more information on how you want to be advised.
A wildcard SSL certificate will secure any subdomain that the Wildcard character is on. So if you have a certificate for *.domain.com then you can secure
secure.domain.com
bob.domain.com
charlie.domain.com
and the list can go on, however it won't work for sub.secure.domain.com as the wildcard only does the single level.
A unified certificate, depending on the provider would only give you 3 subdomains.
mail, owa and autodiscover.domain.com
Also a standard certificate you can generally add SAN's too which will allow you to add subdomains under extra costs, but if you are only looking to secure 2 subdomains then a certificate with 1 SAN would be cheaper in most cases than a wildcard.
Give us an example of what you are trying to do and people can probably advise you better.
Securing Multiple Servers With One SSL Certificate
To move your certificate between servers you will need to install the certificate on the same web server that you generated the CSR from. You can then export the SSL certificate and its private key to a PKCS#12 file, or if it is an non-Windows based server you will be able to copy the key and certificate files.
Click HERE for more details:
Wildcard SSL Certificates allow you to secure multiple sub domains on the same domain name, thereby saving you time and money, and of course you do not need to manage multiple SSL Certificates on the same server.
I am facing the following issue.
1 - I have deployed WCF service with SSL enabled on remote IIS machine and trying to use it from my web client.The problem is my browser is not allowing this service to be called.Before using my web client i have to hit the service url from my browser directly and then allow the certificate.
2- Got suggestion from somewhere to export the certificate on the machine where WCF is deployed and include that certificate file in Trusted certificates group on my machine.After I did that I got same problem when tried to access web service from web client.So I hit the service url from browser and got the same page which needs me to trust the certificate with a different message that "You attempted to reach 111.121.196.226(ip address of the WCF machine), but instead you actually reached a server identifying itself as "WMSvc-domain" where "WMSvc-domain" is the value of "Issued To" field in the certificate.
I hope I have made myself clear.Waiting for suggestions.Thank you.
WMSvc-machinename is the IIS Windows Management Service which runs by default on 8172/tcp and is used for remotely managing iis. When installed the default is to create a self-signed certificate. That wouldn't trusted. It could be replaced with a "proper" CA signed cert through the Management Service icon in IIS Manager.
I am trying to use SSL and certificates with a web service (IIS 7, Windows 2008, .NET framework 3.5 SP1). I followed the basic instructions (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/) and was able to get the site running soon. However, I can only connect to it from a client if the client has the web server's certificate in its Trusted Root Certification Authorities/Certificates store. If I don't add the certificate on the client site, I get the error "Could not establish trust relationship for the SSL/TLS secure channel with authority" on trying to connect to the service from client.
That's the correct behavior if you're just using self-signed test certificates. In a public/production environment, your server's certificate would be issued by a common CA like GoDaddy or VeriSign, which you have to pay to obtain.
Most (client) machines already have a large list of updated CA in their trusted root such as GoDaddy, and so a server certificate signed by them for your site will validate as a valid certificate on most* machines (without you needing to provide your cert as a trusted root).
*Most, meaning that there are browsers & operating systems which may be missing (or need updates) on common certificate authorities in their trusted root store.
Where did you get this certificate? If it's not a child of one of the certificates in the root authority already I sure hope you didn't pay money for it. If you're generating them yourself this isn't surprising because nobody trusts your CA server.
I have some dedicated servers running ASP.NET applications over internet. All servers are fully trusted (all belongs to the same company) and need to communicate to each other in a secure way. They are not part of a domain or work group and should not be.
Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).
I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from internet can call a WCF service on a server. New server would be added in the future.
I read about WCF but now I'm confused, is it good idea to use self-signed SSL certificates or not (non self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use...
I need some hints to start (please provide a link to a sample.
I would use a certificate-based authentication where both client and server are authenticated.
To make things more secure, do not use self sign certificates.
If your company already have a certificate server: issue certificates to each of your server and specify as an authentication configuration that both client and services need to present a certificate issued by your certificate server.
WCF security is a big topic, but there are some other non-WCF specific ways you can secure the service:
Use IP SEC to secure the communication channel
Use IP whitelists to grant / deny access to the port that the WCF endpoints operate on
Use a VPN Solution (particularly convenient if your company already has a site to site VPN)