I have followed some tutorials on setting up a WCF web service with security mode “TransportWithMessageCredential” and message clientCredentialType “Certificate”. I didn’t really have any problem setting it up, but something none of the tutorials really explain is how this actually works? How does the server know that the client is actually the correct client? What if somebody gets access to the certificate, can he use the certificate to access the server with some malicious client application?
Share
A certificate with a private key is a form of credentials. It needs to be kept secure in the same way that a username and password needs to be kept secure. If it is obtained by someone that it isn’t intended for then it is compromised and should be revoked and a new certificate issued. Windows (and other platforms) provide secure storage for certificates so they can be kept relatively safely on clients. Still though, the server cannot be sure that the client is the intended one if the certificate is not kept secure.
And often, on Windows, certificates are kept in the user store, which means that any application running under that security principle can access and use the certificate. This means that unless your application runs under its own security principle (say its a Windows service with a specific identity) then it is not possible for the server to identify the client application. Any application that the user runs can access the certificate and use it to authenticate with your service.