Authenticating the peer by using an X509 certificate

When an X509 certificate is used to authenticate the peer, one sometimes decides to trust any peer whose certificate satisfies the trusted chain. Sometimes, however, it is necessary to trust one specific certificate explicitly.

 

For example, imagine a client that should authenticate some service with an X509 certificate. In the first case (trusted chain), the client configuration would look as shown:

<behaviors>
  <endpointBehaviors>
    <behavior name="ClientCertificateBehavior">
      <clientCredentials>
        <clientCertificate findValue="www.testclient.eu"
                           storeLocation="CurrentUser" storeName="My"
                           x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <authentication
              trustedStoreLocation="CurrentUser"
              certificateValidationMode="PeerTrust"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

 

The node clientCertificate explicitly defines the certificate to be used by the client. This means the service will use this certificate to authenticate the client.

In this example (remember, case 1) the node serviceCertificate is more interesting. This node says: "authenticate the service by any X509 certificate which is trusted in the Trusted People store of the CurrentUser location". More about the possible values of the validation mode can be found in the documentation of certificateValidationMode.

The value of trustedStoreLocation is used when a service certificate is negotiated to the client. Validation is performed against the Trusted People store in the specified store location. The default is CurrentUser.

In the second case, one does not want to authenticate the service by any trusted certificate. Instead it is required to authenticate it by one specific certificate.

The following behavior shows how to do that. In this example the node defaultCertificate defines the specific certificate.

 

<behaviors>
  <endpointBehaviors>
    <behavior name="ClientCertificateBehavior">
      <clientCredentials>
        <clientCertificate findValue="www.testclient.eu"
                           storeLocation="CurrentUser" storeName="My"
                           x509FindType="FindBySubjectName" />
        <serviceCertificate>
          <authentication
              trustedStoreLocation="CurrentUser"
              certificateValidationMode="PeerTrust"/>
          <defaultCertificate
              findValue="www.testsvc.eu"
              storeLocation="CurrentUser"
              storeName="My"
              x509FindType="FindBySubjectName" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
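The same two client behaviors can also be set up in code instead of in app.config. The following C# is an added example and not code from the original post; it mirrors case 1 (PeerTrust against the Trusted People store) and case 2 (PeerTrust plus a named default service certificate) using the standard ClientCredentials API, and adds a check a practitioner usually wants before the first call: PeerTrust only succeeds if the service certificate itself is present in the Trusted People store of the configured location. The service contract ITestService, the endpoint address and the WSHttpBinding are assumptions, since the post shows only the behavior section.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical service contract; the original post does not show one.
[ServiceContract]
public interface ITestService
{
    [OperationContract]
    string Ping(string message);
}

public static class ClientCertificateSetup
{
    // Case 1: present the client certificate and accept any service certificate
    // that is present in CurrentUser\TrustedPeople (certificateValidationMode="PeerTrust").
    public static void ConfigurePeerTrust(ClientCredentials credentials)
    {
        credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "www.testclient.eu");

        credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        credentials.ServiceCertificate.Authentication.TrustedStoreLocation =
            StoreLocation.CurrentUser;
    }

    // Case 2: additionally name the specific service certificate
    // (the defaultCertificate node of the second configuration).
    public static void ConfigureSpecificServiceCertificate(ClientCredentials credentials)
    {
        ConfigurePeerTrust(credentials);
        credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectName, "www.testsvc.eu");
    }

    // PeerTrust validates the service certificate against the Trusted People store,
    // not against a CA chain, so the certificate must have been placed there.
    public static bool IsInTrustedPeopleStore(string subjectName, StoreLocation location)
    {
        var store = new X509Store(StoreName.TrustedPeople, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: we only ask whether the certificate is present;
            // WCF performs the actual validation when the channel is opened.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            return matches.Count > 0;
        }
        finally
        {
            store.Close();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Binding and address are assumptions: message security with certificate credentials.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var endpoint = new EndpointAddress("http://www.testsvc.eu/TestService"); // hypothetical

        var factory = new ChannelFactory<ITestService>(binding, endpoint);
        ClientCertificateSetup.ConfigureSpecificServiceCertificate(factory.Credentials);

        if (!ClientCertificateSetup.IsInTrustedPeopleStore("www.testsvc.eu", StoreLocation.CurrentUser))
        {
            Console.WriteLine("www.testsvc.eu is not in CurrentUser\\TrustedPeople; PeerTrust validation will fail.");
        }

        ITestService client = factory.CreateChannel();
        Console.WriteLine(client.Ping("hello"));
        ((IClientChannel)client).Close();
        factory.Close();
    }
}
```

The store check is deliberately separate from the WCF configuration: a missing Trusted People entry surfaces as a SecurityNegotiationException only when the channel opens, so checking the store first gives a much clearer diagnostic than the exception text.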

Posted Oct 01 2006, 09:47 AM by Damir Dobric

Comments

Thiarley Fontenele wrote re: Authenticating of the peer by using of X509 certificate
on 01-31-2008 22:14

Hi,

If I authenticate the user using PeerTrust, how can I get his certificate inside the Operation Contract?

Thanks!

developers.de is a .Net Community Blog powered by daenet GmbH.