Click here to Skip to main content
15,884,425 members
Search within:


Wcf message level security with IIS self-signed certificate
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
IIS
WCF
certificate
Dears,
I have a WCF service hosted on IIS, and I created a self-signed certificate on IIS.
What to do next to secure the service using Message Level security and that IIS certificate?

And how should I configure the client that will consume that secured service? (knowing that the client is on another machine and not on the same server as the service)

I read many articles on the internet, but they either use Trasport Level security, or create self-signed certificate using makecert command outside IIS.
Also, almost all examples implement both the service and its consuming client on the same machine, so I got confused about certificate creation and referencing it in configuration files.

Any help is appreciated. Thanks

What I have tried:

I used this article to create the certificate on IIS and to configure the service (in web.config), but I couldn't implement the client as they did, because they are working on the same machine i guess.

message security in wcf | security certificate[^]
Posted
Add a Solution
Comments
F-ES Sitecore 18-Sep-19 6:02am    
Is this just for internal testing? Self-signed certs are really only for local testing, you can't use them properly, you need to get an actual signed cert that can be verified by the client.
nina4ever 18-Sep-19 6:24am    
The service will only be called by a web page that we created. That web page is accessible from the internet by users, but the service is on an internal server and will not be publicly accessed. So self-signed certificate is sufficient in our case as I read in many articles.
F-ES Sitecore 18-Sep-19 6:28am    
If the web page is hosted by you internally and calls the service also hosted by you internally then you don't really need https at all. If any of this is going over the internet then a self-signed cert is never good enough.

Self-signed certs are only placeholders for when you want to test a service using https without needing a proper cert, nothing else.
nina4ever 18-Sep-19 7:01am    
Yes the web page and the service are communicating internally. But the web page itself is exposed to the internet. My boss requested that we encrypt communication between the service and the page, and I have no experience in security issues to discuss possible threats. What do you think i should do?
F-ES Sitecore 18-Sep-19 7:26am    
You have two connections here...the client to the web page and the web page to the service. https is mainly needed for communications over public networks like the internet. So the connection between the web page and the client should be https. If the connection between the webpage and the service doesn't go over the internet then it doesn't really need https as you can assume your internal communications are safe from snoopers.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
WCF Settings in IIS having certificate
Need WCF Transport level and message level security saple code
How to apply the security without certificate in wcf 4.0
WCF: Message Level Encryption over Https?
WCF Security Error: The client certificate is not provided.
Difference between Message and Transport level security in WCF
WCF certificate authentication
Why does my self-signed certificate uninstall when I reboot
Message signing in wcf using x509 certificate
WCF Message Based Security

Advertise
Privacy
Cookies
Terms of Use
Last Updated 18 Sep 2019
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web04 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900