
My condition:

  1. A WCF service which is self-hosted and is on a Win8 machine.
  2. The client is a WPF program on another machine.
  3. Then I followed the article on CodeProject about how to set an X509 certificate for WCF.

Problem Description:

  1. Communication between the client and the service was OK when they were on the same machine.
  2. When I put the client on another machine, an exception occurs that says "The caller is not authenticated by the service".

I believe the cause of the exception above may be related to the X509 certificate.

When I put Client.exe on another computer, I just generate a new certificate for the client; is that right?

I want to know if the X509 client certificate should be exported from the service machine, which generated both the client and server certificates, and then be imported onto the other client machine, or whether I should just use makecert.exe to generate another certificate for the other client machine.

In short, can the certificate be generated by any machine, or only by the machine that generated the service certificate?

gnat
asked Jul 26, 2014 at 2:04

1 Answer

Public key infrastructure always involves a key PAIR (public and private). When you are authorizing to a WCF service with an x509 certificate you must have the private key and the service you are calling must have the public key (which is inside the x509 certificate). It must be the same pair because only your private key's public key knows how to verify the private key's signature. The two are mathematically connected.

You can export the certificate from the certificate store and then import it on the other server (using mmc with the certificate snap-in). It is also important that you transfer the certificate by secure means AND/OR verify that the hash of the certificate is correct before installing. If the wrong certificate was installed then someone else could access your service with THEIR private key.

answered Jul 26, 2014 at 4:15
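
The hash check described in the answer above, as an added PowerShell example that is not part of the original answer. The function name `Import-VerifiedCertificate`, its parameters, and the default `TrustedPeople` store are assumptions for illustration; use the store your service's certificate validation mode actually reads.

```powershell
# Added example: verify an exported certificate's hash before trusting it.
function Import-VerifiedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $CerPath,      # exported .cer file
        [Parameter(Mandatory = $true)] [string] $ExpectedHash, # obtained over a separate channel
        [string] $Store = 'Cert:\LocalMachine\TrustedPeople'   # assumption, adjust as needed
    )

    # Keep hex digits only: removes spaces, colons and the invisible U+200E
    # that the certificate dialog can prepend when a thumbprint is copied.
    $expected = ($ExpectedHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $path = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # The receiving side needs the public certificate only; the private key
    # stays on the machine that authenticates with it.
    if ($cert.HasPrivateKey) {
        throw "File contains a private key; export the certificate without it."
    }

    # SHA-256 over the DER encoding, for senders who publish that instead of SHA-1.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $sha256Hex = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    } finally {
        $sha256.Dispose()
    }

    switch ($expected.Length) {
        40 { $actual = $cert.Thumbprint }   # SHA-1 thumbprint as shown by Windows
        64 { $actual = $sha256Hex }
        default { throw "Expected hash must be 40 (SHA-1) or 64 (SHA-256) hex digits." }
    }

    if ($actual -ne $expected) {
        throw "Hash mismatch for '$($cert.Subject)': got $actual. Certificate NOT imported."
    }

    # Only reached when the hash matches the value received out of band.
    Import-Certificate -FilePath $path -CertStoreLocation $Store
}

# Placeholder values, replace with your own:
# Import-VerifiedCertificate -CerPath .\client.cer -ExpectedHash '<thumbprint read out by the sender>'
```

Run it from an elevated prompt when the target is a `LocalMachine` store.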