Reputation: 87
I have recently set up a WCF service against an STS using WIF, and I am trying to understand the certificates needed and what they affect. I have a certificate against IIS allowing HTTPS communication, but in the STS configuration there is a reference to two more certificates, e.g.
<appSettings>
  <add key="SigningCertificateName" value="CN=STSTestCert"/>
  <add key="EncryptingCertificateName" value="CN=DefaultApplicationCertificate"/>
</appSettings>
In the MSDN documentation (http://msdn.microsoft.com/en-us/library/ee748498.aspx) it states:
The STS uses a default certificate to sign the tokens it issues. This cert is named “STSTestCert” and it is added to your certificate store automatically for use by the STS. The certificate file is present in the STS project. The password for the file is “STSTest”. This should not be used in a production exercise. You can replace the default certificate with any other certificate
My question is what are the Signing Certificate and Encrypting Certificate used for and what would be suitable certificates for a public facing service? Do I need 3 different ones?
Upvotes: 2
Views: 875
Reputation: 46753
The claims that WIF is built around are delivered via tokens.
Each token is signed to prove that it came from the expected STS.
AFAIK, there is no way to remove the signed component of a token (which makes sense as otherwise any third party could generate them and "pretend" that they came from the STS).
These tokens can also be encrypted. If you were running across https, the whole message would be encrypted with the IIS certificate and the token would itself be encrypted again with the WIF encrypting certificate. The token encryption is optional. When you use FedUtil, one of the questions is "Do you want token encryption?". If you say "No", it is not encrypted. If you say "Yes", it is encrypted and you are then asked for the certificate.
If you wanted, you could use the same certificate for both token encryption and signing. From a security perspective, it makes sense to use two.
So the "most secure" solution would use three certificates.
You get the certificates in the normal manner from a trusted issuer.
Upvotes: 3
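As an added example that is not part of the question or answer above, here is the relying-party side of a WIF configuration for a WCF service, showing where each certificate fits: the STS signing certificate is trusted by thumbprint in issuerNameRegistry (only its public key is needed on the service), the encrypting certificate is the service's own key pair referenced in serviceCertificate (the STS encrypts tokens to its public key; the service needs the private key to decrypt them), and the IIS HTTPS certificate is configured in IIS, not in WIF. The service name, audience URI, STS address and thumbprint are placeholders.

```xml
<microsoft.identityModel>
  <!-- Placeholder service name; use the WCF service type name. -->
  <service name="Example.ClaimsAwareService">
    <!-- Placeholder audience: the token's AppliesTo must match or it is rejected. -->
    <audienceUris>
      <add value="https://rp.example.com/ClaimsAwareService.svc" />
    </audienceUris>
    <!-- Signing certificate: trust the STS by its public certificate thumbprint.
         Only the public key lives here; the STS keeps the private key.
         Placeholder thumbprint and issuer name. -->
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="REPLACE_WITH_STS_SIGNING_CERT_THUMBPRINT"
             name="https://sts.example.com/" />
      </trustedIssuers>
    </issuerNameRegistry>
    <!-- Encrypting certificate: the relying party's own key pair, looked up in the
         machine store. Its private key must be readable by the app pool identity. -->
    <serviceCertificate>
      <certificateReference x509FindType="FindBySubjectDistinguishedName"
                            findValue="CN=DefaultApplicationCertificate"
                            storeLocation="LocalMachine"
                            storeName="My" />
    </serviceCertificate>
    <!-- For a public-facing service, require a chain to a trusted CA and check revocation
         instead of relying on the self-signed test certificates. -->
    <certificateValidation certificateValidationMode="ChainTrust"
                           revocationMode="Online" />
  </service>
</microsoft.identityModel>
```

The HTTPS certificate bound in IIS protects the transport; the two certificates above protect the token itself, which is why a production deployment ends up with three distinct certificates, each issued by a trusted CA.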