niao

Reputation: 5070

Https for transport in WCF

What is the best way to implement HTTPS security for transport without a certificate? Should I just, for instance, use basicHttpBinding with SecurityMode set to Transport and ClientCredentialType set to HttpClientCredentialType? I did it in the way described, but then when accessing the WSDL I have a certificate warning.

Upvotes: 0

Views: 93

Answers (3)

user121356

You cannot. HTTPS is just HTTP tunneled inside of SSL/TLS and SSL/TLS requires the use of a certificate on the server side. If this is for testing, or only use by clients that you control, you can choose to do one of these options in place of paying for a CA-issued certificate.

  • Use a self-signed certificate. In order for this to work without your client getting a warning, you would need to import the certificate into the clients' trust store (usually part of the browser).

  • Use a certificate issued by a Certificate Authority (CA) that you control and have that CA's issuing certificate (or root) imported/trusted by all of your clients. This is most useful if you have multiple servers in your environment and you need all of the clients in your environment to trust them.

If you need external clients to connect to your servers without doing any import/trust on the clients, you will need to procure a certificate from a globally-recognized CA like Verisign.

Upvotes: 0
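
The self-signed option from the answer above, shown as an added example that is not part of the original answers. The host name, file path, port and application GUID are assumptions chosen for illustration, and the expected thumbprint is a placeholder to fill in from the server's output.

```powershell
# Added example: names, paths, port and GUID below are assumptions, not from the thread.
$dnsName = 'wcf-test.example.local'   # hypothetical host name clients use in the service URL
$cerPath = 'C:\Temp\wcf-test.cer'     # hypothetical path for the exported public certificate

# --- On the server (elevated prompt) ---
# Create a self-signed server certificate with its private key in the machine store.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'

# Export only the public certificate; the private key stays on the server.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
"Server thumbprint: $($cert.Thumbprint)"

# Self-hosted WCF service: bind the certificate to the HTTPS port through HTTP.SYS.
# (An IIS-hosted service gets the certificate from the site's HTTPS binding instead.)
$appId = '00000000-0000-0000-0000-000000000001'   # constructed placeholder GUID
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid={$appId}"

# --- On each client you control (elevated prompt), after copying the .cer file ---
# Compare the thumbprint with the value read from the server over a separate channel
# before trusting the file, so a swapped certificate is not imported by mistake.
$expected = '<thumbprint printed on the server>'   # placeholder, fill in by hand
$received = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
if ($received.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: refusing to trust $cerPath"
}

# Trusting a self-signed certificate means placing it in the Trusted Root store.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
```

The name passed to `-DnsName` has to match the host name in the endpoint address the client uses; otherwise the client still gets a name-mismatch warning even though the certificate is trusted.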

Kris C

Reputation: 2848

If you want to encrypt the contents of the messages, as well as HTTPS transport security, a further option you can consider is to use message security. This encrypts just the content of the message and not the transport channel. A potential benefit of this is that the message can be secured passing through intermediate systems, whereas HTTPS is point to point.

This will require an X509 certificate on the server, which, as with HTTPS certificates, you can either self-sign or get from a CA like Verisign.

Upvotes: 0

I don't think you can have https without a certificate. It can be a self-created one, but then the client needs to explicitly install it in its trusted store.

Upvotes: 3
