How to create our own certificates (root, IIS, client) and set up the appropriate architecture

We developed a system with WCF services as backend and WPF clients as frontend. There is one IIS server with WCF services on Windows Server 2012 and multiple WPF clients on Windows 10. Everything is inside a VPN network and the server is accessible through an IP address.

We would like to set up our security so that:

  • the IIS server would use our own certificate for the TLS connection,
  • every client would have to authenticate itself with a client certificate and username/password.

This was our plan:

  • create a root certificate for this project,
  • use the root certificate to generate a certificate for the IIS server,
  • use the root certificate to generate client certificates,
  • deploy the root certificate to every client, and one client certificate to every client,
  • set up WCF security to:
    • use the TLS protocol only (I guess <security mode="TransportWithMessageCredential">),
    • make clients authenticate with username and password; for this we use <message clientCredentialType="UserName" establishSecurityContext="false" /> and a custom UserNamePasswordValidator class,
    • make clients also authenticate with a client certificate (I guess <transport clientCredentialType="Certificate" />)?

I'm wondering if there is something we've forgotten. Should the server also check the serial numbers of the client certificates? Does anyone have some useful links (how to create certificates for this scenario, how to set up IIS…)?

submitted by /u/user0872832891
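The first three steps of the plan above (project root, server certificate, one client certificate per workstation) as an added example in C#; this is not code from the post or from the poster's project. It uses the .NET CertificateRequest API (.NET Framework 4.7.2 or newer, or .NET Core 2.0 or newer), so it can be run on any of the Windows 10 clients. The CA name, the server IP address, the workstation names, the file names and the PFX password are assumed values.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the post): the three-level PKI from the plan built with the .NET
// CertificateRequest API. Names, the server IP address, file names and the PFX password are assumed.
static class ProjectPki
{
    const string ServerIp = "10.0.0.5";      // assumed: the VPN address the clients connect to
    const string PfxPassword = "change-me";  // assumed: protects the private keys inside the PFX files
    static readonly DateTimeOffset Now = DateTimeOffset.UtcNow;

    static void Main()
    {
        // 1. Project root CA: self-signed, CA=true, key usage limited to signing certificates and CRLs.
        using (var rootKey = RSA.Create(4096))
        {
            var rootReq = new CertificateRequest("CN=Project Root CA", rootKey,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
            rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
            rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
            using (X509Certificate2 root = rootReq.CreateSelfSigned(Now.AddMinutes(-5), Now.AddYears(10)))
            {
                // Only the public part (.cer) goes to the server and to every client's trusted-root store;
                // the PFX holding the CA private key stays offline.
                File.WriteAllBytes("project-root.cer", root.Export(X509ContentType.Cert));
                File.WriteAllBytes("project-root.pfx", root.Export(X509ContentType.Pfx, PfxPassword));

                // 2. IIS server certificate: serverAuth EKU, and the IP address as a SAN, because the
                //    clients address the server by IP and that is what TLS name checking compares against.
                IssueLeaf(root, "CN=wcf-backend", "1.3.6.1.5.5.7.3.1", "server.pfx",
                    san => san.AddIpAddress(IPAddress.Parse(ServerIp)));

                // 3. One client certificate per workstation: clientAuth EKU, a distinct subject each.
                foreach (string client in new[] { "ws-01", "ws-02" })
                    IssueLeaf(root, "CN=" + client, "1.3.6.1.5.5.7.3.2", client + ".pfx",
                        san => san.AddDnsName(client));
            }
        }
    }

    // Issues one leaf certificate signed by the root, attaches its fresh private key and writes a PFX.
    static void IssueLeaf(X509Certificate2 issuer, string subject, string ekuOid, string pfxPath,
        Action<SubjectAlternativeNameBuilder> addSan)
    {
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true)); // not a CA
            req.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid(ekuOid) }, true));
            var san = new SubjectAlternativeNameBuilder();
            addSan(san);
            req.CertificateExtensions.Add(san.Build());

            // Random positive serial number: unique per issuer, and the value a CRL or a server-side
            // allow-list refers to later.
            byte[] serial = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(serial);
            serial[0] &= 0x7F;

            using (X509Certificate2 issued = req.Create(issuer, Now.AddMinutes(-5), Now.AddYears(2), serial))
            using (X509Certificate2 withKey = issued.CopyWithPrivateKey(key))
            {
                File.WriteAllBytes(pfxPath, withKey.Export(X509ContentType.Pfx, PfxPassword));
                Console.WriteLine("{0}: thumbprint {1}, serial {2}", subject, withKey.Thumbprint, withKey.SerialNumber);
            }
        }
    }
}
```

Deployment follows the plan in the post: server.pfx is imported into LocalMachine\My on the IIS server and bound to the HTTPS site; project-root.cer goes into LocalMachine\Root on the server (IIS only accepts client certificates that chain to a root the machine trusts) and on every client; each workstation gets only its own PFX. Because this CA publishes no CRL, the only way to revoke a client certificate is to stop accepting it on the server side, so record the thumbprint and serial the program prints for each certificate issued.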

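The WCF side of the plan (TransportWithMessageCredential, transport client certificate, message UserName, no security context), as an added C# example that is not code from the post or from the poster's project. Beyond the configuration itself it shows two things a practitioner would want here: a custom X509CertificateValidator that pins the chain to the project root and checks the presented certificate against an allow-list (the same ClientCertificate.Authentication settings cover the transport-level certificate), and a check that ties the certificate to the user name, since WCF validates the two credentials independently and would otherwise accept any issued certificate together with any valid password. The allow-list is keyed on thumbprint; this is equivalent to checking issuer plus serial number, since serial numbers are only unique per issuer. The root-certificate file name, thumbprints, user names and the password store are assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the post: the planned WCF settings in code plus the validators that make
// the client certificate and the username/password both count. Root file, thumbprints, users: assumed.
static class ProjectWcfSecurity
{
    const int Iterations = 100000;
    // Assumed: public part of the project root CA that every client certificate must chain to.
    static readonly X509Certificate2 ProjectRoot = new X509Certificate2("project-root.cer");
    // Assumed allow-list: thumbprint of each issued client certificate -> the one user it belongs to
    // (equivalent to issuer + serial number, since serials are only unique per issuer).
    static readonly Dictionary<string, string> ClientCertToUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "89ABCDEF0123456789ABCDEF0123456789ABCDEF", "alice" } };
    // Assumed password store: user -> (salt, PBKDF2 hash); never the password itself.
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Passwords =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);

    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate; // mutual TLS
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;          // inside the TLS channel
        binding.Security.Message.EstablishSecurityContext = false;                               // re-validated on every call
        return binding;
    }

    public static void ConfigureHost(ServiceHost host)
    {
        var creds = host.Credentials;
        creds.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        creds.UserNameAuthentication.CustomUserNamePasswordValidator = new PasswordValidator();
        creds.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
        creds.ClientCertificate.Authentication.CustomCertificateValidator = new ProjectCertValidator();
    }

    // Provisioning: random salt plus PBKDF2 hash of the password.
    public static void AddUser(string userName, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            Passwords[userName] = Tuple.Create(salt, kdf.GetBytes(32));
    }

    // Call first in every operation. WCF validates the certificate and the user name independently,
    // so this is the only place that ties "certificate of ws-01" to "user alice".
    public static void RequireCertificateMatchesUser()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous) throw new SecurityAccessDeniedException("No caller identity.");
        string user = null, thumbprint = null, expected;
        foreach (ClaimSet set in ctx.AuthorizationContext.ClaimSets)
        {
            var x509 = set as X509CertificateClaimSet;
            if (x509 != null) { thumbprint = x509.X509Certificate.Thumbprint; continue; }
            foreach (Claim c in set.FindClaims(ClaimTypes.Name, Rights.Identity)) user = c.Resource as string;
        }
        if (thumbprint == null || user == null || !ClientCertToUser.TryGetValue(thumbprint, out expected)
            || !string.Equals(expected, user, StringComparison.OrdinalIgnoreCase))
            throw new SecurityAccessDeniedException("Client certificate and user name do not belong together.");
    }

    sealed class ProjectCertValidator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null) throw new ArgumentNullException("certificate");
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.ExtraStore.Add(ProjectRoot);
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumed: the project CA publishes no CRL
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // clientAuth EKU required
                if (!chain.Build(certificate))
                    throw new SecurityTokenValidationException("Client certificate chain is invalid or expired.");
                // AllowUnknownCertificateAuthority accepts any self-signed top, so pin the top of the chain.
                X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                if (!string.Equals(top.Thumbprint, ProjectRoot.Thumbprint, StringComparison.OrdinalIgnoreCase))
                    throw new SecurityTokenValidationException("Not issued by the project root CA.");
            }
            if (!ClientCertToUser.ContainsKey(certificate.Thumbprint))
                throw new SecurityTokenValidationException("Client certificate is not on the allow-list.");
        }
    }

    sealed class PasswordValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            Tuple<byte[], byte[]> record;
            if (userName == null || password == null || !Passwords.TryGetValue(userName, out record))
                throw new SecurityTokenException("Unknown user name or incorrect password.");
            byte[] candidate;
            using (var kdf = new Rfc2898DeriveBytes(password, record.Item1, Iterations)) candidate = kdf.GetBytes(32);
            int diff = 0; // constant-time comparison
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ record.Item2[i];
            if (diff != 0) throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }
}
```

When the service is hosted in IIS, the same settings go into web.config (the binding under system.serviceModel/bindings, the validators under serviceCredentials), and the site itself must have "Require SSL" with client certificates set to Require, otherwise WCF refuses to start a transport-certificate endpoint. IIS checks the chain before WCF sees the request, so the project root must be in the server's trusted-root store; the validator above is still the place that rejects certificates from some other trusted CA and certificates that were issued but later withdrawn from the allow-list.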