Good day!

I will try to briefly describe the essence of the issue. There are three customer servers, and for each of them there is a service written in C# using WCF (although I don't think this is very important). The customer must prepare SSL certificates and install them on the server. The service works successfully with a self-signed certificate.

A letter came from the customer with the following question: "What parameters should the certificate have, and what container should it be placed in? Can it be one certificate with several SNIs?"

  1. In general, as far as I understand, they only have to give us the host name and the port to configure the service, and how they install the certificates should worry us little?
  2. As for SNI, I think it is possible in principle to have one certificate with three SNIs, but it would be safer to have three separate certificates. Is this true?
  3. Do the certificate parameters matter to me?
  4. About the container: maybe I misunderstand, but are these the file types the certificate should be in? In theory, it is not important to me, because I do not work with the files themselves.

I am not a security specialist, and I am afraid it will not be possible to quickly prepare an answer to the customer's question; under the contract they must prepare everything themselves, without our participation. But at the same time, I don't want the service we prepared to fail to start because of the certificates.

    1 answer

    It is clear that the specialists on both sides (both you and the customer) have a weak understanding of SSL certificates; the question is really about them and has little to do with WCF.

    Briefly:

    Containers. There are three types of containers:

    certificate stores

    If the service is a Windows service, i.e. a service running in server mode without any user interface under the Network Service account, use the Local Computer store.

    Next. It is extremely difficult to mess something up with the certificate parameters. There are two options: either buy certificates for each host from a commercial vendor such as Thawte (for the sites subdomain1.mycompany.ru, subdomain2.mycompany.ru and subdomain3.mycompany.ru), or use their own CA (Active Directory; server1.mydomain, server2.mydomain and server3.mydomain).

    In both cases it is very difficult to pick certificate parameters such that WCF "does not fly". Ask for "a pack of ordinary powder", i.e. a regular certificate (for official correspondence between organizations: "no special requirements are imposed on the certificate parameters"). The main thing is that they check the entire chain of trust up to the root certificates.

    About SNI. Here someone poorly understands the technology; Google it and get enlightened. SNI is needed when you need to host three different sites on the same IP. You said "three servers" (read: "three different IP addresses"), so SNI plays no role. Therefore you can answer "no difference" or "yes, possible, but completely optional as long as you do not host all N instances on the same machine". And even in the case of a single server, you can use either N certificates or one with multiple SNIs.

    And the last thing. Do you really care what the service URLs will be? Move the endpoint settings into app.config and let them configure each instance as they like. They will write <endpoint address="https://msk-srv-01.mycompany.tld:8084/url and prepare a certificate for that address (the certificate parameters are not specified in the configs).
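Added example, not code from the question or the answer: a small C# check the customer (or you) can run on the server before starting the WCF service, verifying the two things the answer cares about, that the chain of trust builds up to a trusted root in the Local Computer store, and that the host name from the endpoint address appears in the certificate. The thumbprint and host are assumed command-line arguments; parsing the SubjectAltName text as "DNS Name=host1, DNS Name=host2" assumes the Windows formatting.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CertificateCheck
{
    // Builds the chain the way the HTTPS transport will: online revocation check,
    // no relaxed flags. Any chain status entries are returned as readable problems.
    public static bool ChainIsTrusted(X509Certificate2 cert, out string[] problems)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            bool ok = chain.Build(cert);
            problems = chain.ChainStatus
                .Select(s => s.Status + ": " + s.StatusInformation.Trim())
                .ToArray();
            return ok;
        }
    }

    // True when the endpoint host is one of the certificate's DNS names
    // (SubjectAltName, OID 2.5.29.17; falls back to the subject CN if absent).
    public static bool HostNameMatches(X509Certificate2 cert, string host)
    {
        var san = cert.Extensions["2.5.29.17"];
        var names = san == null
            ? new[] { cert.GetNameInfo(X509NameType.DnsName, false) }
            : san.Format(false).Split(',').Select(p => p.Split('=').Last().Trim());
        return names.Any(n => string.Equals(n, host, StringComparison.OrdinalIgnoreCase));
    }

    // Usage (assumed): CertificateCheck.exe <thumbprint> <host-from-endpoint-address>
    static void Main(string[] args)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var cert = store.Certificates.Find(X509FindType.FindByThumbprint, args[0], false)
                            .OfType<X509Certificate2>().FirstOrDefault();
            if (cert == null) { Console.WriteLine("not found in LocalMachine\\My"); return; }
            string[] problems;
            Console.WriteLine("chain trusted: " + ChainIsTrusted(cert, out problems));
            foreach (var p in problems) Console.WriteLine("  " + p);
            Console.WriteLine("host '" + args[1] + "' matches: " + HostNameMatches(cert, args[1]));
        }
    }
}
```

A self-signed certificate will report UntrustedRoot here unless it was also imported into Trusted Root Certification Authorities, which is exactly the case where the service works in testing and then refuses to start at the customer.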