In general: (warning... it has been years since I have done this... I may be
fuzzy).
You will need to install certificate services on your server. Then, you
will need to make sure that your client trusts the certificates issued by
your server's certificate authority. Then, you will need to set up your web
service to require client certificates. Your client will have to generate a
public key and send it to the server. The server will embed it in a
certificate, sign it, and return it to the client to become your client
cert. Your app will have to make sure to select the correct client cert
when calling the web service (there could very well be more than one client
cert on the client machine).
In specifics: I haven't tried this. I couldn't tell you the calls needed to
make it work.
This is a bit complicated. It also doesn't appear to buy you much. If you
are trying to make sure that the client has a license to use your service
before calling the service, this could potentially work. It is unclear if
this is what you are trying to do and if it is, why you would need to
automate it. Certificates are rarely if ever issued to machines. They are
issued to people. Your app concept appears to issue the cert to a machine.
What is your intent in this interaction? What specific threat scenario are
you trying to mitigate?
--
--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik
Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
