WCF - Service Certificate with User Name Validation

Question

Can any one explain me, what exactly the role of Service Certificate and what exactly it does in this Combination (Message Security - Client: UserName Validator, Server: Ser

Answer 1

Service certificate is used as key artifact to establish secure channel between client and server.

• When client starts communication with server it first validates that certificate is trusted (it must be either installed in clients certification store or it must be issued by the authority the client trusts to). This validation should ensure that client communicates with the right server it trust to.

My understanding of using service certificate for securing messages is:

• The client creates derived key used to encrypt and sign the request message with symmetric security. Service will need the same key to decrypt the message and validate the signature so the client must pass the key within the message. The key is encrypted with service's public key passed in the certificate because only holder of the private key (the server) can decrypt this derived key and then decrypt the request message itself.
• The service uses decrypted derived key to encrypt and sign the response message and pass it back to the client. The client remembers its derived key used to send the request so he can also decrypt the response.
• The same process is used for the next exchange but client creates a new derived key for each request.

User name and password are only data passed in the message used on the server to validate that user can use the service.