

Configuring WSDAPI Applications to Use a Secure Channel

Windows Mobile: Not Supported. Windows Embedded CE: Supported.

8/28/2008

Applies to Windows Embedded CE 6.0 R2

A WSDAPI client application or device host relies on other components of the network protocol stack to provide a secure channel, typically by using public key certificates. WSDAPI does not manage certificates, bind certificates to a port, or validate certificates. You must manage those certificates, and in general you manage them the same way you would manage them on a Web client or Web server.

Certificates for Client Applications

To create a secure channel, the client computer that hosts the WSDAPI client application must trust the certificate installed on the DPWS-compliant device.

In order for a client to authenticate to a device host, the following statements must be true:

  • An appropriate and valid X.509 certificate must be installed in the local machine store on the client computer. This certificate is used for authentication.
  • The client application must be granted access to the private key of the certificate.

Certificates are also required for eventing using a secure channel. The client computer must have a server certificate installed. The server certificate is used by the event sink. The event source on the device host must trust the server certificate used by the event sink. By default, the event sink on the client computer receives event notifications on port 5358. The HTTP Server API must be used to configure port 5358 with the server certificate for the event sink.

It is possible to specify a port other than 5358 for secure communications. You can specify this port when calling WSDCreateDeviceProxy or WSDCreateDeviceProxyAdvanced.

Authentication of the device sending the event is done after the secure channel is established. Therefore, it is not necessary to request a client certificate for accepting events or for the certificate to be trusted.
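
The client-side requirements above (certificate in the local machine store, private key usable by the application, server certificate bound to the event sink port) can be checked with a short script. This is an added example, not part of the original page or of WSDAPI: it assumes the client computer runs desktop Windows with PowerShell and English `netsh` output, and both thumbprints are placeholders.

```powershell
# Added example (assumes a desktop Windows client; thumbprints are placeholders).
param(
    [string]$ClientCertThumbprint = '<CLIENT-CERT-THUMBPRINT>',
    [string]$SinkCertThumbprint   = '<EVENT-SINK-CERT-THUMBPRINT>',
    [int]$EventSinkPort           = 5358   # default event sink port named above
)

function Test-WsdClientCertificate([string]$Thumbprint) {
    # The certificate must be installed in the local machine store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { return "Certificate $Thumbprint not found in LocalMachine\My" }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        "Certificate is outside its validity period (expires $($cert.NotAfter))"
    }
    # Opening the key shows that this account can use it, so run the script as
    # the account the WSDAPI client application runs under. RSA key assumed.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) { "No RSA private key is associated with the certificate" }
    } catch {
        "Private key cannot be opened by $($env:USERNAME): $($_.Exception.Message)"
    }
    # Local chain build is a sanity check only; the device host makes its own
    # trust decision about this certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status)" }
    }
}

function Test-EventSinkBinding([int]$Port, [string]$Thumbprint) {
    # netsh reads the SSL configuration held by the HTTP Server API.
    $blocks  = ((netsh http show sslcert) -join "`n") -split '(?=IP:port)'
    $binding = $blocks | Where-Object { $_ -match ":${Port}\s" }
    if (-not $binding) { return "No SSL certificate is bound to port $Port" }
    if ($binding -notmatch [regex]::Escape($Thumbprint)) {
        "Port $Port is bound to a different certificate than $Thumbprint"
    }
}

$findings = @(Test-WsdClientCertificate $ClientCertThumbprint) +
            @(Test-EventSinkBinding $EventSinkPort $SinkCertThumbprint)
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

If the event sink was configured on a port other than 5358, pass that port as `-EventSinkPort`.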

Certificates for Device Hosts

If a device host uses the WSDAPI hosting feature to implement a device that has a secure channel, then the appropriate and valid X.509 certificate must be installed on the computer. The certificate chain must extend to a root authority that the client trusts.

It is possible to specify a port other than 5358 for the secure channel. You can specify this port when calling WSDCreateDeviceHost or WSDCreateDeviceHostAdvanced. If no port is specified, the system uses port 443 for the secure channel.

If the device host is used for eventing, and the event sink requires authentication of the event source, then the event sink must trust the certificate installed on the device host.

See Also

Concepts

WSDAPI Client Application and Device Host Development
WSDAPI Supported Functionality
Using WSDAPI with a Secure Channel
Web Server Authentication and Permissions
SSL Support

Other Resources

SSL to Enhance Security of Network Communication