WCF 新手 - 如何安装和使用 SSL 证书? [英] WCF newbie - how to install and use a SSL certificate?

问题描述

对于以前做过的任何人来说，这应该是一个快照......

This should be a snap for anyone who's done it before...

我正在尝试使用 NetTcpBinding 设置自托管 WCF 服务.我从 Thawte 获得了试用 SSL 证书，并成功将其安装在我的 IIS 商店中，我认为我已经在服务中正确设置了它 - 至少它不会对我造成异常！

I'm trying to set up a self-hosted WCF service using NetTcpBinding. I got a trial SSL certificate from Thawte and successfully installed that in my IIS store, and I think I've got it correctly set up in the service - at least it doesn't exception out on me!

现在，我正在尝试连接客户端(这仍然在我的开发机器上)，它给了我一个错误，Message ="X.509 证书 CN=ssl.mydomain.com, OU=仅用于测试目的.不保证.，OU=IT，O=My Company，L=My Town，S=None，C=IL 建链失败.使用的证书具有无法验证的信任链.更换证书或更改 certificateValidationMode.已处理证书链，但终止于不受信任提供者信任的根证书."

Now, I'm trying to connect the client (this is still all on my dev machine), and it's giving me an error, "Message = "The X.509 certificate CN=ssl.mydomain.com, OU=For Test Purposes Only. No assurances., OU=IT, O=My Company, L=My Town, S=None, C=IL chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

噢噢噢噢……现在呢?

客户端代码(我想在代码中执行此操作，而不是 app.config):

Client code (I want to do this in code, not app.config):

var baseAddress = "localhost";
var factory = new DuplexChannelFactory<IMyWCFService>(new InstanceContext(SiteServer.Instance));
factory.Endpoint.Address = new EndpointAddress("net.tcp://{0}:8000/".Fmt(baseAddress));
var binding = new NetTcpBinding(SecurityMode.Message);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
factory.Endpoint.Binding = binding;
var u = factory.Credentials.UserName;
u.UserName = userName;
u.Password = password;
return factory.CreateChannel()

增加赏金我刚刚从 Thawte 获得了一个新的试用证书，将其安装为颁发给"设置为 mydomain.com，但我仍然收到上述错误.我是网络安全的新手，所以我需要详细说明如何让客户端连接到我的网站并接受安全证书.(顺便说一句，不保证"是什么意思?)

Added Bounty I've just got myself a new trial certificate from Thawte, installed it with the "issued to" set to mydomain.com, and I'm still getting the error above. I'm a newbie to web security, so I'll need detailed instructions how to get a client to connect to my website and accepting the security certificate. (BTW, what does "No assurances" mean?)

推荐答案

问题好像是你服务器上安装的服务器证书不被客户端信任.

The problem seems to be that the server certificate you have installed on your server is not trusted by the client.

为了使其受信任，服务器证书的根 CA 证书需要位于运行客户端的用户的受信任的根证书颁发机构"存储中.如果您从 Thawte 或其他类似的 CA 获得生产"级别的服务器证书，它将已被世界上大多数机器信任.

For it to be trusted the root CA certificate of the server certificate needs to be in the "Trusted Root Certification Authorities" store of the user running the client. If you get a "production" level server certificate from Thawte or some other similar CA it will already be trusted by most machines in the world.

但是，根据错误消息判断(证书的主题可分辨名称包含OU=仅用于测试目的.无保证.")您的证书是测试证书，因此您需要将 CA 证书添加到您的受信任的根证书颁发机构"手动存储.根证书通常可以从 CA(在您的情况下为 Thawte)网站下载.

However, judging by the error message (where the subject distinguished name of the certificate contains "OU=For Test Purposes Only. No assurances.") your certificate is a test certificate and you therefore need to add the CA certificate to your "Trusted Root Certification Authorities" store manually. The root certificate can usually be downloaded from the CA's (Thawte in your case) website.

这篇关于WCF 新手 - 如何安装和使用 SSL 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！