Self-signed certificates performance in WCF scenarios


Problem description

I read that self-signed certificates suffer from performance issues (for example, here) but which ones exactly? I can guess this can be related to revocation checks or something but not sure.

Recommended answer

I disagree with the article about "performance problems" in using certificates created by MakeCert.exe.

If no revocation information is included in the created certificate, then there can be no performance loss because of revocation. Probably the only thing which is specific to using a self-signed certificate is the following: you should include the self-signed certificate in the Root certificates store (Trusted Root Certification Authorities) or, better, in the AuthRoot certificates store (Third-Party Root Certificate Authorities) on all computers which will use it. After this your self-signed certificate will be not more worth as VeriSign root certificate in the most scenarios. Of course this way is possible only inside of one company and can be difficult to use in enterprise scenarios with a lot of independent client computers.

By the way, it is possible to create a simple PKI with the MakeCert.exe utility. For example, you can create the self-signed root certificate of your mini CA:

MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 4096 -e 12/31/2020 -r -n "CN=My Company Root Authority,O=My Company,C=DE" MyCompany.cer

Then you can create an additional child certificate:

MakeCert.exe -pe -ss MY -a sha1 -len 2048 -e 12/31/2020 -eku 1.3.6.1.5.5.7.3.2 -n "CN=My Name,O=My Company" -sky exchange -is MY -in "My Company Root Authority"

You can choose different enhanced key usage OIDs in the eku switch depending on the scenarios in which you want to use the certificate.

To add the root certificate of your mini CA to the AuthRoot certificate store (Third-Party Root Certificate Authorities) we can use, for example, the CertMgr.exe utility:

CertMgr.exe -add -c MyCompany.cer -s -r localMachine AuthRoot

You can also create and use a Certificate Revocation List file if it is needed for your scenario.

See How to: Create Temporary Certificates for Use During Development and other How to Articles (http://msdn.microsoft.com/en-us/library/ff648902.aspx) for more examples.
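
The revocation point made in the answer can be measured directly: the PowerShell below times X.509 chain building with revocation checking off and on, and reports whether the certificate carries any revocation pointers. It is an added example, not part of the original answer; the function names and the in-memory test certificate are hypothetical, and it assumes PowerShell on .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example (not from the original answer). Function names are hypothetical.
function Test-HasRevocationInfo {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP)
    $oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
    [bool]($Certificate.Extensions | Where-Object { $oids -contains $_.Oid.Value })
}

function Test-ChainBuild {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'NoCheck')
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode = $RevocationMode
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        # Upper bound on the time spent fetching CRLs / OCSP responses over the network.
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $valid = $chain.Build($Certificate)
        $timer.Stop()
        [pscustomobject]@{
            RevocationMode = $RevocationMode
            ChainValid     = $valid
            Milliseconds   = $timer.ElapsedMilliseconds
            Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally { $chain.Dispose() }
}

# Constructed sample input: a self-signed certificate created in memory only.
# Nothing is written to any certificate store, so the chain reports an untrusted root.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Test Root', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $request.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

"Certificate carries CRL/OCSP pointers: $(Test-HasRevocationInfo $cert)"
'NoCheck', 'Online' |
    ForEach-Object { Test-ChainBuild -Certificate $cert -RevocationMode $_ } |
    Format-Table -AutoSize
```

To check a real certificate instead, construct the `X509Certificate2` from the full path of a file such as the `MyCompany.cer` created above and pass it to both functions.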
