WCF NetTCP传输绑定的客户端证书 [英] Client Certificate for WCF NetTCP Transport binding
问题描述
我们有使用NetTCP运行的自托管WCF服务:传输:WindowsClientCredentialType
We have selfhosted WCF services running using NetTCP:Transport:WindowsClientCredentialType
// Set Binding Security.
netTcpBinding.Security.Mode = SecurityMode.Transport;
netTcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
我们现在需要将这些服务暴露给我们自己以外的域,但想继续使用IIS 。因此,我试图将我们切换到ClientCredentialType的Certificate。
We now need to expose these services to domains outside our own but want to continue selfhosting and not use IIS. Thus I am trying to switch us to a ClientCredentialType of Certificate.
// Set Binding Security.
netTcpBinding.Security.Mode = SecurityMode.Transport;
netTcpBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
我之前设置了一个开发环境(很久以前),在这里我们使用MakeCert生成一个dummy证书用于与WCF的开发目的。但是我们从Verisign购买了一个证书。我现在有什么需要发生有点模糊。我可以看到我们使用这个证书验证我们的服务给客户,但我们如何验证我们的.NET客户端与证书?我们使用相同的证书吗?我们必须在安装客户端期间安装此证书吗?位包裹在这里的轴,可以使用一个可以解释如果有人可以帮助。
I have previously setup a development environment (long ago) where we used MakeCert to generate a "dummy" certificate for development purposes with WCF. But we have since purchased a certificate from Verisign. I am a bit fuzzy on what needs to happen now. I can see us using this certificate to validate our Services to the Client, but how do we validate our .NET client with certificate? Do we use the same certificate? Do we have to install this certificate during install of our client? Bit wrapped around the axle here and could use a could explaining if anyone can help out.
推荐答案
不会在客户端上使用私钥安装证书。你不能把你的私钥给任何人 - 一旦它被危害你的安全已经走了!问题是客户端证书必须有一个私钥,但该私钥必须只由该单个客户端拥有。这意味着每个客户端有另一个证书。
No you will not install your certificate with private key on your clients. You mustn't give your private key to anybody - once it is compromised your security has gone! The problem is that client certificate must have a private key as well but that private key must be owned only by that single client. That means another certificate per client.
它通常如何实现?由本地证书颁发机构向您的客户颁发证书。您的服务将信任该权威,因此所有客户持有您的权威颁发的证书。这是唯一的情况下获得这个控制,否则你需要找到另一种机制来验证你的客户端。
How is it usually implemented? By local certificate authority issuing certificates to your clients. Your service will trust that authority and so all clients holding certificates issued by your authority. That is the only scenario to get this under control otherwise you need to find another mechanism to authenticate your clients.
这篇关于WCF NetTCP传输绑定的客户端证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
