Does IIS do the SSL certificate check or do I have to verify it?


Problem description

I have IIS set up to only accept client connections with an SSL certificate. I have a WCF service running on IIS. I have a Certification Authority in the server's trusted CAs. Now, when a client connects to the service, does IIS validate that the client certificate was issued by one of my trusted CAs? Or do I have to do the validation in my WCF service?

Also, if I want the service to only accept connections from one particular CA (not all of my trusted CAs, just one), would I have to do the verification in the service code?

Recommended answer

If you configured IIS to demand mutual HTTPS (SSL with client certificates), IIS / http.sys is responsible for validating the certificate, and the client certificate must either be in the Trusted People store or be issued by a trusted CA. The certificate is validated during the security handshake that establishes the SSL connection. When IIS is used to host a WCF service, this validation is done outside of WCF (in the case of self-hosting you can use custom certificate validation).

If you want to restrict access to the service to only a limited subset of clients (those with certificates issued by just a single CA), you should move this requirement from authentication (validating the certificate) to authorization: a custom AuthorizationPolicy in your WCF service where you validate that the certificate was issued by the correct CA, i.e. that the client is authorized to call your service.

Trusted issuers can also be configured at the system level with netsh; check sslctlidentifier and sslctlstorename. This configuration is global for the whole port (web site), so if you have multiple web applications or services with different requirements hosted on the same port, this will not be an option for you.
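The authorization-side check the answer recommends, written out as an added example (this is not code from the original answer or from WCF itself). It assumes the service runs in IIS with transport security and `clientCredentialType="Certificate"`, so IIS/http.sys has already verified that the client certificate chains to some trusted CA; the policy then decides whether that CA is the one you accept. The issuing CA is pinned by the thumbprint of its certificate (the value below is a placeholder), and all class and constant names are hypothetical.

```csharp
// Added example: restrict a WCF service hosted in IIS to client certificates
// issued by ONE specific CA, done as authorization rather than authentication.
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

public static class RequiredIssuer
{
    // Assumption: the issuing CA is pinned by the SHA-1 thumbprint of its
    // certificate (hex, no spaces). Replace the placeholder with your own CA's thumbprint.
    public const string Thumbprint = "0000000000000000000000000000000000000000";
    public const string Role = "TrustedCaClient";

    // True only if the certificate chains to a CA whose thumbprint matches.
    // Compare the chain element's thumbprint, not the Issuer DN string: any CA
    // can put an arbitrary Issuer name into a certificate it signs, but only the
    // real CA key produces a chain that X509Chain.Build accepts.
    public static bool IsIssuedBy(X509Certificate2 clientCert, string caThumbprint)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (!chain.Build(clientCert))
                return false;

            // Elements[0] is the leaf; Elements[1..] are the issuing CAs up to the root.
            for (int i = 1; i < chain.ChainElements.Count; i++)
            {
                string t = chain.ChainElements[i].Certificate.Thumbprint;
                if (string.Equals(t, caThumbprint, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false;
        }
    }
}

// Step 1: an IAuthorizationPolicy that turns "issued by our CA" into a role claim.
public class SingleIssuerAuthorizationPolicy : IAuthorizationPolicy
{
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        foreach (ClaimSet claimSet in evaluationContext.ClaimSets)
        {
            // WCF builds an X509CertificateClaimSet from the transport client certificate.
            var x509 = claimSet as X509CertificateClaimSet;
            if (x509 == null) continue;

            if (RequiredIssuer.IsIssuedBy(x509.X509Certificate, RequiredIssuer.Thumbprint))
            {
                evaluationContext.AddClaimSet(this, new DefaultClaimSet(
                    Claim.CreateNameClaim(x509.X509Certificate.Subject),
                    new Claim(ClaimTypes.Role, RequiredIssuer.Role, Rights.PossessProperty)));
            }
        }
        return true; // evaluation is complete; allow/deny is decided in step 2
    }
}

// Step 2: a ServiceAuthorizationManager that denies any caller lacking the role claim.
public class SingleIssuerAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var ctx = operationContext.ServiceSecurityContext.AuthorizationContext;
        foreach (ClaimSet cs in ctx.ClaimSets)
            foreach (Claim c in cs.FindClaims(ClaimTypes.Role, Rights.PossessProperty))
                if (RequiredIssuer.Role.Equals(c.Resource as string))
                    return true;
        return false; // WCF returns an access-denied fault to the caller
    }
}
```

Both classes are wired in through the service's `<serviceAuthorization>` behavior in web.config: set `serviceAuthorizationManagerType` to the manager above and list the policy under `<authorizationPolicies>`. The split matters: `Evaluate` should only add claims and return `true` (returning `false` tells WCF the policy wants to be re-run when more claims arrive, it does not deny), while the decision to reject the call belongs in `CheckAccessCore`. A certificate from any other CA that IIS trusts still passes the TLS handshake, reaches WCF without the role claim, and is refused here.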
