WCF Message security using certificates


Problem description

I am trying to create a WCF service that will use message mode security with a certificate. When I run the service code, both in IIS and Cassini, I get the following message:

It is likely that certificate 'CN=TempCA' may not have a private key that is capable of key exchange or the process may not have access rights for the private key

I have created certificates using the following commands:

makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer -sky Exchange -pe
makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

The TempCA.cer has been imported into the "Trusted Root Certification Authorities\Certificates" and the SignedByCA.cer into the "Personal\Certificates"

I then ran the following command:

pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer

and imported the TempCA.pfx into the "Personal\Certificates"

The service config file is as follows (taken from an MSDN tutorial and modified for my project):

<system.serviceModel>
    <services>
      <service name="Service.Service1" behaviorConfiguration="wsHttpEnpointBinding">
        <endpoint address="http://localhost:5372/Service1.svc" binding="wsHttpBinding"
         bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint"
         contract="Service.Contracts.IService1" />
      </service>      
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <!-- Certificate storage path on the server -->
            <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            <!-- Certificate storage path in the client -->
            <clientCertificate>
              <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            </clientCertificate>            
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <clientCredentials>
            <clientCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="None" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"  />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

I have spent a considerable amount of time trying to resolve this but I'm not making any real progress...
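The certificate-creation steps in the question, redone as an added example that is not part of the original post: makecert.exe and pvk2pfx.exe no longer ship with current SDKs, so the same CA plus service certificate are produced with New-SelfSignedCertificate (PKI module, Windows 10 / Server 2016 and later). The names CN=TempCA and CN=SignedByCA come from the question; the provider choice, validity periods, extension text and the Test-WcfServiceCertificate helper are assumptions. The error quoted above has two halves, a key that cannot do key exchange and a process that cannot read it; this block addresses the first half and checks for both before the certificate is wired into the config.

```powershell
# Added example (not from the original question). Run in an elevated Windows
# PowerShell 5.1 session: writing to the LocalMachine stores needs admin rights.

# Assumption: a legacy CSP is chosen on purpose. WCF message security on .NET
# Framework opens the key through the CAPI path (X509Certificate2.PrivateKey);
# older framework versions cannot use a CNG/KSP key there at all.
$Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# 1. Test CA (equivalent of: makecert -n "CN=TempCA" -r -sv TempCA.pvk ...).
#    The Basic Constraints extension is given in certreq's {text} syntax.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=TempCA' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}CA=true&pathlength=0') `
    -KeyExportPolicy Exportable `
    -Provider $Provider `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2)

# 2. Service certificate issued by the CA (equivalent of the second makecert).
#    -KeySpec KeyExchange is makecert's "-sky Exchange": the key must be able to
#    unwrap the symmetric key the client encrypts to it, which is exactly what
#    "not capable of key exchange" complains about. KeyEncipherment says the
#    same thing at the X.509 level; 2.5.29.37 is Extended Key Usage
#    (serverAuth, clientAuth).
$svc = New-SelfSignedCertificate `
    -Subject 'CN=SignedByCA' `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange `
    -KeyUsage KeyEncipherment, DigitalSignature `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2') `
    -KeyExportPolicy Exportable `
    -Provider $Provider `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(1)

# 3. Trust the CA by importing only its public half into LocalMachine\Root.
#    The CA private key stays in My and is never used by the service, so the
#    service identity should never be granted access to it.
$caCer = Join-Path $env:TEMP 'TempCA.cer'
Export-Certificate -Cert $ca -FilePath $caCer | Out-Null
Import-Certificate -FilePath $caCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Check what WCF will check, before pointing <serviceCertificate> at it.
function Test-WcfServiceCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store entry' }
    # GetRSAPrivateKey needs .NET Framework 4.6 or later (Windows PowerShell 5.1 has it).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) {
        $problems += 'private key cannot be opened (missing, or the caller lacks read access)'
    } elseif ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $problems += "key is $($rsa.GetType().Name), not a CAPI key"
    } elseif ($rsa.CspKeyContainerInfo.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        $problems += "key spec is $($rsa.CspKeyContainerInfo.KeyNumber), needs Exchange"
    }
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if ($ku -and -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
        $problems += 'KeyUsage extension lacks KeyEncipherment'
    }
    [pscustomobject]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; Problems = $problems }
}

Test-WcfServiceCertificate -Cert $svc
```

An empty Problems list from the check run as the administrator only proves the key itself is usable; the same check run under the service identity (or the ACL fix in the answer below) is what rules out the second half of the error message. Note also that the question's config points serviceCertificate at TempCA, the CA itself, rather than at SignedByCA, so the key the web process would be opening is the CA signing key.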

Solution

The problem seems to be that the calling application's user account didn't have permission to read the certificate.

Using the following command to grant the permission to the Network Service account:

WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s Temp.cer -a "NETWORK SERVICE"

...and using the following bindings fixed the issue:

<system.serviceModel>
    <services>
      <service name="Service.Service1" behaviorConfiguration="wsHttpEnpointBinding">
        <endpoint address="http://localhost:5372/Service1.svc" binding="wsHttpBinding"
         bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint"
         contract="Service.Contracts.IService1" />
      </service>      
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <!-- Certificate storage path on the server -->
            <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            <!-- Certificate storage path in the client -->
            <clientCertificate>
              <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            </clientCertificate>            
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <clientCredentials>
            <clientCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="None" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"  />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>
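The same fix as the accepted answer's WinHttpCertCfg.exe -g, as an added example that is not part of the original answer: the private-key read grant is done directly on the key container file's ACL, which is what WinHttpCertCfg edits under the hood, so that only the service identity gets Read on only the service certificate's key. WinHttpCertCfg's -s argument is matched against the certificate subject, so for the certificates in the question it would be TempCA or SignedByCA rather than a file name. Assumptions (not from the original post): Windows PowerShell 5.1 on .NET Framework, the service certificate is CN=SignedByCA in LocalMachine\My (the end-entity certificate, not the CA key that the answer's config points at), and the service runs as the IIS application pool identity named below; substitute "NT AUTHORITY\NETWORK SERVICE" for the setup in the answer. The function names are mine.

```powershell
# Added example (not from the original answer). Run elevated.
$ServiceIdentity = 'IIS AppPool\DefaultAppPool'   # assumption; or 'NT AUTHORITY\NETWORK SERVICE'
$SubjectName     = 'SignedByCA'                   # the end-entity cert, never the CA

function Get-PrivateKeyFile {
    # Resolve the on-disk key container backing $Cert. CAPI (CSP) machine keys
    # live under ...\Crypto\RSA\MachineKeys, CNG (KSP) machine keys under ...\Crypto\Keys.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "'$($Cert.Subject)' has no private key in this store" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $path = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$unique"
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $unique = $rsa.Key.UniqueName
        $path = "$env:ProgramData\Microsoft\Crypto\Keys\$unique"
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Key container file not found at $path (a user-scoped key was imported instead of a machine key?)"
    }
    return $path
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Identity
    )
    $path = Get-PrivateKeyFile -Cert $Cert
    $acl  = Get-Acl -LiteralPath $path
    # Read is all WCF needs to decrypt the client's key material and sign
    # responses. Do not grant FullControl, and do not grant to Users/Everyone.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    return $path
}

function Test-PrivateKeyRead {
    # Re-read the ACL and confirm an Allow/Read entry exists for the identity.
    param([Parameter(Mandatory)][string]$KeyFile, [Parameter(Mandatory)][string]$Identity)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
    $match = (Get-Acl -LiteralPath $KeyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    return [bool]$match
}

# FindBySubjectName in the WCF config is a substring match; the exact -eq here
# avoids picking up the CA certificate by accident.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName and a private key in LocalMachine\My" }

$keyFile = Grant-PrivateKeyRead -Cert $cert -Identity $ServiceIdentity
"Read on $keyFile granted to $ServiceIdentity : $(Test-PrivateKeyRead -KeyFile $keyFile -Identity $ServiceIdentity)"
```

Two settings in the answer's config are fine for a local test but should not survive into production: certificateValidationMode="None" on the client disables validation of the service certificate entirely, so any certificate presented by a man in the middle is accepted (with TempCA in the machine Root store, ChainTrust works; PeerTrust with the service certificate in the client's TrustedPeople store is the other option); and includeExceptionDetailInFaults="true" returns exception details and stack traces to callers. allowUntrustedRsaIssuers="true" on issuedTokenAuthentication likewise accepts issuer keys that are not in any trusted store.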
