How can I configure WCF to use x509 certificates over the internet?


Question

I need to use an x509 certificate to get secure message level authentication from a rich client via the internet to a secure WCF Web Service.

Specifically, I am looking for a working step-by-step guide to setup, configuration, coding, and deployment, including creating a 'dev' certificate, installing it, and obtaining a 'real' certificate for production.

Answer

The following steps are a guide to get you started:

1) Firstly, you need a Root Authority to generate your client and server certificates. You can either use an external Authority Provider (e.g. Verisign) or you can generate your own using something like Microsoft Certificate Server.

To generate a development Root Authority certificate you can use the "makecert" tool that comes with Visual Studio, e.g.

makecert -n "CN=MyRootCA" -r -sv RootCA.pvk RootCA.cer

2) You then need to request/generate your client and server certificates. Both types of certificates can be installed as local machine certificates and both need to be signed using the same root authority. You can request client certificates from a Microsoft Certificate Server's web interface, e.g. http://mycertserver/certsrv.

To generate a development client certificate for each machine you can use "makecert" again. Note that the client certificates are signed with the development Root Authority certificate created in step 1.

makecert -pe -n "CN=MyCert" -ss my -sky exchange -sk MyCert 
         -iv RootCA.pvk -ic RootCA.cer -sr localmachine MyCert.cer

This will install the certificate on the machine on which the command is run, into the Personal certificates folder in the Local Machine store.

In order for the server to trust the client certificates you will need to install the development Root Authority certificate in the server's Trusted Root Certificate Authorities store (use the mmc Certificates snap-in to do this). The clients should also have the root certificate installed in the same way so that they trust their own certificates.

3) Configure your WCF service to require client authentication using a certificate (e.g. via the web.config).

<services>
  <service
    name="TestService"
    behaviorConfiguration="wsHttpCertificateBehavior">
    <endpoint name="TestEndPoint"
      address=""
      binding="wsHttpBinding"
      bindingConfiguration="wsHttpEndpointBinding"
      contract="TestService.IMyContract">
      <identity>
        <dns value=""/>
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="wsHttpCertificateBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
      <serviceCredentials>
        <clientCertificate>
          <authentication 
            certificateValidationMode="PeerOrChainTrust" 
            revocationMode="NoCheck"/>
        </clientCertificate>
        <serverCertificate findValue="CN=MyCert"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

4) Now configure the caller (e.g. via the app.config).

<client>
  <endpoint name="wsHttpBinding"
    address="https://localhost/TestService/TestService.svc"
    binding="wsHttpBinding"
    bindingConfiguration="wsHttpBinding"
    behaviorConfiguration="wsHttpCertificateBehavior"
    contract="TestService.IMyContract">
    <identity>
      <dns value="MyCert"/>
    </identity>
  </endpoint>
</client>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
 <endpointBehaviors>
  <behavior name="wsHttpCertificateBehavior">
    <clientCredentials>
      <clientCertificate findValue="MyCert" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
      <serviceCertificate>
        <authentication 
          certificateValidationMode="PeerOrChainTrust" 
          revocationMode="NoCheck" 
          trustedStoreLocation="LocalMachine"/>
      </serviceCertificate>
    </clientCredentials>
  </behavior>
 </endpointBehaviors>
</behaviors>
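The service-side configuration in step 3 accepts any client certificate that chains to a root in the Trusted Root store and skips revocation checks. The following is an added example, not part of the original answer, of a custom WCF client-certificate validator that pins the expected root (the RootCA.cer from step 1, identified by a thumbprint you supply) and checks revocation online; the class name and the thumbprint value are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Hypothetical validator: replaces certificateValidationMode="PeerOrChainTrust"
// with a chain build that must end at one specific root CA.
public sealed class PinnedRootCertificateValidator : X509CertificateValidator
{
    private readonly string _rootThumbprint;
    private readonly X509RevocationMode _revocationMode;

    // rootThumbprint: SHA-1 thumbprint of RootCA.cer (assumed; read it from the
    // certificate's Details tab or from config in a real deployment).
    public PinnedRootCertificateValidator(string rootThumbprint, X509RevocationMode revocationMode)
    {
        _rootThumbprint = rootThumbprint.Replace(" ", string.Empty).ToUpperInvariant();
        _revocationMode = revocationMode;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        var chain = new X509Chain();
        // Online revocation checking, unlike revocationMode="NoCheck" in the answer.
        chain.ChainPolicy.RevocationMode = _revocationMode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(certificate))
        {
            var reasons = string.Join("; ",
                Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException(
                "Client certificate chain failed: " + reasons);
        }

        // The last element of a successfully built chain is the root CA.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, _rootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Client certificate does not chain to the expected root CA.");
    }
}
```

Because the constructor takes parameters, register it in code before opening the ServiceHost (`host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom; host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new PinnedRootCertificateValidator("<root thumbprint>", X509RevocationMode.Online);`) rather than via `customCertificateValidatorType` in config. The root from step 1 still has to be in the Trusted Root store for `chain.Build` to succeed; the thumbprint check then rejects clients issued under any other root present on the machine.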
