以编程方式安装证书吊销列表 C# [英] Programmatically installing certificate revocation list C#

问题描述

我正在使用 C#/WCF.我有一个将由客户端调用的 Web 服务.这是服务定义:

I am using C#/WCF. I have a web service which shall be invoked by the client. This is the service definition:

<service behaviorConfiguration="WCFInterface.CommonBehavior" name="WCFInterface.Content">
  <endpoint address="" binding="ws2007HttpBinding" bindingConfiguration="wsHttpUserName"
 contract="ABB.fTunes.WCFInterface.IContent">
    <identity>
      <dns value="fTunesTestServer" />
    </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>

这是绑定:

<ws2007HttpBinding>
  <binding name="wsHttpUserName">
    <security mode="Message">
      <message clientCredentialType="UserName"/>
    </security>
  </binding>
</ws2007HttpBinding>

如果我理解正确，从服务器发送到客户端的消息是用证书加密的.目前我仍在使用开发人员证书.我在服务器上创建了一个根证书、一个证书吊销列表和一个密钥.

If I understand this correctly, the messages sent from server to client are encrypted with a certificate. Currently I am still working with developer certificates. I created a root certificate, a certificate revokation list and a key on the server.

我正在使用 Windows Installer 安装客户端，并且我有一个自定义安装操作来安装证书.

I am installing the client with Windows Installer and I have a custom install action to install the certificates.

以下代码展示了如何将证书添加到商店

The following code shows how the certificates are added to the store

Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream("ClientCertificates.MyRoot.cer");
byte[] buffer = new byte[((int)(manifestResourceStream.Length - 1L)) + 1];
manifestResourceStream.Read(buffer, 0, (int)manifestResourceStream.Length);
manifestResourceStream.Close();

var cert = new X509Certificate2(buffer);
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();

/*
// The CRL is also needed, no idea why
manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream("ClientCertificates.MyRoot.crl");
buffer = new byte[((int)(manifestResourceStream.Length - 1L)) + 1];
manifestResourceStream.Read(buffer, 0, (int)manifestResourceStream.Length);
manifestResourceStream.Close();
cert = new X509Certificate2(buffer);
store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();
*/

// This is the key 
manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream("ClientCertificates.MyTestServer.cer");
buffer = new byte[((int)(manifestResourceStream.Length - 1L)) + 1];
manifestResourceStream.Read(buffer, 0, (int)manifestResourceStream.Length);
manifestResourceStream.Close();

cert = new X509Certificate2(buffer);
store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(cert);
store.Close();

我现在有两种行为:安装证书有效，但是当我调用 Web 服务时，我收到一个 SecurityNegotiationException.当我手动添加证书吊销列表时，与服务器的通信工作正常.当我尝试以编程方式执行此操作时(请参阅上面的代码)，它不起作用.我收到找不到请求的对象"异常.

I have now two behaviors: Installing the certificates work, but when I call the web service I get a SecurityNegotiationException. When I add the Certificate Revocation List manually, the communication with the server works. When I try to do it programmatically (see code above) it does not work. I get a "Could not find requested object" exception.

我尝试使用不同的商店，但没有成功.

I tried to use different stores but with no success.

我有两个问题:a) 为什么我需要客户端上的 CRL?b) 如果我需要它，我如何以编程方式安装它?我上面的错误在哪里?

I have two questions: a) Why do I need the CRL on the client? b) If I need it, how can I install it programmatically? Where is my mistake above?

感谢您的帮助，凯

推荐答案

通常，CRL 必须在线可用，并且可以从服务器证书中指定的吊销 URL 下载.我不知道是否有获取它的带外机制，但即使有，它也会有点违背目的(允许客户端发现服务器证书已被破坏/撤销).也就是说，除非您使用证书进行真正的相互身份验证并且您担心密钥被泄露(在这种情况下，请购买商业证书并让他们处理它)，否则 CRL 对于自签名证书来说确实有点过分了.

Generally, the CRL has to be available online and downloadable from the revocation URL specified in the server cert. I don't know if there's an out-of-band mechanism for getting it, but even if there was, it'd kinda defeat the purpose (allowing clients to discover that a server cert has been compromised/revoked). That said, a CRL is really overkill for self-signed certs unless you're using the cert for real mutual authentication and you're worried about the key being compromised (in which case, buy a commercial cert and let them deal with it).

如果您无法在没有吊销 URL 的情况下生成证书，我建议您完全禁用 CRL 的客户端检查，除非您确实需要它.您可以通过将以下内容添加到 webservice 客户端的 app.config 来完成此操作:

If you can't get a cert generated without a revocation URL, I'd recommend disabling the client check of the CRL altogether unless you really need it. You can do this by adding the following to the webservice client's app.config:

  <system.net>
    <settings>
      <servicePointManager checkCertificateRevocationList="false"/>
    </settings>
  </system.net>

如果您使用 WCF，则可能需要将它与 clientCredentials 端点行为连接起来，改为在 serviceCertificate->revocationMode:NoCheck 下.

If you're using WCF, you may need to wire it up with a clientCredentials endpointBehavior, under serviceCertificate->revocationMode:NoCheck instead.

这篇关于以编程方式安装证书吊销列表 C#的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！