X509Certificate Implementation best practices


Problem description

Firstly, thanks to all those patient techies trying to help unknown people.

Secondly, I have a WCF service which should be consumed by only several clients (10) known to our company. This WCF service has the x509certificate "CN=ABCD". Now it expects to receive a certificate in turn from the clients to consume this service. So here are the design questions:

  1. Should I create a certificate "CN=ABCD", then right-click it, export it as a .pfx file and distribute it to the clients?
  2. Some say to validate in code, some say to validate in config. Which is better?
  3. How do I know which client is calling, since the certificate has the same name for all of them if my company distributes it?
  4. What is the difference between a .cer file and a .pfx file?
  5. To pass the certificate to the clients, would I provide both the .cer and the .pfx file?
  6. How should I revoke only one client if it expires?
  7. My company already has a certificate like *.fdfd.org. Can I use it as my X509Certificate instead of generating one?

Many questions!
But due to a lot of frustration, I wanted to have the opinion of the developers out there, because I couldn't get the right info.

Recommended answer

  • NO. You must have a separate certificate for the service, and you should have one certificate for each client. Once you share the private key of your service, your security is gone.
  • You can either install the public keys of the client certificates into Machine\Trusted People (a client with any trusted certificate will have access to your service), or you can use a custom certificate validator (only with message security; according to your previous question you probably use message security) to validate really only those 10 certificates.
  • This is only possible if you create a separate certificate for each client. It is also possible to combine the certificate with a supporting user name and password, but it requires very advanced WCF configuration, and still, sharing a single certificate among multiple clients is a bad decision.
  • A certificate is just a container for some information: keys for asymmetric encryption. A .cer contains only the public key, which can be freely distributed; you will probably have to distribute the .cer file of your service's certificate among the clients. A .pfx contains both the public and the private key and must be secured as much as possible. Once a .pfx file is compromised, the certificate is not secure any more and must be replaced. Because of that you must keep your service's .pfx (installed in the certificate credential store) and each client must keep his own .pfx.
  • If you create certificates for the clients you will pass at least the .pfx to them. Obviously, once you send such a certificate by unsecured email you seriously hurt the security.
  • If one client expires you will remove its certificate from the trusted certificates. If you have your own certification authority (which you should have if you want to create certificates for clients)
  • If your service sits on fdfd.org you can probably use it, but only for the service.
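As an added example (not code from the question or the answer), here is a custom WCF certificate validator of the kind the answer refers to: it accepts only the client certificates whose thumbprints are on an allow-list, one certificate per client, so removing a single entry revokes a single client. The namespace, class name, client names and thumbprints are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Registered on the service side through configuration, e.g.:
// <serviceCredentials>
//   <clientCertificate>
//     <authentication certificateValidationMode="Custom"
//         customCertificateValidatorType="Example.Wcf.KnownClientCertificateValidator, ExampleAssembly" />
//   </clientCertificate>
// </serviceCredentials>
namespace Example.Wcf
{
    // Allow-list validator: only the listed client certificates may call the service.
    public sealed class KnownClientCertificateValidator : X509CertificateValidator
    {
        // Placeholder thumbprints (SHA-1 hex, as X509Certificate2.Thumbprint returns it).
        // Replace with the thumbprints of the certificates issued to each client.
        // Revoking one client means removing its one entry here.
        private static readonly Dictionary<string, string> KnownClients =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "0000000000000000000000000000000000000001", "ClientA" },
                { "0000000000000000000000000000000000000002", "ClientB" },
            };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // Reject expired or not-yet-valid certificates before consulting the list.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException(
                    "Client certificate is outside its validity period.");

            string clientName;
            if (!KnownClients.TryGetValue(certificate.Thumbprint, out clientName))
                throw new SecurityTokenValidationException(
                    "Client certificate is not one of the known client certificates.");

            // Accepted. Inside a service operation the caller can then be identified via
            // ServiceSecurityContext.Current.PrimaryIdentity.Name (subject and thumbprint).
        }
    }
}
```

Because every client holds a distinct certificate, the thumbprint alone tells the service which client is calling, which answers question 3 without sharing any private key.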