将在Windows应用商店应用始终不允许即使明确信任自签名的证书？ [英] Will a Windows Store app always disallow a self-signed certificate even if explicitly trusted?

问题描述

我见过两个<一个href=\"http://stackoverflow.com/questions/14374430/windows-store-app-connect-to-https-with-an-self-signed-ssl-certificate\">this和<一个href=\"http://stackoverflow.com/questions/13119649/how-to-trust-a-self-signed-certificate-in-a-windows-store-app\">this - 同样的问题，不同的问题。

I've seen both this and this — same problem, different question.

我想我的Windows 8.1商店应用连接到一个ASP.NET Web API网络服务，使用自签名证书保证通过HTTPS。这是证明一个概念的应用程序，将结束针对＆lt; 5不同的机器上，看到仅在内部，所以我打算只安装证书上的每个目标机器为可信。

I'm trying to connect my Windows 8.1 Store app to an ASP.NET Web API web service, secured over HTTPS using a self-signed certificate. It's a proof-of-concept application that will end up on < 5 different machines and seen only internally, so I was planning to just install the certificate as trusted on each of the target machines.

当我尝试这对我的开发设置，既HttpClient的API的调用失败的服务时建立的信任关系。

When I try this on my development setup, both HttpClient APIs fail to establish the trust relationship when calling the service.

• Windows.Web.Http.HttpClient例外：证书颁发机构是无效或不正确


• System.Net.Http.HttpClient例外：远程证书按验证程序是无效的

我的自签名证书（公钥只.CER版本）同时安装在用户和本地计算机在客户端上受信任的根证书颁发机构。我真的很惊讶，这是不够的，得到的WinRT信任它。是否有什么我失踪，或者是有只是没有办法建立一个自签名的SSL证书，这将使HttpClient的快乐的信任关系？

My self-signed certificate (public-key-only .cer version) is installed in both the "User" and "Local Machine" Trusted Root Certification Authorities on the client. I'm really surprised that this isn't enough to get WinRT to trust it. Is there something I'm missing, or is there just no way to set up the trust relationship for a self-signed SSL certificate that will make HttpClient happy?

这是我的设置方式：

• 的ASP.NET Web API


• 在Azure的模拟器中运行Azure的Web角色


• 证书颁发者：127.0.0.1


• 证书主题：127.0.0.1


• 证书键：2048位


• 8.1的Windows Store应用程序


• 证书安装在用户\\受信任的根证书颁发机构（只有公钥.cer文件）


• 证书安装在本地计算机（只有公钥.cer文件）\\受信任的根证书颁发机构


• 证书（仅公钥.cer文件）添加到Windows商店应用清单下的CA

我不要求的解决方法，配置的HttpClient接受一般的自签名证书或无效的证书 - 我只想用配置这一个信任关系。这可能吗？

I am not asking for a workaround to configure HttpClient to accept self-signed or invalid certificates in general — I just want to configure a trust relationship with THIS one. Is this possible?

推荐答案

这件作品我失踪原来是该证书是不是在IIS服务器证书的我的本地计算机上的名单！

The piece I was missing turned out to be that the certificate wasn't in the list of of IIS Server Certificates on my local machine!

打开IIS管理器，然后检查了服务器证书一节，我没有找到一个127.0.0.1 SSL证书已经在Azure仿真器设置：

Opening IIS Manager and checking out the Server Certificates section, I did find a 127.0.0.1 SSL certificate already set up by the Azure emulator:

• CN = 127.0.0.1


• O =测试用


• OU = Windows Azure的DevFabric

不过，我自己的自签名的证书，我的IIS之外进行的，也与CN = 127.0.0.1，是不是在列表中。我导入它，现在我的Windows商店应用的HttpClient的连接愉快（证书警告在Chrome和IE走的！）

However, my own self-signed certificate that I made outside of IIS, also with CN=127.0.0.1, was not in the list. I imported it, and now my Windows Store app's HttpClient connects happily (certificate warnings went away in Chrome and IE as well!)

如果任何人都可以坚定对这个技术细节，请评论 - 此修复程序感觉有点不可思议，我不知道我能pcisely查明$ P $为什么这个工作。可能在这两个证书为127.0.0.1的我而言有些混乱，即使指纹我在Azure项目已经配置了总是一个我正打算使用？

If anyone can firm up the technical details on this, please comment — this fix feels a bit magical and I'm not sure I can pinpoint precisely why this worked. Possibly some confusion on my part between the two certs for 127.0.0.1, even though the thumbprint I had configured in my Azure project was always the one I was intending to use?

这篇关于将在Windows应用商店应用始终不允许即使明确信任自签名的证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！