How do I configure WCF to use x509 certificates over the Internet?

Posted 2024-07-09 03:14:48

I need to use an x509 certificate to get secure message level authentication from a rich client via the internet to a secure WCF Web Service.

Specifically, I am looking for a working step-by-step guide to setup, configuration, coding, and deployment, including creating a 'dev' certificate, installing it, and obtaining a 'real' certificate for production.

Comments (2)

带上头具痛哭 2024-07-16 03:14:48

The following steps are a guide to get you started:

1) Firstly, you need a Root Authority to generate your client and server certificates. You can either use an external Authority Provider (e.g. Verisign) or you can generate your own using something like Microsoft Certificate Server.

To generate a development Root Authority certificate you can use the "makecert" tool that comes with Visual Studio, e.g.

makecert -n "CN=MyRootCA" -r -sv MyRootCA.pvk MyRootCA.cer

2) You then need to request/generate your client and server certificates. Both types of certificates can be installed as local machine certificates and both need to be signed using the same root authority. You can request client certificates from a Microsoft Certificate Server's web interface, e.g. http://mycertserver/certsrv.

To generate a development client certificate for each machine you can use "makecert" again. Note that the client certificates are signed with the development Root Authority certificate created in step 1.

makecert -pe -n "CN=MyCert" -ss my -sky exchange -sk MyCert 
         -iv MyRootCA.pvk -ic MyRootCA.cer -sr localmachine MyCert.cer

This will install the certificate on the machine on which the command is run, into the Personal certificates folder in the Local Machine store.

In order for the server to trust the client certificates you will need to install the development Root Authority certificate in the server's Trusted Root Certificate Authorities store (use the mmc Certificates snap-in to do this). The clients should also have the root certificate installed in the same way so that they trust their own certificates.

3) Configure your WCF service to require client authentication using a certificate (e.g. via the web.config).

<services>
  <service
    name="TestService"
    behaviorConfiguration="wsHttpCertificateBehavior">
    <endpoint name="TestEndPoint"
      address=""
      binding="wsHttpBinding"
      bindingConfiguration="wsHttpEndpointBinding"
      contract="TestService.IMyContract">
      <identity>
        <dns value=""/>
      </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <behavior name="wsHttpCertificateBehavior">
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
    <serviceCredentials>
      <clientCertificate>
        <authentication 
          certificateValidationMode="PeerOrChainTrust" 
          revocationMode="NoCheck"/>
      </clientCertificate>
      <serverCertificate findValue="CN=MyCert"/>
    </serviceCredentials>
  </behavior>
</behaviors>

4) Now configure the caller (e.g. via the app.config).

<client>
  <endpoint name="wsHttpBinding"
    address="https://localhost/TestService/TestService.svc"
    binding="wsHttpBinding"
    bindingConfiguration="wsHttpBinding"
    behaviorConfiguration="wsHttpCertificateBehavior"
    contract="TestService.IMyContract">
    <identity>
      <dns value="MyCert"/>
    </identity>
  </endpoint>
</client>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBinding">
      <security mode="Message">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
 <endpointBehaviors>
  <behavior name="wsHttpCertificateBehavior">
    <clientCredentials>
      <clientCertificate findValue="MyCert" storeLocation="LocalMachine"/>
      <serviceCertificate>
        <authentication 
          certificateValidationMode="PeerOrChainTrust" 
          revocationMode="NoCheck" 
          trustedStoreLocation="LocalMachine"/>
      </serviceCertificate>
    </clientCredentials>
  </behavior>
 </endpointBehaviors>
</behaviors>
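A production-hardening variant of the step 3 server-side settings, as an added C# example that is not part of the answer above: it replaces certificateValidationMode="PeerOrChainTrust" and revocationMode="NoCheck" with a custom validator that checks revocation online and pins the issuing root CA. The root thumbprint value, the CertificateAuthSetup class and its Apply method are assumptions; the "CN=MyCert" lookup mirrors the answer's serverCertificate element.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Replaces PeerOrChainTrust + revocationMode="NoCheck": the client certificate must
// chain, with a live revocation check, to one specific root CA (thumbprint is a placeholder).
public class PinnedRootChainValidator : X509CertificateValidator
{
    private readonly string _expectedRootThumbprint;
    public PinnedRootChainValidator(string expectedRootThumbprint)
    {
        _expectedRootThumbprint = expectedRootThumbprint;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // dev config used NoCheck
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        if (!chain.Build(certificate))
        {
            string why = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new SecurityTokenValidationException("Client certificate chain failed: " + why);
        }
        // The last element is the root actually used; pin it so no other root that
        // happens to be trusted on the server can issue acceptable client certificates.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, _expectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Client certificate not issued by the expected root CA.");
    }
}

public static class CertificateAuthSetup
{
    // Programmatic equivalent of the step 3 <serviceCredentials> block, applied to a
    // ServiceHost already built for the answer's TestService (assumed class name).
    public static void Apply(ServiceHost host, string expectedRootThumbprint)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedRootChainValidator(expectedRootThumbprint);
        // Same lookup as <serverCertificate findValue="CN=MyCert"/> (default find type is subject DN).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectDistinguishedName, "CN=MyCert");
    }
}
```

Call CertificateAuthSetup.Apply(host, "PLACEHOLDER_ROOT_THUMBPRINT") before host.Open(); a certificate that chains to any other trusted root, or whose revocation status cannot be obtained, is rejected before the message reaches the contract.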

关于从前 2024-07-16 03:14:48

I'd recommend reading the WCF Security guidance from Microsoft

This deals with this scenario as well as many others

http://www.codeplex.com/WCFSecurityGuide/

edit: now at https://archive.codeplex.com/?p=wcfsecurityguide
