WCF service with OpenSSL certificates
I've gotten my WCF web service running with basic self-signed certificates generated by makecert (using some of the many online tutorials on the subject) but have found that there are certain capabilities that we require when generating certificates that makecert does not seem to handle. As such, I'm trying to create my certificates using OpenSSL, signing them with our own CA (also generated with OpenSSL). I seem to be creating and registering the certificate fine, but when I attempt to query the web service I get the following:
The certificate '[Cert Details]' must have a private key. The process must have access rights for the private key.
Try though I might, I can't seem to get the system to recognize what I thought was the private key (maybe I'm totally wrong and I should be looking at another file entirely...) Can anyone offer some sage advice as to where I may be going wrong?
I'm generating the certificate like so:
# Generate key and certificate request
openssl req -new -newkey rsa:1024 -nodes -keyout MyCompany.key -out MyCompany.csr
# Generate certificate from certificate request
openssl ca -batch -in MyCompany.csr -out MyCompany.cert
I can then register "MyCompany.cert" with the machine's certificate store (in this case both server and client are running on localhost), but MyCompany.key (which I assume is the private key, yes?) will not import, always citing an unknown file format. Registration is being done through the "mmc" utility with the Certificates snap-in.
In the Web.config files for my client and server I then swap out the previous (working) certificate name for the name of my new certificate:
<!-- Client Web.config -->
<clientCredentials>
<serviceCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
<clientCertificate findValue="MyCompany" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</clientCredentials>
<!-- Server Web.config -->
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust"/>
</clientCertificate>
<serviceCertificate findValue="MyCompany" storeLocation="CurrentUser" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</serviceCredentials>
This, of course, yields the error I listed earlier. I know it's finding the certificate because the details it displays in the error are all correct, but I'm obviously missing something. So what more do I need to do to get WCF to work with my OpenSSL certificates?
I apologize if my question seems obvious, or if I'm leaving out some critical piece of information, but I'm fairly new to the certificate/SSL scene and so much of what I already have is me groping around in the dark. I'd be very appreciative of anyone who could enlighten me!
Comments (1)
Windows doesn't understand OpenSSL's PEM key format. After generating your key pair, you'll need to cram them into a PKCS12 (.pfx) format to be able to import the whole key pair. Something like:
Then import the .pfx using the Certificates snap-in as before. You should be prompted for the key password you supplied during the export, and then you should see the little key icon when you view the cert that says "You have a private key corresponding to this certificate".
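As an added example (not part of the question or of the answer above), the following POSIX shell script walks the whole pipeline the answer describes: key and CSR with OpenSSL, signing by a CA, and packaging certificate plus private key into a PKCS#12 (.pfx) bundle that the Windows certificate store will import as a key pair. It assumes `openssl` is on PATH. The throwaway CA, the subject names, the output directory and the bundle password `changeit` are all constructed for the demo; the poster's real CA is driven with `openssl ca`, but `openssl x509 -req` is used here so the script runs without a CA config file or index. It also uses 2048-bit RSA instead of the 1024-bit key in the question, and it ends with the check the error message is really about: the bundle contains exactly one private key, and that key matches the certificate's public key.

```shell
#!/bin/sh
# Added example, not from the original post: produce a CA-signed service
# certificate with OpenSSL and bundle it with its private key as PKCS#12 (.pfx),
# which is the format the Windows certificate store imports key pairs from.
set -eu

# Demo values (constructed): output dir, leaf subject and bundle password.
WORK="${WORK:-$(mktemp -d)}"
LEAF_CN="${LEAF_CN:-MyCompany}"
PFX_PASS="${PFX_PASS:-changeit}"   # demo only; use a real secret in practice

# Throwaway self-signed CA standing in for the poster's own OpenSSL CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Key + CSR for the service certificate, as in the question (2048-bit RSA).
make_leaf_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$LEAF_CN" \
    -keyout "$WORK/$LEAF_CN.key" -out "$WORK/$LEAF_CN.csr"
}

# Sign the CSR with the CA. 'openssl x509 -req' replaces 'openssl ca' here so
# no openssl.cnf CA section, index.txt or serial file has to be prepared.
sign_leaf() {
  openssl x509 -req -in "$WORK/$LEAF_CN.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/$LEAF_CN.cert"
}

# Bundle certificate, private key and CA chain into a password-protected .pfx.
# This is the file to import with the Certificates snap-in, not the .key file.
export_pfx() {
  openssl pkcs12 -export \
    -inkey "$WORK/$LEAF_CN.key" -in "$WORK/$LEAF_CN.cert" \
    -certfile "$WORK/ca.crt" -name "$LEAF_CN" \
    -passout "pass:$PFX_PASS" -out "$WORK/$LEAF_CN.pfx"
}

build_bundle() {
  make_ca && make_leaf_csr && sign_leaf && export_pfx
}

# Sanity check before touching Windows: the .pfx must carry exactly one private
# key, and that key must correspond to the certificate's public key.
pfx_has_matching_key() {
  key_pem=$(openssl pkcs12 -in "$WORK/$LEAF_CN.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -nodes 2>/dev/null)
  key_count=$(printf '%s\n' "$key_pem" | grep -c 'BEGIN .*PRIVATE KEY' || true)
  cert_pub=$(openssl x509 -in "$WORK/$LEAF_CN.cert" -noout -pubkey)
  key_pub=$(printf '%s\n' "$key_pem" | openssl pkey -pubout)
  [ "$key_count" -eq 1 ] && [ "$cert_pub" = "$key_pub" ]
}

build_bundle
if pfx_has_matching_key; then
  echo "OK: $WORK/$LEAF_CN.pfx contains the certificate and its matching private key"
else
  echo "FAIL: private key missing or does not match the certificate" >&2
  exit 1
fi
```

Two practical notes. First, the imported key pair normally belongs in the Personal (My) store of the account that will run the service; the `TrustedPeople` store in the question's Web.config is where the peer's public certificate goes for `PeerOrChainTrust` validation. Second, the error text quoted in the question has two halves: "must have a private key" is fixed by importing the .pfx, but "the process must have access rights for the private key" still applies afterwards, so when the service runs under IIS the application pool identity needs read permission on the key (Manage Private Keys in the Certificates snap-in). On Windows the .pfx can also be imported from the command line with `certutil -importPFX` or the PowerShell `Import-PfxCertificate` cmdlet instead of mmc.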