VS2010 中的 C#，使用 WCF、分层证书和 IIS6

发布于 2024-09-26 13:29:30 字数 1133 浏览 4 评论 0原文

我们在使用 VS 2010、C# 和 WCF 开发的应用程序中投入了大量精力。我们使用Transport作为安全模式，并在TransportSecurity Properties中设置为None和None。

我们在 IIS6 中托管该服务。经过大量工作后，我们设法使用 https 使其工作。我们使用的证书是自己创建的证书，是使用 selfssl.exe 工具创建的。创建证书并将其存储在“受信任的证书”列表中后，我们将其设置为我们站点的 IIS 中的服务器证书，并使用 443 端口在证书指纹和本地主机地址之间进行“绑定” httpcfg 工具。

好吧，我们还使用了不建议用于生产的著名代码段（我们知道这一点），它可以验证不是由有效证书颁发机构颁发的证书。这段代码我们取自MSDN WCF Hands On Lab。在这段代码中，我们为其提供证书的 CN=NAME，它就可以工作了。

好的，我们终于开始工作了。这一切都在发展中。现在我们正处于测试阶段，他们同意使用启用证书的代码片段。问题是，我们需要使用的证书，在IIS中设置它并设置为使用著名的代码段后，它不起作用。

我们得到的错误是这个（仅显示错误的第一部分，而不是堆栈跟踪）：

System.ServiceModel.Security.SecurityNegotiationException：无法为具有权限“172.30.224.46”的 SSL/TLS 安全通道建立信任关系。 ---> System.Net.WebException：底层连接已关闭：无法建立 SSL/TLS 安全通道的信任关系。 ---> System.Security.Authentication.AuthenticationException：根据验证过程，远程证书无效。

新证书是由他们自己的证书颁发机构颁发的，与我们自己生成的证书相比有一些差异，例如“使用”属性不同，或者例如我们的证书有“增强使用”属性而他们没有't。

我们在证书中注意到的另一个巨大区别是，它们是证书层次结构的一部分，其中有受信任的根证书，然后是中间证书颁发机构，而服务器中使用的证书位于该中间证书之下。

是否需要特殊配置来支持属于层次结构一部分的此类证书？对此你们能告诉我们什么吗？ ....我们需要一些帮助：S

我们还进行了创建自签名证书的测试以及在其环境中设置它所需的所有步骤，并且应用程序可以正常工作。

感谢您的帮助和关注，

安德烈·冈萨雷斯

原文

We've been working a lot in an application developed in VS 2010, C#, and WCF. We use Transport as the security mode, and in the TransportSecurity Properties set to None and None.

We are hosting the service in IIS6. After working a lot we managed to make it work using https. The Certificate we used was a self created one, created with the selfssl.exe tool. After creating the Certificate and storing it in the "Trusted Certificates" list, we set it as the Server Certificate in IIS for our Site, and also do the "binding" between the Certificate Thumbprint and the localhost address with the 443 port, using the httpcfg tool.

Well, we also use the famous piece of code not recommended for production (we are aware of that) that enables the validation of a Certificate that is not issued by a valid Certification Authority. This piece of code we took it from the MSDN WCF Hands On Lab. In this piece of code we give it the CN=NAME of the certificate and it works.

Ok, we finally got it to work. This was all in development. Now we are in the testing stage and they agreed to use the piece of code that enables the certificate. The problem is that the Certificate that we need to use, after setting it in the IIS and setting it to use the famous piece of code, it doesn't work.

The error we get is this one (only showing the first part of the error and not the stack trace):

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '172.30.224.46'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The new Certificate is issued by their own Certification Authority, and it has several differences in comparison with our Self-Generated one, for example the "Usage" properties are different, or for example our Certificate has a "Enhanced Usage" property and theirs don't.

The other great difference we notice in the Certificate is that theirs is part of a hierarchy of Certificates, where they have a Trusted Root Certificate, then an Intermediate Certification Authoity and the Certificate to use in the Server is under that Intermediate one.

Is a special configuration needed to support this kind of certificates that are part of a hierachy? What can you guys tell us about this? .... we need some help :S

We also made a test creating a Self-Signed Certificate and all the steps needed to set it up in their environment, and the application works.

Thanks for your help and attention,

Andrey Gonzalez

分享到QQ

分享到微博