Windows Identity Foundation WCF Service Certificates
I have recently set up a WCF service against an STS using WIF, and I am trying to understand the certificates needed and what they affect. I have a certificate against IIS allowing HTTPS communication, but in the STS configuration there is a reference to two more certificates, e.g.
<appSettings>
  <add key="SigningCertificateName" value="CN=STSTestCert"/>
  <add key="EncryptingCertificateName" value="CN=DefaultApplicationCertificate"/>
</appSettings>
In the MSDN documentation (http://msdn.microsoft.com/en-us/library/ee748498.aspx) it states:
The STS uses a default certificate to sign the tokens it issues. This cert is named “STSTestCert” and it is added to your certificate store automatically for use by the STS. The certificate file is present in the STS project. The password for the file is “STSTest”. This should not be used in a production exercise. You can replace the default certificate with any other certificate
My question is what are the Signing Certificate and Encrypting Certificate used for and what would be suitable certificates for a public facing service? Do I need 3 different ones?
Comments (1)
The claims that WIF is built around are delivered via tokens.
Each token is signed to prove that it came from the expected STS.
AFAIK, there is no way to remove the signed component of a token (which makes sense as otherwise any third party could generate them and "pretend" that they came from the STS).
These tokens can also be encrypted. If you were running across https, the whole message would be encrypted with the IIS certificate and the token would itself be encrypted again with the WIF encrypting certificate. The token encryption is optional. When you use FedUtil, one of the questions is "Do you want token encryption?". If you say "No", it is not encrypted. If you say "Yes", it is encrypted and you are then asked for the certificate.
If you wanted, you could use the same certificate for both token encryption and signing. From a security perspective, it makes sense to use two.
So the "most secure" solution would use three certificates.
You get the certificates in the normal manner from a trusted issuer.
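As an added example (not code from the question, the answer, or the WIF SDK sample STS), this is how the two appSettings keys from the question map onto WIF's signing and encrypting credentials inside a custom SecurityTokenService; the class name CustomSts and the helper CertificateFromAppSettings are mine, the types come from Microsoft.IdentityModel, and the IIS HTTPS certificate never enters this code at all.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class CustomSts : SecurityTokenService
{
    public CustomSts(SecurityTokenServiceConfiguration config) : base(config) { }

    // Resolve an appSettings key holding a subject DN (e.g. "CN=STSTestCert") to exactly one
    // certificate in LocalMachine\My. The IIS HTTPS certificate is a third, unrelated certificate.
    static X509Certificate2 CertificateFromAppSettings(string key)
    {
        string subjectName = ConfigurationManager.AppSettings[key];
        if (subjectName == "CN=STSTestCert")   // the SDK sample cert; its password is published on MSDN
            throw new InvalidOperationException(key + " still points at STSTestCert; replace it before deploying.");
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subjectName, false);
            if (found.Count != 1) throw new InvalidOperationException(subjectName + ": expected 1 certificate, found " + found.Count);
            return found[0];
        }
        finally { store.Close(); }
    }

    // Signing cert: the STS's own key pair, its private key signs every issued token. Encrypting cert:
    // the relying party's certificate, only its public key is used here and the RP's private key opens the token.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        var signing = new X509SigningCredentials(CertificateFromAppSettings("SigningCertificateName"));
        var scope = new Scope(request.AppliesTo.Uri.OriginalString, signing);
        if (string.IsNullOrEmpty(ConfigurationManager.AppSettings["EncryptingCertificateName"]))
            scope.TokenEncryptionRequired = false;   // the FedUtil "No" answer to token encryption
        else
            scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateFromAppSettings("EncryptingCertificateName"));
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        var identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
}
```

Because the encrypting certificate's private key lives only at the relying party, a compromise of the STS host exposes the signing key but not the ability to read tokens meant for the RP, which is the concrete reason the answer gives for keeping the two certificates separate.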