X509 certificate implementation best practices

Published 2024-11-06 01:41:23


Firstly, thanks to all those patient techies trying to help unknown people.

Secondly, I have a WCF service which should be consumed by only several clients (10) known to our company. This WCF service has the X509 certificate "CN=ABCD". Now it expects to receive a certificate in turn from clients to consume this service. So here are the design questions:

  1. Should I create one certificate "CN=ABCD", then right-click on it and export it as .pfx files and distribute them to clients?
  2. Some say to validate in code and some say to validate in config; which is better?
  3. How should I know which client is calling, as the certificate has the same name for all if my company distributes it?
  4. What is the difference between a .cer file and a .pfx file?
  5. When passing the certificate to clients, will I be giving both .cer and .pfx files?
  6. How should I be revoking only one client if it expires?
  7. My company already has a certificate like *.fdfd.org. Can I use this as my X509Certificate instead of generating one?

Many questions!
But due to a lot of frustration, I wanted to have the opinion of developers out there because I couldn't get the right info.


冬天旳寂寞 2024-11-13 01:41:23
  • NO. You must have a separate certificate for the service, and you should have one certificate for each client. Once you share the private key of your service, your security is gone.
  • You can either install the public keys of the client certificates to Machine\Trusted People (a client with any trusted certificate will have access to your service), or you can use a custom certificate validator (only for message security - according to your previous question you probably use message security) to validate really only those 10 certificates.
  • This is only possible if you create a separate certificate for each client. It is also possible to combine the certificate with a supporting user name and password, but it requires very advanced WCF configuration, and sharing a single certificate among multiple clients is still a bad decision.
  • A certificate is just a container for some information - keys for asymmetric encryption. A .cer contains only the public key, which can be freely distributed - you will probably have to distribute the .cer file of your service's certificate among the clients. A .pfx contains both the public and the private key and must be secured as much as possible. Once a .pfx file is compromised, the certificate is not secure any more and must be replaced. Because of that you must keep your service's .pfx (installed in the certificate credential store), and each client must keep its own .pfx.
  • If you create certificates for clients, you will pass at least the .pfx to them. Obviously, once you send such a certificate by unsecured email you seriously hurt the security.
  • If one client expires, you will remove its certificate from the trusted certificates. If you have your own certification authority (which you should have if you want to create certificates for clients)
  • If your service sits on fdfd.org you can probably use it, but only for the service.
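Putting the answer's custom-validator suggestion into code, as an added example that is neither the asker's nor the answerer's: a WCF X509CertificateValidator that accepts only the per-client certificates on an allow list keyed by thumbprint, which also covers question 3, since a distinct certificate per client identifies the caller. The thumbprints, client names, and type/assembly names are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Custom WCF validator (added example): accepts only the certificates the service
// operator issued to its known clients and rejects everything else, including
// certificates that happen to chain to a trusted root.
public sealed class AllowListCertificateValidator : X509CertificateValidator
{
    // Constructed placeholder thumbprints (SHA-1, as X509Certificate2.Thumbprint reports them)
    // mapped to a client name. In practice load this from configuration or a store.
    // Revoking one client's access = deleting its entry here; nobody else is affected.
    private static readonly Dictionary<string, string> AllowedClients =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678", "Client-01" },
            { "0123456789ABCDEF0123456789ABCDEF01234567", "Client-02" },
        };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException(nameof(certificate));

        // Reject certificates outside their validity period regardless of the list.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() ||
            now > certificate.NotAfter.ToUniversalTime())
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is expired or not yet valid.");

        // Pin on the thumbprint, not on the subject name: with one certificate per client
        // the thumbprint both authenticates the caller and tells you which client it is.
        if (!AllowedClients.TryGetValue(certificate.Thumbprint, out string clientName))
            throw new SecurityTokenValidationException(
                "Client certificate " + certificate.Subject + " is not on the allow list.");

        // clientName is now known; the service can also read the caller later via
        // ServiceSecurityContext.Current.PrimaryIdentity.
    }
}

// Wiring it up in the service's config (message security with client certificates):
// <serviceCredentials>
//   <clientCertificate>
//     <authentication certificateValidationMode="Custom"
//       customCertificateValidatorType="MyNamespace.AllowListCertificateValidator, MyAssembly" />
//   </clientCertificate>
// </serviceCredentials>
```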