我有一个来自第三方的自签名证书 (.cer) 文件。我想在代码中使用该证书来连接到他们的 Web 服务(通过 HTTPS),而无需将其安装在 Windows 中的证书存储中。具体来说,这样团队中的所有其他开发人员就不必在本地安装此证书才能使连接为他们工作。
有没有办法在代码中做到这一点?它可以使用老式的 webservice-client 代码(使用 wsdl.exe 或 VS 的 Add Web Reference)或 WCF 客户端代码(使用 svcutil.exe 或 VS 的 Add Service Reference) - 我们还没有确定我们想要走哪条路然而。
我已经尝试过:
proxy.ClientCertificates.Add(X509Certificate.CreateFromCertFile(@"d:\temp\mycert.cer"));
使用老式的 Web 服务代码,没有运气 - 它仍然失败,并显示 Could not build trust relationship for the SSL/TLS secure Channel. ,直到我实际在证书存储中安装证书。同样的事情:
<identity>
<certificate encodedValue="the base64 encoded contents of the file" />
</identity>
在 app.config 的端点中使用 WCF 客户端技术。
谢谢
I have a self-signed certificate (.cer) file from a third party. I'd like to use that certificate in code to connect to their webservice (over HTTPS), without installing it in my cert store in Windows. Specifically this is so all the other developers on the team won't have to install this cert locally in order for the connection to work for them.
Is there a way to do this in code? It can use either old-fashioned webservice-client code (using wsdl.exe or VS's Add Web Reference) or WCF client code (using svcutil.exe or VS's Add Service Reference) - we haven't nailed down which way we want to go yet.
I've tried:
proxy.ClientCertificates.Add(X509Certificate.CreateFromCertFile(@"d:\temp\mycert.cer"));
with old-school webservice code, no luck - it still fails with Could not establish trust relationship for the SSL/TLS secure channel. until I actually install the cert in the cert store. Same thing for:
<identity>
<certificate encodedValue="the base64 encoded contents of the file" />
</identity>
in the endpoint in app.config using the WCF client techology.
Thanks
发布评论
评论(2)
您需要证书的原因是 HTTPS。 Web 服务通过传输安全 (HTTPS) 进行保护,其证书不受您的系统信任。要信任证书,常见的方法是将证书安装到证书存储中。这一切都不是 .NET 功能 - 它是 .NET 职责之外的 Windows 功能。
为了信任任意 SSL 证书,.NET 提供了回调方法,您可以在其中编写自己的代码来验证证书:
ServicePointManager.ServerCertificateValidationCallback。如果您只是从回调中返回 true,您将信任每个证书,但这仅用于开发和测试!部署到生产应用程序后,应使用证书存储中的证书或使用回调中定义的特定验证(不推荐)。The reason why you need the certificate is HTTPS. The web service is secured by transport security (HTTPS) with certificate not trusted by your system. To trust the certificate the common approach is installing the certificate to certification store. This all is not .NET feature - it is Windows feature outside of .NET responsibility.
To trust arbitrary SSL crtificate .NET offers callback method where you can make your own code used to validate certificate:
ServicePointManager.ServerCertificateValidationCallback. If you just return true from the callback you will trust every certificate but that is only for development and testing! Once deployed to production application should use certificate from certification store or use specific validation defined in the callback (not recommended)..NET 无法/不会处理明文文件中的证书+密钥组合(在本例中您需要该组合)。我还没有找到一种方法来构建它;它完全不会读取证书的明文密钥。
但是,即使容器没有密码,它也可以与 P12/PFX 容器一起使用。您甚至可以将其存储为编码字符串并通过此构造函数重新构造它:http:// /msdn.microsoft.com/en-us/library/ms148418.aspx
.NET can't/won't handle a cert+key combination (which you need in this case) from a plaintext file. I haven't found a way to construct one; it flat-out will not read a plaintext key for a cert.
It will, however, work with a P12/PFX container even if the container doesn't have a password. You can even store this as an encoded string and reconstitute it via this constructor: http://msdn.microsoft.com/en-us/library/ms148418.aspx