【Posted】: 2014-08-01 13:23:33
【Question】:
I am trying to connect from a WinForms client to a WCF service using a self-signed certificate generated by IIS, but no matter what I do I always get "Could not establish trust relationship for the SSL/TLS secure channel with authority ...".
My Web.config looks like this:
...
    <binding name="BasicHttpBinding_TransportCertificate">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
...
    <endpoint address="transportCertificate" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_TransportCertificate"
              name="TransportCertificateEndpoint" contract="MyService"/>
My client code looks like this:
    private void Ping(string endpointAddress)
    {
        // Transport security (HTTPS) with a client certificate, matching the server binding above.
        var binding = new BasicHttpContextBinding();
        binding.Security.Mode = BasicHttpSecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var service = new CMServiceReference.CMServiceClient(binding,
            new EndpointAddress(string.Format("{0}/{1}", endpointAddress, "transportCertificate")));
        // Client certificate is looked up by subject name in CurrentUser\My (Personal).
        service.ClientCredentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser,
            StoreName.My,
            X509FindType.FindBySubjectName,
            "server.domain.com");
        service.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.PeerTrust;
        service.Ping();
    }
Setting the certificate that is already installed on the client machine seems to work fine, but I still always get the same error when calling service.Ping(). I have played with the CertificateValidationMode options, but that doesn't seem to make any difference.
Am I missing something obvious?
EDIT after solving the problem
It turns out the self-signed certificate had been in the wrong store on the client all along. It needs to be in Local Machine / Trusted Root Certification Authorities. After that, it works without specifying "Certificate" on the WCF properties.
After putting the certificate in the right place, I just updated my Web.config to look like this:
...
    <binding name="BasicHttpBinding_TransportCertificate">
      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>
    </binding>
...
    <endpoint address="transportCertificate" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_TransportCertificate"
              name="TransportCertificateEndpoint" contract="MyService"/>
and my client code like this:
    private void Ping(string endpointAddress)
    {
        // Transport security (HTTPS) only; the service certificate is now trusted via the machine store.
        var binding = new BasicHttpContextBinding();
        binding.Security.Mode = BasicHttpSecurityMode.Transport;
        var service = new CMServiceReference.CMServiceClient(binding,
            new EndpointAddress(string.Format("{0}/{1}", endpointAddress, "transportCertificate")));
        service.Ping();
    }
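An added example (not the poster's code) of a narrower alternative to placing a self-signed certificate in Trusted Root Certification Authorities: a WCF custom validator that pins the service certificate by thumbprint while keeping validation switched on. It assumes .NET Framework 4.x, where WCF applies ClientCredentials.ServiceCertificate.Authentication to HTTPS transport security, and uses a placeholder thumbprint (PINNED_THUMBPRINT_PLACEHOLDER) that must be replaced with the real certificate's value.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts exactly one service certificate, identified by its thumbprint,
// instead of granting a self-signed certificate root-CA trust machine-wide.
public sealed class PinnedCertificateValidator : X509CertificateValidator
{
    private readonly string expectedThumbprint;

    public PinnedCertificateValidator(string thumbprint)
    {
        // Thumbprints copied from certmgr.msc often contain spaces; normalise them.
        expectedThumbprint = thumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        // Pinning alone would accept an expired certificate, so check the validity window too.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Service certificate is outside its validity period.");

        if (!string.Equals(certificate.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Service certificate does not match the pinned thumbprint.");
    }
}

public static class PinnedClientFactory
{
    // Same Transport-mode binding as in the question; only the trust decision changes.
    // PINNED_THUMBPRINT_PLACEHOLDER is a placeholder, not a real thumbprint.
    public static CMServiceReference.CMServiceClient Create(string endpointAddress,
        string pinnedThumbprint = "PINNED_THUMBPRINT_PLACEHOLDER")
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        var client = new CMServiceReference.CMServiceClient(binding,
            new EndpointAddress(string.Format("{0}/{1}", endpointAddress, "transportCertificate")));
        var auth = client.ClientCredentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedCertificateValidator(pinnedThumbprint);
        return client;
    }
}
```

When the self-signed certificate is rotated, the pinned thumbprint must be updated in the client, which is the trade-off for not trusting it as a CA.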
【Discussion】:
-
+1 for *not* asking how to avoid validation.