【Question title】: WCF Message security using certificates
【Posted】: 2011-02-16 19:07:27
【Question】:

I am trying to create a WCF service that uses message mode security with certificates. When I run the service code in IIS and in Cassini, I get the following message

It is likely that certificate 'CN=TempCA' may not have a private key that is capable of key exchange or the process may not have access rights for the private key.

I created the certificates with the following commands

makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer -sky Exchange -pe
makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr localmachine -ss My

TempCA.cer was imported into "Trusted Root Certification Authorities\Certificates" and SignedByCA.cer into "Personal\Certificates".

I then ran the following command

pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer

and imported TempCA.pfx into "Personal\Certificates".

The service configuration file is as follows (taken from an MSDN tutorial and modified for my project)

<system.serviceModel>
    <services>
      <service name="Service.Service1" behaviorConfiguration="wsHttpEnpointBinding">
        <endpoint address="http://localhost:5372/Service1.svc" binding="wsHttpBinding"
         bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint"
         contract="Service.Contracts.IService1" />
      </service>      
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <!-- Certificate storage path on the server -->
            <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
            <!-- Certificate storage path in the client -->
            <clientCertificate>
              <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            </clientCertificate>            
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="wsHttpEnpointBinding">
          <clientCredentials>
            <clientCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
            <serviceCertificate>
              <authentication certificateValidationMode="None" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"  />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>

I have spent quite some time trying to solve this but have made no real progress...

【Question comments】:

    Tags: .net wcf x509certificate


    【Answer 1】:

    The problem seems to be that the calling application's user account did not have permission to read the certificate.

    Grant permission to the Network Service account with the following command

    WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s Temp.cer -a "Network Services"
    

    ...and using the following binding resolved the problem

    <system.serviceModel>
        <services>
          <service name="Service.Service1" behaviorConfiguration="wsHttpEnpointBinding">
            <endpoint address="http://localhost:5372/Service1.svc" binding="wsHttpBinding"
             bindingConfiguration="wsHttpEndpointBinding" name="wsHttpEndpoint"
             contract="Service.Contracts.IService1" />
          </service>      
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="wsHttpEnpointBinding">
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceMetadata httpGetEnabled="true" />
              <serviceCredentials>
                <!-- Certificate storage path on the server -->
                <serviceCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
                <issuedTokenAuthentication allowUntrustedRsaIssuers="true" />
                <!-- Certificate storage path in the client -->
                <clientCertificate>
                  <certificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                </clientCertificate>            
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
          <endpointBehaviors>
            <behavior name="wsHttpEnpointBinding">
              <clientCredentials>
                <clientCertificate findValue="TempCA" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My"/>
                <serviceCertificate>
                  <authentication certificateValidationMode="None" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
        </behaviors>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpEndpointBinding">
              <security mode="Message">
                <message clientCredentialType="Certificate"  />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
      </system.serviceModel>
    

    【Comments】:
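As an added example (not code from the question or the answer), the following PowerShell script checks the two causes named in the error message from the question and then applies a least-privilege form of the fix in the answer: it finds the CN=TempCA certificate in LocalMachine\My, verifies that a private key is present, that the current user can open it, and that it was generated for key exchange (makecert -sky Exchange), and grants only Read on the key file to the hosting account. It assumes Windows PowerShell 5.1, a CAPI key such as makecert creates, and NT AUTHORITY\NETWORK SERVICE as the IIS identity; the account name, subject and paths are assumptions.

```powershell
# Added example, not code from the question or the answer. Assumes Windows
# PowerShell 5.1, a CAPI key (as makecert creates), subject CN=TempCA in
# LocalMachine\My and NT AUTHORITY\NETWORK SERVICE as the IIS identity.
param(
    [string]$Subject = 'CN=TempCA',
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

# 1. Is there a private key at all? Importing only a .cer gives HasPrivateKey = False.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the .pfx instead"
}

# 2. Can this user open the key? A "Keyset does not exist" error here is the ACL symptom.
try {
    $csp = $cert.PrivateKey.CspKeyContainerInfo
} catch {
    throw "Private key exists but cannot be opened by $env:USERNAME: $($_.Exception.Message)"
}
if (-not $csp) { throw "Private key is not a CAPI key or could not be opened by $env:USERNAME" }

# 3. Was the key created for exchange (makecert -sky Exchange) or for signature only?
if ($csp.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
    throw "Key spec is $($csp.KeyNumber); WCF message security needs an Exchange key"
}

# 4. Grant the service account Read on the key file only, nothing wider.
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $csp.UniqueKeyContainerName
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL so the change can be verified.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated prompt; if step 2 fails for the administrator as well, the key container itself is damaged or belongs to a different store and re-importing the .pfx is the fix rather than an ACL change.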
