WCF X509Certificates certificate authentication

1. A certificate serves two purposes: one is SSL transport, the other is acting as a container for a public/private key pair (for asymmetric encryption).

2. WCF security is divided into transport security and message security. One credential type for message security is Certificate.

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Test.Contract">
      <endpoint address="Wshttp" binding="wsHttpBinding"
                bindingConfiguration="wsHttpBinding" name="wsHttpEndpoint" contract="Test.IContract">
        <identity>
          <!--<dns value="localhost.com" />-->
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true" />
        <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate storeLocation="CurrentUser" findValue="CN=TesteCert" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

Client configuration

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior>
        <clientCredentials>
          <serviceCertificate>
            <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck" />
          </serviceCertificate>
          <clientCertificate storeLocation="CurrentUser" findValue="CN=TesTCert" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpEndpoint">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost/test.svc"
              binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
              contract="Test.IContract" name="wsHttpEndpoint">
      <identity>
        <certificate encodedValue="AwnvvqieXuGbI1rIMwGXUhxNdtUJlyKIgJdRI4xWlYEUU5vTXso/Xxpzu25EkVjslUj5bbY9VwhoFN5CCDINU7xukkxG0bErweXIJPW7Oo8LAQ3OduSD0r+2INkoziiLRxYoVcAgt8+9dLTfR+5QLrFrlxnp//eDiXY=" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>


Notes: 1. The test certificate must be CA-signed; it must not be self-signed. For how to create a CA certificate, see

http://msdn.microsoft.com/en-us/library/ff648360.aspx 

(Step 7: the command

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky signature -pe tempCert.cer
should be changed to
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky exchange -pe tempCert.cer

2. The encodedValue can be obtained from the WSDL, or by exporting the certificate in Base64 format.

3. The certificate must be copied into the "Trusted People" store in the Certificates MMC snap-in.
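The same settings as the two config blocks above, applied in code, plus the Base64 export that note 2 refers to; this is an added example, not code from the original post. The subject names, contract and URL are the ones the post uses, the class and method names are my own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
// Added example, not from the original post: the same settings as the two
// config blocks above, applied in code. The subject names, contract name and
// URL are the ones the post uses; the class and method names are my own.
public static class CertificateMessageSecurity
{
    // Note 2 above: encodedValue is the Base64 encoding of the DER certificate.
    public static string EncodedValue(X509Certificate2 cert)
    {
        return Convert.ToBase64String(cert.Export(X509ContentType.Cert));
    }

    // Equivalent of <security mode="Message"><message clientCredentialType="Certificate"/>.
    public static WSHttpBinding MessageCertificateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }
    // Service side: equivalent of <serviceCredentials><serviceCertificate .../>.
    public static void ConfigureHost(ServiceHost host)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=TesteCert");
    }

    // Client side: equivalent of <clientCredentials> plus the <identity> element;
    // serviceCert is the certificate whose encodedValue the config embeds.
    public static ChannelFactory<TContract> ConfigureClient<TContract>(X509Certificate2 serviceCert)
    {
        var address = new EndpointAddress(new Uri("http://localhost/test.svc"),
            EndpointIdentity.CreateX509CertificateIdentity(serviceCert));
        var factory = new ChannelFactory<TContract>(MessageCertificateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, "CN=TesTCert");
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        // PeerTrust: the service cert must sit in the Trusted People store (note 3).
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.TrustedStoreLocation = StoreLocation.CurrentUser;
        // As in the post's config; NoCheck skips CRL/OCSP revocation checking.
        auth.RevocationMode = X509RevocationMode.NoCheck;
        return factory;
    }
}
```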


Posted @ 2014-01-09 12:37 by 张江节度使, 588 reads, 0 comments