WCF: Using Certificates to Establish Message-Level Security

makecert.exe -sr CurrentUser -ss My -n CN=clientcert -sky exchange -pe    creates the client certificate
makecert.exe -sr LocalMachine -ss My -n CN=servercert -sky exchange -pe   creates the server certificate
Copy the client certificate from Personal into Trusted People under Current User on the client machine, and into Trusted People under LocalMachine on the server machine.
Copy the server certificate from Personal into Trusted People under LocalMachine on the server machine, and into both Personal and Trusted People under CurrentUser on the client machine.
To move a certificate from one machine to another, export it to a *.cer file and import that file on the target machine.
 
Message-level security can be set up either through configuration or programmatically; the configuration sections are shown below:
Web.Config:
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name ="serviceBehavior">
          <serviceMetadata httpGetEnabled ="true"/>
          <serviceCredentials>              <!-- server-side certificate -->
            <serviceCertificate findValue="servercert" storeLocation ="LocalMachine" storeName ="My" x509FindType ="FindBySubjectName"/>
            <clientCertificate >
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name ="WCFSecurityServer.CalcImpl"  behaviorConfiguration ="serviceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress ="http://localhost:8080/WCFSecurity/service" />
          </baseAddresses>
        </host>
        <endpoint bindingConfiguration="serverBinding" binding ="basicHttpBinding" address ="" contract="WCFSecurityServer.ICalc" >
          <identity>                       <!-- server-side certificate -->
            <certificateReference findValue="servercert" storeLocation ="LocalMachine" storeName ="My" x509FindType ="FindBySubjectName"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name ="serverBinding" >
          <security mode ="Message">       <!-- message-level security -->
            <message clientCredentialType ="Certificate"/>  <!-- certificate authentication -->
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
 
Client configuration:
App.Config:
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_ICalc">
          <security mode="Message">      <!-- message-level security -->
            <message clientCredentialType="Certificate" /> <!-- certificate authentication -->
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name ="clientBehavior">
          <clientCredentials>              <!-- client certificate -->
            <clientCertificate findValue ="clientcert" storeLocation ="CurrentUser" storeName ="My" x509FindType ="FindBySubjectName" />
            <serviceCertificate>
              <authentication certificateValidationMode ="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://10.205.174.142:8080/WCFSecurity/service"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ICalc" behaviorConfiguration ="clientBehavior"
        contract="SecurityClient.ICalc" name="BasicHttpBinding_ICalc" >
        <identity>                        <!-- server-side certificate -->
          <certificateReference findValue="servercert" storeLocation ="CurrentUser" storeName ="My" x509FindType ="FindBySubjectName"/>
        </identity>
      </endpoint >
    </client>
  </system.serviceModel>
</configuration>
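The same server and client settings expressed in code instead of configuration, added here as an example; it is not code from the original post. It assumes a contract ICalc with a single placeholder operation Add (the post only names WCFSecurityServer.ICalc), the certificate subjects clientcert and servercert from the makecert commands above, and the base address from Web.Config. Both sides are built in one process purely to show the secured call; on the client machine the address would be the server's, as in App.Config.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Assumed contract: the post only names the interface, so Add() is a placeholder operation.
[ServiceContract]
public interface ICalc
{
    [OperationContract]
    int Add(int a, int b);
}

public class CalcImpl : ICalc
{
    public int Add(int a, int b) { return a + b; }
}

public static class MessageSecuritySetup
{
    // Equivalent of "serverBinding" / "BasicHttpBinding_ICalc":
    // message security, client authenticates with a certificate.
    // Server and client must build the identical binding or the security handshake fails.
    public static BasicHttpBinding CreateBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        return binding;
    }

    // Server side: mirrors <serviceCredentials> and <serviceMetadata> in Web.Config.
    public static ServiceHost CreateHost(string baseAddress)
    {
        var host = new ServiceHost(typeof(CalcImpl), new Uri(baseAddress));
        host.AddServiceEndpoint(typeof(ICalc), CreateBinding(), "");

        // <serviceCertificate findValue="servercert" storeLocation="LocalMachine" storeName="My" .../>
        // This store entry must carry the private key, which is why the server cert is created with -pe.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "servercert");

        // <clientCertificate><authentication certificateValidationMode="PeerOrChainTrust"/></clientCertificate>
        // PeerOrChainTrust: a client cert is accepted if it sits in Trusted People or chains to a trusted root.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;

        // <serviceMetadata httpGetEnabled="true"/>
        host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });
        return host;
    }

    // Client side: mirrors <clientCredentials> and <identity> in App.Config.
    public static ChannelFactory<ICalc> CreateFactory(string address)
    {
        // Programmatic stand-in for <identity><certificateReference findValue="servercert" .../></identity>:
        // a DNS identity checked against the server certificate's CN, plus the server's public
        // certificate taken from CurrentUser\My (the "default" service certificate).
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateDnsIdentity("servercert"));
        var factory = new ChannelFactory<ICalc>(CreateBinding(), endpoint);
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "servercert");

        // <clientCertificate findValue="clientcert" storeLocation="CurrentUser" storeName="My" .../>
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "clientcert");

        // <serviceCertificate><authentication certificateValidationMode="PeerOrChainTrust"/></serviceCertificate>
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerOrChainTrust;
        return factory;
    }

    public static void Main()
    {
        const string address = "http://localhost:8080/WCFSecurity/service"; // baseAddress from Web.Config
        ServiceHost host = CreateHost(address);
        host.Open();
        ChannelFactory<ICalc> factory = CreateFactory(address);
        try
        {
            ICalc proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Add(2, 3)); // signed and encrypted at the SOAP message level, not by HTTPS
            factory.Close();
        }
        finally
        {
            host.Close();
        }
    }
}
```

Because security is applied to the SOAP message rather than the transport, the endpoint stays on plain http:// as in the configs; the server certificate encrypts the request body and the client certificate signs it, which is why both public certificates have to be present on both machines.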
 
Common errors:
1. Client: Cannot load the X.509 certificate identity specified in the configuration.
Cause: the server certificate cannot be found in the Personal store.
Fix: import the server certificate into the Personal and Trusted People stores under Current User on the client machine.
 
2. Client: The X.509 certificate CN=servercert is not in the trusted people store. The X.509 certificate CN=servercert chain building failed. The certificate that was use has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Cause: the server certificate cannot be found in Trusted People.
Fix: import the server certificate into the Personal and Trusted People stores under Current User on the client machine.
 
3. Client: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. At least one security token in the message could not be validated.
Cause: the client certificate cannot be found in Trusted People on the server.
Fix: import the client certificate into the Trusted People store under LocalMachine on the server machine.
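A preflight check for the store layout described at the top of the post, which is also what the three errors above come down to. It is an added example, not code from the original post: it assumes the subject names clientcert and servercert from the makecert commands and the placement rules given above, and the ErrorIfMissing strings are labels of my own that map each store slot to the symptom listed above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public static class CertStoreCheck
{
    public struct Expectation
    {
        public StoreLocation Location;
        public StoreName Store;
        public string Subject;
        public bool NeedsPrivateKey;   // only the owner of a certificate needs its private key
        public string ErrorIfMissing;  // symptom from the error list above (label, assumed mapping)
    }

    // Expected layout on the client machine, per the copy steps at the top of the post.
    public static readonly Expectation[] ClientMachine =
    {
        new Expectation { Location = StoreLocation.CurrentUser, Store = StoreName.My,            Subject = "clientcert", NeedsPrivateKey = true,  ErrorIfMissing = "client cannot sign requests" },
        new Expectation { Location = StoreLocation.CurrentUser, Store = StoreName.TrustedPeople, Subject = "clientcert", NeedsPrivateKey = false, ErrorIfMissing = "copy step from the post" },
        new Expectation { Location = StoreLocation.CurrentUser, Store = StoreName.My,            Subject = "servercert", NeedsPrivateKey = false, ErrorIfMissing = "error 1: cannot load X.509 certificate identity" },
        new Expectation { Location = StoreLocation.CurrentUser, Store = StoreName.TrustedPeople, Subject = "servercert", NeedsPrivateKey = false, ErrorIfMissing = "error 2: CN=servercert is not in the trusted people store" },
    };

    // Expected layout on the server machine.
    public static readonly Expectation[] ServerMachine =
    {
        new Expectation { Location = StoreLocation.LocalMachine, Store = StoreName.My,            Subject = "servercert", NeedsPrivateKey = true,  ErrorIfMissing = "service cannot decrypt client messages" },
        new Expectation { Location = StoreLocation.LocalMachine, Store = StoreName.TrustedPeople, Subject = "servercert", NeedsPrivateKey = false, ErrorIfMissing = "copy step from the post" },
        new Expectation { Location = StoreLocation.LocalMachine, Store = StoreName.TrustedPeople, Subject = "clientcert", NeedsPrivateKey = false, ErrorIfMissing = "error 3: security token could not be validated" },
    };

    // Returns one line per problem; an empty list means every expected certificate is in place.
    public static List<string> Check(IEnumerable<Expectation> expectations)
    {
        var problems = new List<string>();
        foreach (Expectation e in expectations)
        {
            var store = new X509Store(e.Store, e.Location);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // validOnly:false, otherwise the self-signed makecert certificates are filtered out
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindBySubjectName, e.Subject, false);
                string where = e.Location + "\\" + e.Store + " " + e.Subject;
                if (found.Count == 0)
                    problems.Add(where + ": missing -> " + e.ErrorIfMissing);
                else if (found.Count > 1)
                    // FindBySubjectName is a substring match; WCF rejects an ambiguous result
                    problems.Add(where + ": " + found.Count + " matches, make the subject name unique");
                else if (e.NeedsPrivateKey && !found[0].HasPrivateKey)
                    problems.Add(where + ": present but without private key (imported from a .cer only?)");
            }
            finally
            {
                store.Close();
            }
        }
        return problems;
    }

    public static void Main(string[] args)
    {
        // Run with "server" on the service machine; anything else checks the client layout.
        Expectation[] expected = args.Length > 0 && args[0] == "server" ? ServerMachine : ClientMachine;
        List<string> problems = Check(expected);
        if (problems.Count == 0) Console.WriteLine("all expected certificates are present");
        foreach (string p in problems) Console.WriteLine(p);
    }
}
```

Running this on each machine before opening the host turns the three runtime faults above into a plain list of which store is missing which certificate, and the private-key check catches the case where a certificate was imported from the exported .cer into a store that actually needs the key.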