WCF 相互证书的消息安全
下面是MSDN提供的方案。演示使用消息安全模式保护的 Windows Communication Foundation (WCF) 服务和客户端。 使用证书对客户端和服务进行身份验证。
实例代码下载
创建服务及客户端证书
相互证书的信息安全需要服务端和客户端进行相互验证,因此我们需要2个证书:服务端证书和客户端证书。接下来我们通过.NET自带的makecert.exe 先创建两个X.509证书:WCF.SecuritySampleCA(服务端)和WCF.SecuritySampleClientCA(客户端)。
Note:以下生成证书过程均在服务端完成。makecert.exe生成的证书只能作为开发测试使用,在正式部署时请不要使用。
创建服务端证书
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
LocalMachine:证书存储在本机。
WCF.SecuritySampleCA:证书的Subject名称。
授予对证书私钥的权限
创建Setup.bat 文件,内容如下。目的是使存储在 LocalMachine 存储中的服务器证书可以供 ASP.NET 工作进程帐户访问。
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
注意:
如果您使用的是非美国 英文版本的 Microsoft Windows,则必须编辑 Setup.bat 文件,并用与您所在的区域对应的帐户名称替换“NT AUTHORITY\NETWORK SERVICE”帐户名称。
FindPrivateKey.exe可以在实例代码包中找到。
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
导出服务端证书
服务端证书需要在客户端安装,因此需要导出后一起发布到客户端。
1.在运行窗口键入mmc打开证书管理器
2.选择File中的Add/Remove Snap-in
3.弹出窗口中选择Add...
4.选择Certificates -> Add
5.选择Computer account -> Next
6.选择LocalComputer -> Finish
7.Ok后即可进入管理页面
8.右键点击Personal下的Certificates中WCF.SecuritySampleCA
9.All tasks -> Export...
10.按照提示导出服务端证书WCF.SecuritySampleCA.cer,注意不要导出私钥(No,don't export private key)
导出客户端证书
导出后需要在客户端进行安装。
按照上面同样的方法导出客户端证书WCF.SecuritySampleClientCA.cer
创建WCF Service
在解决方案中创建一个WCF Service项目Service.Message.MutualCertificate,引用WcfSecuritySampleLibrary项目。 点击此处查看WcfSecuritySampleLibrary相关内容。
配置文件如下:
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
在IIS上部署WCF Service
编译通过后,将WCF Service部署到IIS上。
创建站点 WCF.SecuritySampleService,然后为该站点绑定服务证书:
1.右键Properties -> Dictionary Security -> Server Cetificate
2.根据提示选择Assign an existing certificate, 然后选择证书WCF.SecuritySampleCA
3.设置端口
证书绑定后,即可添加一个虚拟目录创建WCF Service。
![](https://images.cnblogs.com/cnblogs_com/syringa-flz/iis.jpg)
使用浏览器浏览该Service中的 Service.svc,配置成功的话,即可打开如下页面:
![](https://images.cnblogs.com/cnblogs_com/syringa-flz/servicepage1.jpg)
在Visual Studio 命令提示窗口键入如下命令,生成代理类Service.cs及客户端配置文件output.config。
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
创建客户端
解决方案中创建客户端项目Client.Message.MutualCertificate。具体实现参见实例中的2个项目Client.Message.MutualCertificate和BusinessLibrary。
安装证书
消息安全的互相验证需要在客户端安装服务端和客户端2个证书。安装方法很简单,只要双击在服务端导出的2个证书WCF.SecuritySampleCA.cer和WCF.SecuritySampleClientCA.cer,根据提示安装即可。
例如安装服务端证书:(服务端证书需要安装在客户端CurrentUser的Trusted People中)
1.双击证书
2.点击Install Certificate...
3.下一步后选择Place all certificates in the following store,然后点击Browse...
![](https://images.cnblogs.com/cnblogs_com/syringa-flz/installcer.jpg)
4.弹出窗口中选择Trusted People
![](https://images.cnblogs.com/cnblogs_com/syringa-flz/installcerTP.jpg)
5.OK.
客户端证书的安装步骤如上,唯一的区别是最后选择证书存储的路径不是Trusted People而是Personal。
客户端配置
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)
![](https://www.cnblogs.com/Images/OutliningIndicators/None.gif)