一 概念
1、内容
证书的发布机构
证书的有效期
证书所有者(Subject)
签名所使用的算法
指纹以及指纹算法
公钥
私钥
2、存储区
3、有效性
二 作用
1、增强传输的安全性与消息的完整性
防止消息被查看与篡改
2、保证发信的不可抵赖性
三 创建、查看、导入、导出
1、运行命令“makecert -r -pe -n "CN=MyServer" -ss My -sky exchange”,创建并存储证书
2、运行“mmc”命令,弹出“Microsoft管理控制台”窗体。在此进行证书的查看、导入、导出等工作。
四 在WCF中使用X.509证书
WCF服务端
1、需要一个包含私钥的数字证书
makecert -r -pe -n "CN=MyServer" -ss My -sky exchange
2、Binding的Security模式设置为“Certificate”
代码方式
public class CustomX509CertificateValidator : X509CertificateValidator
{
public override void Validate(X509Certificate2 certificate)
{
}
}
var binding = new NetTcpBinding
{
Security =
{
Mode = SecurityMode.Message,
Message = { ClientCredentialType = MessageCredentialType.Certificate },
},
};
host.AddServiceEndpoint(contract, binding, contract.Name);
var serviceBehaviors = new List<IServiceBehavior>();
var serviceCredentials = new ServiceCredentials();
//设置数字证书
serviceCredentials.ServiceCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "MyServer");
//设置数字证书的有效性验证模式
serviceCredentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
serviceCredentials.ClientCertificate.Authentication.CustomCertificateValidator = new CustomX509CertificateValidator();
serviceBehaviors.Add(serviceCredentials);
foreach (var serviceBehavior in _serviceBehaviors)
{
if (host.Description.Behaviors.Contains(serviceBehavior.GetType()))
host.Description.Behaviors.Remove(serviceBehavior);
host.Description.Behaviors.Add(serviceBehavior);
}
WCF客户端
1、需要一个包含私钥的数字证书
makecert -r -pe -n "CN=MyClient" -ss My -sky exchange
2、Binding的Security模式设置为“Certificate”
代码方式
static ChannelFactory<T> GetFactory<T>(object callbackObject)
where T : IServiceContract
{
//获取数字证书
var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindBySubjectName, "MyClient", false);
if (certs.Count == 0)
throw new SecurityException("客户端未安装数字证书");
var cert = certs[0];
var binding = new NetTcpBinding(Properties.Settings.Default.BindingConfigurationName);
var address = new EndpointAddress(
new Uri(string.Format("{0}/{1}", Properties.Settings.Default.EndpointAddress, typeof(T).Name))
//, EndpointIdentity.CreateDnsIdentity("MyServer")
);
var factory = (callbackObject == null)
? new ChannelFactory<T>(binding, address)
: new DuplexChannelFactory<T>(callbackObject, binding, address);
var cc=factory.Endpoint.Behaviors.Find<ClientCredentials>();
cc.ClientCertificate.Certificate = cert;
cc.ServiceCertificate.Authentication.CertificateValidationMode=X509CertificateValidationMode.None;
return factory;
}
配置方式
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding">
<security mode="Message">
<message clientCredentialType="Certificate" algorithmSuite="Default" />
</security>
</binding>
</netTcpBinding>
</bindings>