
Self Hosted WCF SSL

Just a quickie.

I am not sure how to approach securing a self hosted WCF service with an SSL certificate. When buying an SSL certificate, I need to do a certificate request based on the FQDN.

Using a self hosted WCF service,

  1. How do I generate a certificate request for a self hosted WCF service?
  2. How do I implement the FQDN for a certificate for a self hosted service? The self hosted service is accessed on a dynamic DNS name and a port.

Should I just generate a self signed certificate and use that?

Regards

The following link demonstrates the process and enumerates the steps for establishing a certificate signing request.
http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

We specify the following for our self-hosted WCF SSL services:

On the Subject tab:
1. In the Subject name area under Type, click Common Name.
2. In the Subject name area under Value, enter the fully qualified domain name, and then click Add.
3. In the Alternative name area under Type, click DNS.
4. In the Alternative name area under Value, enter the fully qualified domain name, and then click Add.

On the Extensions tab:
1. Click the Key usage arrow. In the Available options list, click Digital signature, and then click Add. Click Key encipherment, and then click Add.
2. Click the Extended Key Usage (application policies) arrow. In the Available options list, click Server Authentication and Client Authentication, and then click Add.
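The same request settings, as an added example that is not part of the answer above, expressed as a certreq.exe INF file generated from PowerShell. The FQDN svc.example.dyndns.org, the file names and port 8443 are placeholders; the netsh binding step is assumed because a self-hosted HTTPS endpoint listens through HTTP.sys.

```powershell
# Added example, not from the answer above: a certreq.exe INF encoding the CSR
# settings the answer lists (CN + DNS SAN = FQDN, Key Usage Digital Signature and
# Key Encipherment, EKU Server and Client Authentication).
# 'svc.example.dyndns.org', request.inf/request.csr and port 8443 are placeholders.
$fqdn = 'svc.example.dyndns.org'   # the dynamic DNS name clients actually connect to

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN must match the host name used in the client's endpoint address
Subject = "CN=__FQDN__"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeySpec = 1
; 0x80 Digital Signature + 0x20 Key Encipherment
KeyUsage = 0xA0
; LocalMachine store so the service process (not just the user) can read the key
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
; Subject Alternative Name: modern clients validate the DNS SAN, not the CN
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@ -replace '__FQDN__', $fqdn

Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Create the PKCS#10 request; the private key is generated in the machine store.
certreq.exe -new .\request.inf .\request.csr

# Once the CA returns cert.cer, join it to the pending private key:
#   certreq.exe -accept .\cert.cer
# A self-hosted WCF HTTPS endpoint listens through HTTP.sys, so the certificate
# must also be bound to the listening port (thumbprint of the installed cert):
#   netsh http add sslcert ipport=0.0.0.0:8443 certhash=<thumbprint> appid="{<GUID>}"
```

Clients will only accept the certificate if the DNS name they dial matches the SAN and the issuing CA is in their trust store, which is the point the second answer makes about self-signed certificates.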

The SSL certificate has two parts to it that you need to know about. The first is the host. This is sent back to the client, so they can verify that the SSL certificate is for what you THINK you were connecting to.

So your host name NEEDS to match the address you are using to connect to the WCF service.

The second part is the signature. This is to verify the SSL certificate has not been changed since it was issued. Think of it as a Counter Signature on your rental agreement.

Now what a Self Signed certificate means... well, it's exactly what it says on the tin. Your computer signed it. Whereas normally you would pay a Certificate Authority to sign it (think of it like getting a Judge to Counter Sign your rental agreement).

So the downside of the Self Signed cert is that no one trusts it, and for good reason.

For 99% of cases, your self signed cert is not going to be trusted by anyone.
