通过IIS使用本地证书
[英]Using local certificates by IIS
问题描述
I've developed Web API service, that makes request ot another Web API, that need a personal certificate. 
我已经开发了Web API服务,该服务可以要求另一个需要个人证书的Web API。
When I developed this service on my local PC, I've just used HttpClient like this: 当我在本地PC上开发此服务时,我像这样使用了HttpClient:
_handler = new HttpClientHandler()
{ ClientCertificateOptions = ClientCertificateOption.Automatic };
_client = new HttpClient(_handler);
And my personal certificate was taken from my PC. 我的个人证书是从我的PC上获得的。
Then I wanted to publish my project to IIS 8 on Windows Server 2012 R2. 然后,我想将项目发布到Windows Server 2012 R2上的IIS 8。
First I've installed all certificates on server and set up Application pool in IIS, IIS is launched by service user, but my API application use pool of my account (certificate is binded to it). 首先,我已经在服务器上安装了所有证书,并在IIS中设置了应用程序池,IIS由服务用户启动,但是我的API应用程序使用了我帐户的池(证书已绑定到该池)。 But when I'm trying to make a request, I get an exception like this: 但是,当我尝试发出请求时,出现如下异常:
<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>An error occurred while sending the request.</ExceptionMessage>
<ExceptionType>System.Net.Http.HttpRequestException</ExceptionType>
<StackTrace/>
<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
</ExceptionMessage>
<ExceptionType>System.Net.WebException</ExceptionType>
<StackTrace>
at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context) at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
</StackTrace>
<InnerException>
<Message>An error has occurred.</Message>
<ExceptionMessage>
The remote certificate is invalid according to the validation procedure.
</ExceptionMessage>
<ExceptionType>
System.Security.Authentication.AuthenticationException
</ExceptionType>
<StackTrace>
at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
</StackTrace>
</InnerException>
</InnerException>
</InnerException>
I think that my problem is that IIS can't use certificates, that I've installed on Windows Server. 我认为我的问题是IIS无法使用我已经在Windows Server上安装的证书。
How can I solve this? 我该如何解决?
2 个解决方案
解决方案1
1 2018-10-05 07:24:39
The certificate must first of all be trusted, also access to reading the certificate can sometimes be a problem. 首先必须信任证书,而且有时读取证书的访问也会成为问题。 check that IIS_IUSERS (app pool user) has read access: 检查IIS_IUSERS(应用程序池用户)是否具有读取访问权限:
A better solution might be to create a real certificate (non-selfsigned) especially if this is a public api. 更好的解决方案可能是创建一个真实的证书(非自签名),尤其是在这是一个公共api的情况下。
Those no longer cost money, with services like let's encrypt and tools for IIS like win-acme (former lets-encrypt-win-simple) it will generate certificates for you for all bindings in your IIS but also has a lot of other options. 那些不再花钱的服务,包括让我们进行加密的服务以及诸如win-acme (以前的lets-encrypt-win-simple)之类的IIS工具,它将为您生成IIS中所有绑定的证书,但还有很多其他选择。
解决方案2
-2 2018-10-05 07:24:56
Use this before your call to HttpClient . 在调用HttpClient之前使用它。 Remember this code is only for development machines. 请记住,此代码仅适用于开发机器。 DO not use this in production 请勿在生产中使用
ServicePointManager.ServerCertificateValidationCallback =
delegate (
object s,
X509Certificate certificate,
X509Chain chain,
SslPolicyErrors sslPolicyErrors
) {
return true;
};
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.