安全的自托管WCF服务:从文件加载证书
[英]Secured selfhosted WCF service: load certificate from file
问题描述
I have a selfhosted WCF service publishing a REST web API. 
我有一个自托管的WCF服务,它发布了REST Web API。 The service is configured programmatically, and currently is correctly working via HTTP. 该服务是通过程序配置的,目前可以通过HTTP正常运行。 Now I need to make it work over HTTPS, with an authentication based on certificate file. 现在,我需要使它通过基于证书文件的身份验证在HTTPS上运行。 I know the suggested way to do this is installing the certificate in the Windows Certificate Store on the server machine, but this way is not possible in my circumstances. 我知道执行此操作的建议方法是在服务器计算机上的Windows证书存储中安装证书,但是在我的情况下这种方法是不可能的。 I need to load the certificate from the file. 我需要从文件中加载证书。
After some resarches, I wrote my code, but when I try accessing the web service, a System.ServiceModel.CommunicationException is thrown, with the message: An error occurred while making the HTTP request to ... This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. 经过一些重新搜索之后,我编写了代码,但是当我尝试访问Web服务时,抛出System.ServiceModel.CommunicationException并显示以下消息:发出HTTP请求时出现错误...这可能是由于事实在HTTPS情况下,服务器证书未使用HTTP.SYS正确配置。 This could also be caused by a mismatch of the security binding between the client and the server. 这也可能是由客户端和服务器之间的安全绑定不匹配引起的。
Here's my code for the server side: 这是我在服务器端的代码:
_host = new WebServiceHost(_hostedService, Uri);
//Configuring the webHttpBinding settings
var httpBinding = new WebHttpBinding();
httpBinding.Security.Mode = WebHttpSecurityMode.Transport;
httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
httpBinding.SendTimeout = new TimeSpan(0, 5, 0);
httpBinding.MaxBufferSize = 2147483647;
httpBinding.MaxBufferPoolSize = 2147483647;
httpBinding.MaxReceivedMessageSize = 2147483647;
httpBinding.ReaderQuotas.MaxDepth = 2147483647;
httpBinding.ReaderQuotas.MaxStringContentLength = 2147483647;
httpBinding.ReaderQuotas.MaxArrayLength = 2147483647;
httpBinding.ReaderQuotas.MaxBytesPerRead = 2147483647;
httpBinding.ReaderQuotas.MaxNameTableCharCount = 2147483647;
//Add the endpoint with the webHttpBinding settings to the WebServiceHost configuration
_host.AddServiceEndpoint(typeof(IService), httpBinding, Uri);
ServiceDebugBehavior stp = _host.Description.Behaviors.Find<ServiceDebugBehavior>();
stp.HttpHelpPageEnabled = false;
ServiceBehaviorAttribute sba = _host.Description.Behaviors.Find<ServiceBehaviorAttribute>();
sba.InstanceContextMode = InstanceContextMode.Single;
ServiceMetadataBehavior smb = new ServiceMetadataBehavior() { HttpsGetEnabled = true };
_host.Description.Behaviors.Add(smb);
X509Certificate2 trustedCertificate = new X509Certificate2("certificate.pfx", "password");
_host.Credentials.ServiceCertificate.Certificate = trustedCertificate;
_host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
Here's my code for the client side: 这是我的客户端代码:
var httpBinding = new WebHttpBinding();
httpBinding.Security.Mode = WebHttpSecurityMode.Transport;
httpBinding.Security.Transport = new HttpTransportSecurity() { ClientCredentialType = HttpClientCredentialType.Certificate };
var httpUri = new Uri(String.Format("https://{0}:{1}", ipAddress, tcpPort));
var httpEndpoint = new EndpointAddress(httpUri);
var newFactory = new ChannelFactory<IService>(httpBinding, httpEndpoint);
newFactory.Endpoint.Behaviors.Add(new WebHttpBehavior());
X509Certificate2 trustedCertificate = new X509Certificate2("certificate.pfx", "password"); //SSL
newFactory.Credentials.ClientCertificate.Certificate = trustedCertificate;
var channel = newFactory.CreateChannel();
var response = channel.Ping("helo");
The Exception is thrown on the last line (channel.Ping("helo")). 在最后一行(channel.Ping(“ helo”))上引发异常。
I need to make it work WITHOUT installing the certificate on the server machine. 我需要使其无需在服务器计算机上安装证书即可工作。
Thank you very much. 非常感谢你。
Bye. 再见。
1 个解决方案
解决方案1
0 已采纳 2019-03-06 07:01:09
As far as I know, when we host the self-hosted WCF service over Https, whatever way we use (load certificate file or configure the certificate via Windows Certificate Store), it is impossible to make the service works normally. 据我所知,当我们通过Https托管自托管的WCF服务时,无论使用哪种方式(加载证书文件或通过Windows证书存储区配置证书),都无法使该服务正常工作。 The only way we need to do is binding the certificate manually by using the following command. 我们唯一需要做的方法是使用以下命令手动绑定证书。
netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
Here is official document, wish it is useful to you. 这是正式文件,希望对您有用。
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-configure-a-port-with-an-ssl-certificate
https://docs.microsoft.com/en-us/windows/desktop/http/add-sslcert https://docs.microsoft.com/en-us/windows/desktop/http/add-sslcert
Here are some examples were ever written by me. 这是我写过的一些例子。
WCF Service over HTTPS without IIS, with SSL Certificate from CERT and KEY strings or files 不带IIS的HTTPS上的WCF服务,带有来自CERT和KEY字符串或文件的SSL证书
Chrome (v71) ERR_CONNECTION_RESET on Self Signed localhost on Windows 8 Embedded Windows 8 Embedded的自签名本地主机上的Chrome(v71)ERR_CONNECTION_RESET
Feel free to let know if there is anything I can help with. 随时告诉我有什么可以帮助的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.