简体繁体 English

具有相同自签名证书的多种服务

[英]multiple services with same self-signed certificate

原文 2009-11-11 18:32:03 8 3 .net/ wcf/ certificate/ monitoring

I've got a WCF intranet application I'm working on that will have 150 clients controlled/monitored by a control application. 我有一个正在使用的WCF Intranet应用程序，它将有150个由控制应用程序控制/监视的客户端。 Is it kosher to create a self-signed certificate and install this same certificate on each of the 150 clients? 是否可以创建自签名证书并在150个客户端中的每个客户端上安装此相同证书？

I want security between the client and server but will not have authentication support from a domain controller et al. 我希望客户端和服务器之间具有安全性，但是将不具有域控制器等提供的身份验证支持。

Any pitfalls in using the same certificate on all these clients? 在所有这些客户端上使用相同证书有什么陷阱？

3 个解决方案

If the certificate is compromised, you will need to revoke it, generate a new one, and install it on every machine. 如果证书被破坏，则需要吊销它，生成一个新证书，然后将其安装在每台计算机上。 If each machine had their own, you would only need to revoke the one that can no longer be trusted, generate a new one, then install once. 如果每台计算机都有自己的计算机，则只需撤销不再受信任的计算机，生成新计算机，然后安装一次即可。

The pitfall is you won't really be able to distinguish between them unless they're passing some other form of identity along with the request. 陷阱是，除非他们在请求中传递其他形式的身份，否则您将无法真正区分它们。 Plus, if one of them is compromised, you essentially have to shut your entire service off because they all use the same certificate. 另外，如果其中之一遭到破坏，则实际上必须关闭所有服务，因为它们都使用相同的证书。 IMHO you want to create a client certificate per partner to avoid these problems. 恕我直言，您想为每个合作伙伴创建一个客户端证书，以避免出现这些问题。

The question I have though is, why aren't you just using transport security (ie SSL) instead of message security if all you care about is securing the communication and not providing identity? 但是，我的问题是，如果您关心的只是保护通信安全而不提供身份，为什么不只使用传输安全性（即SSL）而不是消息安全性呢？

absolutely not. 绝对不。 Websites use the same certificate for thousands/millions of users. 网站对成千上万的用户使用相同的证书。 Only the server will be able to decrypt the information of each client. 只有服务器才能解密每个客户端的信息。