
C# in VS2010, using WCF, Hierarchical Certificates and IIS6

We've been working a lot on an application developed in VS 2010, C#, and WCF. We use Transport as the security mode, and in the TransportSecurity properties we set both to None and None.

We are hosting the service in IIS6. After a lot of work we managed to make it work using https. The certificate we used was a self-created one, created with the selfssl.exe tool. After creating the certificate and storing it in the "Trusted Certificates" list, we set it as the server certificate in IIS for our site, and also did the "binding" between the certificate thumbprint and the localhost address on port 443, using the httpcfg tool.

Well, we also use the famous piece of code not recommended for production (we are aware of that) that enables the validation of a certificate that is not issued by a valid Certification Authority. We took this piece of code from the MSDN WCF Hands On Lab. In this piece of code we give it the CN=NAME of the certificate and it works.

Ok, we finally got it to work. This was all in development. Now we are in the testing stage and they agreed to use the piece of code that enables the certificate. The problem is that the certificate we need to use doesn't work after setting it in IIS and setting it to use the famous piece of code.

The error we get is this one (only showing the first part of the error and not the stack trace):

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '172.30.224.46'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The new certificate is issued by their own Certification Authority, and it has several differences in comparison with our self-generated one; for example the "Usage" properties are different, or for example our certificate has an "Enhanced Usage" property and theirs doesn't.

The other great difference we notice in the certificate is that theirs is part of a hierarchy of certificates, where they have a Trusted Root Certificate, then an Intermediate Certification Authority, and the certificate to use in the server is under that intermediate one.

Is a special configuration needed to support this kind of certificate that is part of a hierarchy? What can you guys tell us about this? .... we need some help :S

We also made a test creating a self-signed certificate, with all the steps needed to set it up in their environment, and the application works.

Thanks for your help and attention,

Andrey Gonzalez

Usually you get this error when the server name stored in the certificate is different from the hostname you use on the client to refer to the server.

For example, your server certificate is issued for "yourserver.com" and you are trying to access it from the client using only "yourserver" or its IP address.
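The callback below is an added example, not code from the question, the answer, or the MSDN lab the asker mentions. It replaces the "accept everything" ServerCertificateValidationCallback with one that separates the two failure modes hidden behind "The remote certificate is invalid according to the validation procedure": a name mismatch (the answer's diagnosis, flagged as RemoteCertificateNameMismatch) and a chain that does not reach a trusted root on the client (RemoteCertificateChainErrors, the usual symptom when an intermediate CA is involved). It targets .NET Framework 4.0 as shipped with VS2010. The certificate file paths, the expected host (taken from the 'authority' in the error text) and the idea of pinning the customer's root thumbprint are assumptions for illustration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a diagnostic, non-blanket server certificate validator for a
// WCF client using transport security. Paths and host name are assumptions.
public static class ServerCertValidator
{
    // ASSUMED: local copies of the customer's root and intermediate CA
    // certificates (the hierarchy described in the question), exported as .cer.
    private const string RootCaPath = @"C:\certs\root-ca.cer";
    private const string IntermediateCaPath = @"C:\certs\intermediate-ca.cer";

    // ASSUMED: the host part of the endpoint address the client dials. It must
    // appear in the certificate's Subject Alternative Name (or CN), otherwise
    // the "with authority '...'" negotiation error is raised.
    private const string ExpectedHost = "172.30.224.46";

    // id-kp-serverAuth: the Enhanced Key Usage a TLS server certificate needs.
    private static readonly Oid ServerAuthEku = new Oid("1.3.6.1.5.5.7.3.1");

    public static void Install()
    {
        // WCF transport security (HTTPS) goes through ServicePointManager, so this
        // callback is consulted for every HTTPS request the process makes.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;   // the platform already validated name and chain

        X509Certificate2 cert = new X509Certificate2(certificate);
        Console.WriteLine("Server certificate subject: {0}", cert.Subject);

        // Failure mode 1: the name the client used is not in the certificate.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
        {
            Console.WriteLine("Name mismatch: client asked for '{0}'; certificate names:", ExpectedHost);
            foreach (X509Extension ext in cert.Extensions)
            {
                if (ext.Oid.Value == "2.5.29.17")            // subjectAltName
                    Console.WriteLine("  SAN: {0}", ext.Format(false));
            }
            Console.WriteLine("  CN : {0}", cert.GetNameInfo(X509NameType.DnsName, false));
            return false;  // fix the endpoint address or reissue the certificate
        }

        // Failure mode 2: the chain does not reach a trusted root on this client.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            X509Certificate2 root = new X509Certificate2(RootCaPath);
            X509Certificate2 intermediate = new X509Certificate2(IntermediateCaPath);

            X509Chain custom = new X509Chain();
            // Supply the intermediate so the chain can be completed even when IIS
            // does not send it and it is absent from the client's CA stores.
            custom.ChainPolicy.ExtraStore.Add(intermediate);
            custom.ChainPolicy.ExtraStore.Add(root);
            // Require Server Authentication; a certificate with no EKU extension
            // at all is valid for every purpose and still passes this check.
            custom.ChainPolicy.ApplicationPolicy.Add(ServerAuthEku);
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;  // test lab only
            // Let the chain build although the root is not in the machine store;
            // trust is then decided by pinning the root thumbprint below.
            custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            bool built = custom.Build(cert);
            foreach (X509ChainStatus s in custom.ChainStatus)
                Console.WriteLine("  chain status: {0} ({1})", s.Status, s.StatusInformation.Trim());
            if (!built)
                return false;  // e.g. PartialChain, NotTimeValid, NotValidForUsage

            X509Certificate2 last = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
            bool pinnedRoot = string.Equals(last.Thumbprint, root.Thumbprint,
                                            StringComparison.OrdinalIgnoreCase);
            Console.WriteLine("  chain ends at the expected root: {0}", pinnedRoot);
            return pinnedRoot;
        }

        return false;  // RemoteCertificateNotAvailable or anything unexpected
    }
}
```

Call ServerCertValidator.Install() once at client start-up, before the first WCF call. The console output tells you which case you are in: a name mismatch means the endpoint address (here an IP address) is not among the certificate's SAN entries or CN, which is the answer's scenario; chain errors with the intermediate listed as PartialChain or UntrustedRoot mean the client machine lacks the intermediate and root CA certificates. Outside a test lab the right fix for the second case is to import the root into the client's Trusted Root Certification Authorities store and the intermediate into Intermediate Certification Authorities, and to turn revocation checking back on, rather than keeping any custom callback at all.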
