
Self-signed certificates performance in WCF scenarios

I read that self-signed certificates suffer from performance issues (for example, here), but which ones exactly? I can guess this can be related to revocation checks or something but not sure.

I disagree with the article about "performance problems" in the use of certificates created by MakeCert.exe.

If no revocation information is included in the created certificate, then there can be no performance loss because of revocation. Probably the only thing which is specific to using a self-signed certificate is the following: you should include the self-signed certificate in the Root certificate store (Trusted Root Certification Authorities) or, better, in the AuthRoot certificate store (Third-Party Root Certificate Authorities) on all computers which will use it. After this your self-signing certificate will be not more worth as VeriSign root certificate in most scenarios. Of course, this way is possible only inside one company and can be difficult to use in enterprise scenarios with a lot of independent client computers.

By the way, it is possible to create a simple PKI with the MakeCert.exe utility. For example, you can create the self-signed root certificate of your mini CA:

MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 4096 -e 12/31/2020 -r ^
             -n "CN=My Company Root Authority,O=My Company,C=DE" MyCompany.cer

then you can create an additional child certificate:

MakeCert.exe -pe -ss MY -a sha1 -len 2048 -e 12/31/2020 -eku 1.3.6.1.5.5.7.3.2 ^
             -n "CN=My Name,O=My Company" -sky exchange ^
             -is MY -in "My Company Root Authority"

You can choose different enhanced key usage OIDs in the eku switch, depending on the scenarios in which you want to use the certificate.

To add the root certificate of your mini CA to the AuthRoot certificate store (Third-Party Root Certificate Authorities) we can use, for example, the CertMgr.exe utility:

CertMgr.exe -add -c MyCompany.cer -s -r localMachine AuthRoot

You can also create and use a Certificate Revocation List file if it is needed for your scenario.

See How to: Create Temporary Certificates for Use During Development and other How to articles for more examples.
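
To check the revocation point from the answer above on a given machine, the following PowerShell (an added example, not part of the original post) reports whether the child certificate carries any CRL or OCSP pointers and times chain building with revocation checking off and on. It assumes the child certificate from the MakeCert commands is in the CurrentUser\My store with a subject containing "CN=My Name"; `Test-Chain` and the variable names are hypothetical.

```powershell
# Added example. Assumes the child certificate created above is in CurrentUser\My.
$subjectMatch = 'CN=My Name'   # from the -n value used above; adjust as needed

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$subjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$subjectMatch' in CurrentUser\My" }

# Extensions that can send a validator to the network:
#   2.5.29.31          CRL Distribution Points
#   1.3.6.1.5.5.7.1.1  Authority Information Access (OCSP / CA issuers)
$networkOids = @{
    '2.5.29.31'         = 'CRL Distribution Points'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access'
}
$found = $cert.Extensions | Where-Object { $networkOids.ContainsKey($_.Oid.Value) }
if ($found) {
    $found | ForEach-Object { "Has $($networkOids[$_.Oid.Value]): $($_.Format($false))" }
} else {
    'No CRL/OCSP pointers in this certificate.'
}

# Build the chain under a given revocation mode and time it.
function Test-Chain {
    param(
        $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $Mode
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Certificate)
    $sw.Stop()
    [pscustomobject]@{
        RevocationMode = $Mode
        ChainValid     = $ok
        Milliseconds   = $sw.ElapsedMilliseconds
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainLength    = $chain.ChainElements.Count
    }
}

'NoCheck', 'Online' |
    ForEach-Object { Test-Chain -Certificate $cert -Mode $_ } |
    Format-Table -AutoSize
```

The Status column shows what the validator reports for each mode, including trust or validity-period errors if the root is not installed or the certificate has expired.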
