
Does the client need a certificate for username authentication in WCF

Does the client need to install a certificate when using username authentication on a wsHttpBinding with WCF, or is this only needed on the host? And in any case, does this certificate need to be signed by a third party, or will it also work with a self-signed one?

My understanding is that I can use a self-signed certificate and set

<authentication certificateValidationMode="None" /> 

on the server side. Is this correct?

And one more thing. Do I need to put the cert in any specific store if I use a self-signed cert, or is that all the same? - Answer to self: the store is of no importance as long as the right store is set in code.

WCF will not permit username authentication without transport mode security, which means that you need a certificate.

There are two ways, as far as I know, to get a proper certificate:

  1. Purchase one from a trusted Certificate Authority.
  2. Become a Certificate Authority yourself and create certificates. This is not very useful unless you control both sides of the conversation. If you decide to make your own certificates, you can use MakeCert and Pvk2Pfx or OpenSSL to create chained encrypted certificates. Have a look at this how-to article that uses OpenSSL. Last but not least, note that you should keep the private key in a secure location.

Now you should have the following files (the names are for demonstrative purposes):

  • server.cer (public key for the server)
  • server.pfx (key exchange file for the server)
  • client.cer (public key for the client)
  • client.pfx (key exchange file for the client)

Then you can do the following:

  • On the server, in the local computer certificate store:

    1. Import server.pfx into the Personal folder. This will allow the server to encrypt messages with its private key and to decrypt messages that have been encrypted with its public key.
    2. Import client.cer into the Trusted People folder. This will allow the server to encrypt messages with the client's public key and decrypt messages that have been encrypted with the client's private key.
  • On the client, in the local computer certificate store:

    1. Import client.pfx into the Personal folder. This will allow the client to encrypt messages with its private key and to decrypt messages that have been encrypted with its public key.
    2. Import server.cer into the Trusted People folder. This will allow the client to encrypt messages with the server's public key and decrypt messages that have been encrypted with the server's private key.

Finally, in the configuration file of both client and service, set:

<authentication certificateValidationMode="ChainTrust"/> 

which will ensure that only certificates that can chain up to a certificate authority in the Trusted Root store will be valid.
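As an added illustration of the setup described in the question and the answer above (constructed example, not taken from the original post): a wsHttpBinding with message security and UserName client credentials, where the service presents server.pfx from its Personal store and the client trusts server.cer from its Trusted People store. The subject name `CN=server.example`, the behavior names and the contract are assumptions; the weak `None` mode is shown in a comment beside the stricter modes.

```xml
<!-- Service side (app.config / web.config), constructed example -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="UserNameOverMessage">
        <!-- Username/password travel inside the message, encrypted for the service certificate -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServerCertBehavior">
        <serviceCredentials>
          <!-- server.pfx imported into LocalMachine\Personal ("My"); subject name is an assumption -->
          <serviceCertificate findValue="CN=server.example"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Passwords are checked against Windows accounts (the default validation mode) -->
          <userNameAuthentication userNamePasswordValidationMode="Windows" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- Client side (app.config), constructed example -->
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior name="TrustServerCert">
        <clientCredentials>
          <serviceCertificate>
            <!-- server.cer imported into LocalMachine\Trusted People -->
            <defaultCertificate findValue="CN=server.example"
                                storeLocation="LocalMachine" storeName="TrustedPeople"
                                x509FindType="FindBySubjectDistinguishedName" />
            <!-- "None" accepts any certificate, so any host could pose as the service.
                 "PeerTrust" accepts exactly the certificates in Trusted People (a self-signed
                 cert works without a CA); "ChainTrust" needs a chain to a Trusted Root CA. -->
            <authentication certificateValidationMode="PeerTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
```

The client endpoint's identity (for example `<identity><dns value="server.example"/></identity>`) has to match the subject of the service certificate, otherwise WCF rejects the certificate at the client even though it is trusted.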
