[英]WFC X509 certificate does not work with WSHttpBinding due to missing private key
同事,
當我嘗試將X509證書與.cer文件中的公鑰一起使用時,出現以下異常:
{“證書“ CN =名稱”必須具有私鑰。該進程必須具有對該私鑰的訪問權限。”}
這是我用來設置證書的客戶端代碼。 請注意,它是基於文件的。
var cert = new X509Certificate2(@"C:\mycert.cer");
credentials.ServiceCertificate.Authentication.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
credentials.ClientCertificate.Certificate = cert;
主機代碼:
namespace Host
{
class Program
{
static void Main(string[] args)
{
using (ServiceHost host = new ServiceHost(typeof(HelloIndigo.HelloIndigoService),
new Uri("http://localhost:8000/HelloIndigo")))
{
host.Open();
Console.WriteLine("Service is listening...");
Console.WriteLine();
Console.WriteLine("Number of base addresses: {0}", host.BaseAddresses.Count);
foreach (Uri uri in host.BaseAddresses)
{
Console.WriteLine("\t{0}", uri.ToString());
}
Console.WriteLine();
Console.WriteLine("Number of dispatchers (listeners): {0}", host.ChannelDispatchers.Count);
foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
{
Console.WriteLine("\t{0}, {1}", dispatcher.Listener.Uri.ToString(), dispatcher.BindingName);
}
Console.WriteLine();
Console.WriteLine("Press <ENTER> to terminate the host application");
Console.ReadLine();
}
}
}
}
主機App.config:
<?xml version="1.0"?>
<configuration>
<system.serviceModel>
<services>
<service name="HelloIndigo.HelloIndigoService" behaviorConfiguration="serviceBehavior">
<endpoint contract="HelloIndigo.IHelloIndigoService" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"/>
<endpoint contract="IMetadataExchange" binding="wsHttpBinding" bindingConfiguration="mexBinding" address="mex"/> <!-- -->
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="mexBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
<binding name="wsHttpBinding">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="serviceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" trustedStoreLocation="LocalMachine"/>
</clientCertificate>
<serviceCertificate findValue="name" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<diagnostics performanceCounters="ServiceOnly" wmiProviderEnabled="true">
<messageLogging logEntireMessage="true" logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" maxMessagesToLog="100000"/>
</diagnostics>
</system.serviceModel>
<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/></startup></configuration>
我能正常工作的唯一方法是使用公鑰/私鑰和密碼在pfx中生成證書,但我認為始終在客戶端上使用密碼並不安全。 有什么方法可以僅使用公共密鑰來針對服務驗證客戶端?
我的問題的答案是,要保證私鑰的安全性(這顯然是使用基於文件的客戶端證書的首要問題),首先需要將其導入商店,然后通過API查找從商店中使用它。 。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.