WCF 服务和自定义 CA

WCF service and custom CA

我已经使用 openssl 创建了自定义证书颁发机构 (CA)。然后我使用前一个证书和来自 IIS 的请求创建了证书。所以现在我有了证书链。然后我将第二个绑定到我的 WCF 服务,一切都很好。然后在客户端上,我在受信任的根证书颁发机构中安装了我的 CA 证书,以使其能够识别我的自定义证书。 我的 WCF 服务目前 运行 在简单的 http 连接上。 服务器端:

<system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior name="SyncWcfServices.MainServiceBehavior">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
                <security mode="None">
                    <transport clientCredentialType="None"></transport>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service name="SyncWcfServices.MainService" behaviorConfiguration="SyncWcfServices.MainServiceBehavior">
            <endpoint address="/syncService.svc" binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize" contract="SyncWcfServices.IMainService"></endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"></endpoint>
        </service>
    </services>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

客户端:

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_IMainService" maxReceivedMessageSize="2147483647" sendTimeout="00:10:00">
                <security mode="None" />
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost/SyncService/SyncService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IMainService"
contract="SyncServiceReference.IMainService" name="WSHttpBinding_IMainService" />
    </client>
</system.serviceModel>

所以,我需要更改此设置以支持 SSL 连接。我已经阅读了很多 post 如何做到这一点,但总是使用 2 向认证检查,这意味着服务器必须检查客户端证书,客户端必须检查服务器证书。但我只希望客户端使用我安装的 CA 检查服务器证书。服务器将像以前一样使用普通凭据(用户名、密码)进行检查。我认为我必须将安全模式更改为双方的传输,并将服务器 mex 端点更改为 mexHttpsBinding,但接下来我应该做什么?请帮忙解决。 谢谢大家!

终于找到正确的方法了!所以服务器端:

    <system.serviceModel>
    <behaviors>
        <serviceBehaviors>
            <behavior name="SyncWcfServices.MainServiceBehavior">
                <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
                <serviceDebug includeExceptionDetailInFaults="true" />
                <serviceCredentials>
                <serviceCertificate
                    findValue = "*.mydomain.com"
                    storeLocation = "LocalMachine"
                    storeName = "My"
                    x509FindType = "FindBySubjectName"
                    />
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
                <security mode="Transport">
                    <transport clientCredentialType="None"></transport>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service name="SyncWcfServices.MainService" behaviorConfiguration="SyncWcfServices.MainServiceBehavior">
            <endpoint address="" binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize" contract="SyncWcfServices.IMainService"></endpoint>
            <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"></endpoint>
            <host>
                <baseAddresses>
                    <add baseAddress="http://localhost:8095/Design_Time_Addresses/SyncWcfServices/MainService/" />
                </baseAddresses>
            </host>
        </service>
    </services>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>

客户端:

    <system.serviceModel>
    <behaviors>
        <endpointBehaviors>
            <behavior name = "ServiceCertificate">
                <clientCredentials>
                    <serviceCertificate>
                        <authentication certificateValidationMode = "ChainTrust"/>
                    </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="ExtendedMaxSize" maxReceivedMessageSize="2147483647">
                <security mode="Transport">
                    <transport clientCredentialType="None"></transport>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://localhost/SyncService/SyncService.svc"
         binding="wsHttpBinding" bindingConfiguration="ExtendedMaxSize"
         behaviorConfiguration = "ServiceCertificate"
         contract="SyncServiceReference.IMainService" name="WSHttpBinding_IMainService">
        </endpoint>             
    </client>
</system.serviceModel>

希望对大家有所帮助! 另请参阅 Juval Lowy 和 Michael Montgomery 所著的 "Programming WCF Services"(第 4 版)一书。这是一本好书!