C# WCF 上的 X.509 证书?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11482624/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
X.509 certificates on WCF?
提问by Nguy?n V?n Th?ng
Problem :
问题 :
I'm developing this program on one machine.
我正在一台机器上开发这个程序。
The service works fine in development server, but when I try to host the service in IIS it gives me an error that:
该服务在开发服务器中运行良好,但是当我尝试在 IIS 中托管该服务时,它给了我一个错误:
Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'WCFServer'.
无法使用以下搜索条件找到 X.509 证书:StoreName 'My'、StoreLocation 'CurrentUser'、FindType 'FindBySubjectName'、FindValue 'WCFServer'。
So is there anyway I can resolve this? I'm trying this code from
那么无论如何我可以解决这个问题吗?我正在尝试这个代码
http://www.codeproject.com/KB/WCF/9StepsWCF.aspx
http://www.codeproject.com/KB/WCF/9StepsWCF.aspx
certificate creation
证书创建
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfServer -sky exchange -pe
makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfClient -sky exchange -pe
Certificate is present in Personal and Trusted People folder in MMC
证书存在于 MMC 的 Personal 和 Trusted People 文件夹中
Service has one function which accepts a number and returns string and works fine
服务有一个函数,它接受一个数字并返回字符串并且工作正常
This is my service web.config:
这是我的服务 web.config:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WCFServiceCertificate.Service1" behaviorConfiguration="WCFServiceCertificate.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="WCFServiceCertificate.IService1">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<!--<identity>
<dns value="localhost"/>
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WCFServiceCertificate.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</clientCertificate>
<serviceCertificate findValue="WcfServer"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
This is my Client Config
这是我的客户端配置
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService1" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:1387/Service1.svc" behaviorConfiguration="CustomBehavior"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService1"
contract="ServiceReference1.IService1" name="WSHttpBinding_IService1">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAA9YoGKvsMLFkeO1WjaCLReQuz1ysgAAAAAQAAALUBAAAwggGxMIIBX6ADAgECAhDDvb3bnmzhsERpNTWEBYQXMAkGBSsOAwIdBQAwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3kwHhcNMTEwMzA0MDcwNzU3WhcNMzkxMjMxMjM1OTU5WjAUMRIwEAYDVQQDEwlXY2ZTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM9e4DwCDYJ4l6myt1QadHzXoqCH2wa1aUjiab1aK/7d/1LZ00KfPJw8kKB358serjEi9SMg0UeyGtl0+byJ8PqShfv4MUTHZcPaWy99vHaYHwH7T9hVwY5RANBWyFy6nf1rXDh/cB2qm0Q/xN5xElOtheFqUoL8Ua6fcP33BAWPAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAKlaHJQNdC9VgPuHlVuniQJd+fHoVOU62nl374iXYdQus5KDgKz9RHWAtjhpToBB4sOXOnwTkJfcyJWBf6J14Mw==" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="WcfClient"
x509FindType="FindBySubjectName"
storeLocation="CurrentUser"
storeName="My"/>
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
and simply calling the service at client end using this
并简单地使用它在客户端调用服务
Service1Client obj = new Service1Client();
Response.Write(obj.GetData(12));
Now when I run everything works fine without an issue.
现在,当我运行时,一切正常,没有问题。
As you can service is running at development server.
服务正在开发服务器上运行。
But when i try to host the service in IIS it gives me an error that
但是当我尝试在 IIS 中托管服务时,它给了我一个错误
Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindBySubjectName', FindValue 'WCFServer'.
无法使用以下搜索条件找到 X.509 证书:StoreName 'My'、StoreLocation 'CurrentUser'、FindType 'FindBySubjectName'、FindValue 'WCFServer'。
So is there anyway I can resolve this?
那么无论如何我可以解决这个问题吗?
采纳答案by zimdanen
As x0nmentioned, Cassini will run as your current user, but IIS will run as IUSR. Import the certificate, with private key, into LocalMachine\Personal (LocalMachine\My), and change your service config from this:
正如x0n 所提到的,Cassini 将作为您当前的用户运行,但 IIS 将作为 IUSR 运行。将带有私钥的证书导入到 LocalMachine\Personal (LocalMachine\My) 中,然后更改您的服务配置:
<serviceCertificate findValue="WcfServer"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
To this:
对此:
<serviceCertificate findValue="WcfServer"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
回答by Eiver
Obviously the certificate is not found in the configured location. Make sure what user do you use to run the service. Maybe the service is running on the local system account or local service account or IIS user and you installed the cert as a different user? in MMC add a snapin to see certs in the service acount or other account that you use for the service (not current user).
显然,在配置的位置找不到证书。确保您使用什么用户来运行服务。也许该服务正在本地系统帐户或本地服务帐户或 IIS 用户上运行,并且您以不同的用户身份安装了证书?在 MMC 中添加管理单元以查看服务帐户或用于服务的其他帐户(不是当前用户)中的证书。
回答by x0n
Install the certificate in "My" for the computer store in order to have it available for all users. You have it installed in "My" for the current user. The development server runs as the current user, so that's why it works.
在计算机商店的“我的”中安装证书,以便所有用户都可以使用它。您已为当前用户将其安装在“我的”中。开发服务器以当前用户身份运行,这就是它工作的原因。
回答by goblini
You will maybe have to set up dns value, meaning name of the Certificate, in the client>endopoint >indentity (as it is described in the code below )
您可能需要在 client>endopoint >indentity 中设置 dns 值,即证书的名称(如下面的代码所述)
<client>
<endpoint address="http://localhost/FrontPMWebServiceSetup111/FpmService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
contract="FPMServiceReference.IService" name="WSHttpBinding_IService">
<identity>
<dns value="WCfServer" />
</identity>
</endpoint>
</client>
