1 证书有两种作用,一种是SSL传输用,一种作为公钥私钥容器(非对称加密用)。
2,WCF安全分传输安全和消息安全。消息安全一种模式为Certificate。
<system.serviceModel> <bindings> <wsHttpBinding> <binding name="wsHttpBinding"> <security mode="Message"> <message clientCredentialType="Certificate"
/> </security> </binding> </wsHttpBinding> </bindings> <services> <service name="Test.Contract"> <endpoint address="Wshttp"
binding="wsHttpBinding" bindingConfiguration="wSHttpBinding"
name="wsHttpEndpoint"
contract="Test.IContract"> <identity> <!--<dns value="localhost.com"
/>--> </identity> </endpoint> <endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange"
/> </service> </services> <behaviors> <serviceBehaviors> <behavior> <!-- To avoid disclosing metadata information, set
the value below to false
and remove the metadata endpoint above before deployment --> <serviceMetadata httpGetEnabled="true"
/> <!-- To receive exception details in
faults for
debugging purposes, set
the value below to true. Set to false
before deployment to avoid disclosing exception information --> <serviceDebug includeExceptionDetailInFaults="false"
/> <serviceCredentials> <serviceCertificate storeLocation="CurrentUser"
findValue="CN=TesteCert"
/> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> |
客户端 配置
<system.serviceModel> <behaviors> <endpointBehaviors> <behavior> <clientCredentials> <serviceCertificate> <authentication certificateValidationMode="PeerTrust"
trustedStoreLocation="CurrentUser"
revocationMode="NoCheck"/> </serviceCertificate> <clientCertificate storeLocation="CurrentUser"
findValue="CN=TesTCert"/> </clientCredentials> </behavior> </endpointBehaviors> </behaviors> <bindings> <wsHttpBinding> <binding name="wsHttpEndpoint"> <security> <message clientCredentialType="Certificate"
/> </security> </binding> </wsHttpBinding> </bindings> <client> binding="wsHttpBinding"
bindingConfiguration="sHttpEndpoint" contract="Test.IContract"
name=“wsHttpEndpoint"> <identity> <certificate encodedValue="AwnvvqieXuGbI1rIMwGXUhxNdtUJlyKIgJdRI4xWlYEUU5vTXso/Xxpzu25EkVjslUj5bbY9VwhoFN5CCDINU7xukkxG0bErweXIJPW7Oo8LAQ3OduSD0r+2INkoziiLRxYoVcAgt8+9dLTfR+5QLrFrlxnp//eDiXY="
/> </identity> </endpoint> </client> </system.serviceModel> |
注意,1 :测试证书一定要是CA认证的,而能是self-sign的。 如何创建CA证书,可以参见
http://msdn.microsoft.com/en-us/library/ff648360.aspx
(Steps 7,
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky signature -pe tempCert.cer
应该改为
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky exchange -pe tempCert.cer
)
2:encodedValue可以通过wsdl获取,或者导出证书base604版本获取。
3:证书要复制到证书管理mmc里的”Trustd People“。
原文:http://www.cnblogs.com/zhangjiang/p/3511994.html