c# - 使用客户端证书的 WCF 传输安全

Question

我一直在处理以下 URL，以尝试在我的开发机器上使用客户端证书来实现 WCF 传输安全(因此我的盒子充当客户端和服务器)。

http://msdn.microsoft.com/en-us/library/ff648498.aspx

http://msdn.microsoft.com/en-us/library/ff650751.aspx

我的环境是 Windows 7 上的 Visual Studio 2008 和 IIS 7.5。一切似乎都很好，直到我通过打开 IE 并浏览到我的一个 .svc 文件或运行我的 Windows Form .NET 客户端应用程序并调用服务来向服务器发出请求，此时我得到以下错误:

HTTP 错误 403.7 - 禁止访问

您尝试访问的页面要求您的浏览器具有 Web 服务器可识别的安全套接字层 (SSL) 客户端证书。

服务器配置文件:

<bindings>
<wsHttpBinding>
    <binding name="CertificateWithTransport" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

客户端配置文件:

    <?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CertificateWithTransport" closeTimeout="00:10:00"
          openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="655360" messageEncoding="Text"
          textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="Transport">
            <transport clientCredentialType="Certificate" realm="" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientCertificateConf">
          <clientCredentials>
            <clientCertificate
              findValue="32 52 dc 36 e1 95 fb be 4e 3c f6 a6 92 13 53 f4 b5 32 47 45"
              storeLocation="CurrentUser"
              storeName="My"
              x509FindType="FindByThumbprint" />
            </clientCredentials>
          <!--<clientCredentials>
            <clientCertificate findValue="CN=localhostclient"
              storeLocation="CurrentUser"
              storeName="My"
              x509FindType="FindBySubjectDistinguishedName" />
          </clientCredentials>-->
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
        </behavior>
      </endpointBehaviors>
    </behaviors>  
    <client>
      <endpoint address="https://localhost/Source.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="SourceServerReference.ISourceService" name="SourceService.wsHttp" />
      <endpoint address="https://localhost/Community.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="CommunityServerReference.ICommunityService" name="CommunityService.wsHttp" />
      <endpoint address="https://localhost/ActivityLeadContact.svc"
        behaviorConfiguration="clientCertificateConf" binding="wsHttpBinding"
        bindingConfiguration="CertificateWithTransport" contract="ActivityLeadContactServerReference.IActivityLeadContactService"
        name="ActivityLeadContactService.wsHttp" />
      <endpoint address="https://localhost/User.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="UserServerReference.IUserService" name="UserService.wsHttp" />
      <endpoint address="https://localhost/PickListItem.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="PickListItemServerReference.IPickListItemService"
        name="PickListItemService.wsHttp" />
      <endpoint address="https://localhost/Prospect.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ProspectServiceReference.IProspectService" name="ProspectService.wsHttp" />
      <endpoint address="https://localhost/ActivityLead.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ActivityLeadServiceReference.IActivityLeadService"
        name="ActivityLeadService.wsHttp" />
      <endpoint address="https://localhost/ActivityReferral.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ActivityReferralServiceReference.IActivityReferralService"
        name="ActivityReferralService.wsHttp" />
      <endpoint address="https://localhost/Referral.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ReferralServiceReference.IReferralService" name="ReferralService.wsHttp" />
      <endpoint address="https://localhost/LeadService.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="LeadService.wsHttp"
        contract="LeadServerReference.ILeadService" name="LeadService.wsHttp" />
    </client>
  </system.serviceModel>
</configuration>

如有任何帮助，我们将不胜感激!

Answer 1

客户端证书可能不受信任。根据您提到的链接，客户端证书和服务器证书不是自签名的。

您应该检查颁发证书(客户端和服务器)的 CA 是否在本地计算机存储中。还要检查由 CA(颁发客户端和颁发服务器证书的 CA)颁发的 CRL 是否也放置在本地计算机存储中并且它是否有效(它具有有效期，之后您需要颁发另一个 CRL 并将其放置在商店里)。

您可以使用 mmc 工具来检查。

附注:我建议您使用 xca颁发证书和 CRL。它有一个 GUI，您可以为证书和 CRL 设置有效期，因此很容易颁发 100 年的 CRL。默认情况下，它还具有 CA、客户端和服务器证书的模板。