经过一周(!)的搜索,我希望有人能够告诉我我做错了什么。
我不断收到以下错误消息:
The X.509 certificate CN=localhost chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode.
从头开始。这是我的代码/配置服务器端:
ServiceHost svcHost = new ServiceHost(typeof(TestService));
// Enable metadata publishing.
ServiceMetadataBehavior smb = svcHost.Description.Behaviors.Find<ServiceMetadataBehavior>();
if (smb == null)
smb = new ServiceMetadataBehavior();
smb.HttpGetEnabled = true;
smb.MetadataExporter.PolicyVersion = PolicyVersion.Policy15;
svcHost.Description.Behaviors.Add(smb);
ServiceDebugBehavior sdb = svcHost.Description.Behaviors.Find<ServiceDebugBehavior>();
if (sdb == null) { sdb = new ServiceDebugBehavior(); svcHost.Description.Behaviors.Add(sdb); }
sdb.IncludeExceptionDetailInFaults = true;
// Meta data servicepoint
svcHost.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName, MetadataExchangeBindings.CreateMexHttpBinding(), "mex");
// Credentials
CustomUserNamePasswordValidator clientAuthenticationValidator = new TCustomUserNamePasswordValidator();
svcHost.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
svcHost.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = (UserNamePasswordValidator) clientAuthenticationValidator;
// Certificate
svcHost.Credentials.ServiceCertificate.Certificate = new X509Certificate2("TestServer.pfx", "password");
svcHost.Credentials.IssuedTokenAuthentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
svcHost.Credentials.IssuedTokenAuthentication.RevocationMode = X509RevocationMode.None;
svcHost.Credentials.IssuedTokenAuthentication.TrustedStoreLocation = StoreLocation.LocalMachine;
// Binding
NetTcpBinding netTcpBinding = new NetTcpBinding();
netTcpBinding.Security.Mode = SecurityMode.Message;
netTcpBinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
netTcpBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
netTcpBinding.ReliableSession.Enabled = true;
svcHost.AddServiceEndpoint(typeof(ITestService), netTcpBinding, "");
svcHost.Open();
使用以下 app.config 文件:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<services>
<service name="TestService">
<host>
<baseAddresses>
<add baseAddress="http://localhost:8080/" />
<add baseAddress="net.tcp://localhost:9595" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
</configuration>
我用来获取证书的以下命令:
根 CA:
makecert.exe -n "CN=TestCA" -r -pe -a sha512 -len 4096 -cy authority -sr LocalMachine -ss Root -sv TestCA.pvk TestCA.cer pvk2pfx.exe -pvk TestCA.pvk -spc TestCA.cer -pfx TestCA.pfx -po aaaaa
服务:
makecert.exe -n "CN=localhost" -iv TestCA.pvk -ic TestCA.cer -pe -a sha512 -len 4096 -b 12/14/2014 -e 01/01/2020 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv TestServer.pvk TestServer.cer pvk2pfx.exe -pvk TestServer.pvk -spc TestServer.cer -pfx TestServer.pfx -po aaaaa
我在受信任的根 CA 中导入 TestCA.cer,如代码所示,pfx 文件用作服务证书。
据我了解,我不必为客户端提供证书,因为它使用用户名凭据来验证自身,其中 servicecertificate 用于 ssl。 如前所述,一旦我启动客户端并调用函数,我就会收到上述异常。
我已经尝试使用 netsh 将 TestServer 证书附加到 9595 端口。我在同一台计算机上运行客户端和服务。
我真心希望有人能帮忙。
最佳答案
这些问题很可能是由客户端不“信任”的自签名证书引起的。为了适应这种情况,您有以下几种选择:
- 将自签名证书导入到客户端计算机的 “值得信赖的人”商店。
- 遵循 MSDN 指南 Create and Install Temporary Certificates in WCF for Message Security During Development
- 更新客户端软件以绕过定义的证书验证检查 here .
关于wcf - 信任链错误 NetTcpBinding 与消息(用户名)安全性,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/27486838/