
我一直在尝试在我的开发计算机上使用客户端证书实现WCF传输安全(因此这台机器同时充当客户端和服务器),参考的是以下文章《使用客户端证书的WCF传输安全》:

http://msdn.microsoft.com/en-us/library/ff648498.aspx

http://msdn.microsoft.com/en-us/library/ff650751.aspx

我的环境是Windows 7上的IIS 7.5,使用Visual Studio 2008。一切看起来都没有问题,直到我向服务器发出请求——无论是打开IE浏览器访问我的某个.svc文件,还是运行我的Windows Forms .NET客户端应用程序并调用该服务——都会得到以下错误:

HTTP错误403.7 - 禁止

您尝试访问的页面要求浏览器具有Web服务器可识别的安全套接字层(SSL)客户端证书。

服务器配置文件:

<!-- Service-side wsHttpBinding: TLS on the transport with a mandatory X.509 client certificate. -->
<bindings>
  <wsHttpBinding>
    <!-- NOTE(review): both quotas are Int32.MaxValue, i.e. effectively unbounded;
         size them to the largest payload the service is expected to receive. -->
    <binding name="CertificateWithTransport"
             maxBufferPoolSize="2147483647"
             maxReceivedMessageSize="2147483647">
      <security mode="Transport">
        <!-- The caller must present a client certificate in the TLS handshake.
             The 403.7 quoted in the question is IIS reporting that the presented
             certificate is missing or not one it recognizes. -->
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

客户端配置文件:

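<?xml version="1.0" encoding="utf-8" ?>
<!-- Client configuration: every endpoint below calls https://localhost over the
     CertificateWithTransport binding and authenticates with the X.509 certificate
     selected by the clientCertificateConf behavior. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CertificateWithTransport"
                 closeTimeout="00:10:00" openTimeout="00:10:00"
                 receiveTimeout="00:10:00" sendTimeout="00:10:00"
                 bypassProxyOnLocal="false" transactionFlow="false"
                 hostNameComparisonMode="StrongWildcard"
                 maxBufferPoolSize="524288" maxReceivedMessageSize="655360"
                 messageEncoding="Text" textEncoding="utf-8"
                 useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
          <!-- Must match the service side: TLS transport with certificate client credentials. -->
          <security mode="Transport">
            <transport clientCredentialType="Certificate" realm="" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientCertificateConf">
          <!-- The certificate is looked up in the current user's Personal ("My") store by
               thumbprint, which identifies exactly one certificate.
               NOTE(review): a thumbprint copied from the certificate UI usually contains
               spaces and may carry an invisible leading character; if the lookup fails,
               retype it as contiguous hex and confirm it against the store. -->
          <clientCredentials>
            <clientCertificate findValue="32 52 dc 36 e1 95 fb be 4e 3c f6 a6 92 13 53 f4 b5 32 47 45"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindByThumbprint" />
          </clientCredentials>
          <!-- Alternative selector kept for reference. Matching by subject DN picks up any
               certificate in the store with that subject, so the thumbprint form above is
               the safer choice. -->
          <!--<clientCredentials>
            <clientCertificate findValue="CN=localhostclient"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectDistinguishedName" />
          </clientCredentials>-->
          <!-- NOTE(review): Int32.MaxValue removes the object-graph bound on deserialized replies. -->
          <dataContractSerializer maxItemsInObjectGraph="2147483647" />
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://localhost/Source.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="SourceServerReference.ISourceService"
                name="SourceService.wsHttp" />
      <endpoint address="https://localhost/Community.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="CommunityServerReference.ICommunityService"
                name="CommunityService.wsHttp" />
      <endpoint address="https://localhost/ActivityLeadContact.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="ActivityLeadContactServerReference.IActivityLeadContactService"
                name="ActivityLeadContactService.wsHttp" />
      <endpoint address="https://localhost/User.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="UserServerReference.IUserService"
                name="UserService.wsHttp" />
      <endpoint address="https://localhost/PickListItem.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="PickListItemServerReference.IPickListItemService"
                name="PickListItemService.wsHttp" />
      <endpoint address="https://localhost/Prospect.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="ProspectServiceReference.IProspectService"
                name="ProspectService.wsHttp" />
      <endpoint address="https://localhost/ActivityLead.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="ActivityLeadServiceReference.IActivityLeadService"
                name="ActivityLeadService.wsHttp" />
      <endpoint address="https://localhost/ActivityReferral.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="ActivityReferralServiceReference.IActivityReferralService"
                name="ActivityReferralService.wsHttp" />
      <endpoint address="https://localhost/Referral.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="ReferralServiceReference.IReferralService"
                name="ReferralService.wsHttp" />
      <!-- FIX: this endpoint referenced bindingConfiguration="LeadService.wsHttp", which is its
           own endpoint name and not a binding defined in the bindings section above; it now uses
           CertificateWithTransport like every other endpoint. -->
      <endpoint address="https://localhost/LeadService.svc"
                behaviorConfiguration="clientCertificateConf"
                binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
                contract="LeadServerReference.ILeadService"
                name="LeadService.wsHttp" />
    </client>
  </system.serviceModel>
</configuration>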

任何帮助将不胜感激!

回答


客户端证书可能不受信任。根据您提到的链接,客户端证书和服务器证书不是自签名的。

您应该检查颁发证书的CA(客户端证书和服务器证书各自的颁发CA)是否在本地计算机证书存储区中。同时检查这些CA发布的CRL是否也放在本地计算机存储区中并且仍然有效(CRL有有效期,到期后您需要发布新的CRL并放入存储区)。

您可以使用mmc工具来检查。

附注:我建议您使用xca来颁发证书和CRL。它有一个GUI,您可以设置证书和CRL的有效期,因此很容易发布有效期为100年的CRL。它还自带CA、客户端和服务器证书的默认模板。