  • WCF X509Certificates Certificate Authentication

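    1. A certificate serves two purposes: one is SSL transport, the other is as a container for a public/private key pair (used for asymmetric encryption).

    2. WCF security is divided into transport security and message security. One of the message security modes is Certificate.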

    <system.serviceModel>
        <bindings>
          <wsHttpBinding>
            <binding name="wsHttpBinding">
              <security mode="Message">
                <message clientCredentialType="Certificate" />
              </security>
            </binding>
          </wsHttpBinding>      
        </bindings>
        <services>
          <service name="Test.Contract">
            <!-- bindingConfiguration must match the binding name defined above -->
            <endpoint address="Wshttp" binding="wsHttpBinding"
                      bindingConfiguration="wsHttpBinding" name="wsHttpEndpoint" contract="Test.IContract">
              <identity>
                <!--<dns value="localhost.com" />-->
              </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true" />
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false" />
              <serviceCredentials>
                <serviceCertificate storeLocation="CurrentUser" findValue="CN=TesteCert" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
    </system.serviceModel>
    

    Client configuration

    <system.serviceModel>
          <behaviors>
            <endpointBehaviors>
              <behavior>
                <clientCredentials>
                  <serviceCertificate>
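                    <!-- PeerTrust: the service certificate must be present in the Trusted People store (see note 3).
                         revocationMode="NoCheck" turns off revocation checking. -->
                    <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck"/>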
                  </serviceCertificate>
                  <clientCertificate  storeLocation="CurrentUser" findValue="CN=TesTCert"/>
                </clientCredentials>
                
              </behavior>
            </endpointBehaviors>
          </behaviors>
          
            <bindings>
                <wsHttpBinding>
                    <binding name="wsHttpEndpoint">
                        <security>
                            <message clientCredentialType="Certificate" />
                        </security>
                    </binding>
                </wsHttpBinding>
            </bindings>
            <client>
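                <!-- bindingConfiguration must match the binding name defined above;
                     the address must be the one the service endpoint actually listens on -->
                <endpoint address="http://localhost/test.svc"
                    binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
                    contract="Test.IContract" name="wsHttpEndpoint">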
                    <identity>
                        <certificate encodedValue="AwnvvqieXuGbI1rIMwGXUhxNdtUJlyKIgJdRI4xWlYEUU5vTXso/Xxpzu25EkVjslUj5bbY9VwhoFN5CCDINU7xukkxG0bErweXIJPW7Oo8LAQ3OduSD0r+2INkoziiLRxYoVcAgt8+9dLTfR+5QLrFrlxnp//eDiXY=" />
                    </identity>
                </endpoint>
            </client>
        </system.serviceModel>
    

     

    Notes:

    1. The test certificate must be issued by a CA; it cannot be self-signed. For how to create a CA certificate, see

    http://msdn.microsoft.com/en-us/library/ff648360.aspx

    In Step 7 of that guide, the command

    makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky signature -pe tempCert.cer

    should be changed to

    makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky exchange -pe tempCert.cer

    so that the key is created as an exchange key rather than a signature key.

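    2. The encodedValue can be obtained from the WSDL, or by exporting the certificate in Base64 format.

    3. The certificate must be copied to "Trusted People" in the certificate management MMC.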
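
The Step 7 correction and notes 2 and 3 can be checked and carried out from a script. This is an added example, not part of the original post; it assumes Windows PowerShell 5.1 and a CSP-backed RSA key such as makecert creates, and the function name `Publish-PeerTrustCertificate` is hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post. Assumes Windows PowerShell 5.1 and
# a CSP-backed RSA key such as makecert creates. The function name is hypothetical;
# 'CN=tempCert' is the subject used in the makecert command above.
function Publish-PeerTrustCertificate {
    param([string]$SubjectDN = 'CN=tempCert')

    # Find the certificate in CurrentUser\My by subject distinguished name,
    # which is how the config's findValue is matched by default.
    $byDN = [X509FindType]::FindBySubjectDistinguishedName
    $my = [X509Store]::new([StoreName]::My, [StoreLocation]::CurrentUser)
    $my.Open([OpenFlags]::ReadOnly)
    try {
        $found = $my.Certificates.Find($byDN, $SubjectDN, $false)
    } finally {
        $my.Close()
    }
    if ($found.Count -ne 1) {
        throw "Expected one certificate for '$SubjectDN', found $($found.Count)."
    }
    $cert = $found[0]

    # Step 7 correction: the key must have been created with -sky exchange.
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
    $keyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
    if ($keyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
        throw "Key type is '$keyNumber'; recreate the certificate with -sky exchange."
    }

    # Note 3: copy only the public certificate into Trusted People, the store
    # that certificateValidationMode="PeerTrust" checks.
    $publicOnly = [X509Certificate2]::new([byte[]]$cert.RawData)
    $trusted = [X509Store]::new([StoreName]::TrustedPeople, [StoreLocation]::CurrentUser)
    $trusted.Open([OpenFlags]::ReadWrite)
    try {
        $trusted.Add($publicOnly)
    } finally {
        $trusted.Close()
    }

    # Note 2: Base64 of the DER certificate, for the identity encodedValue attribute.
    return [Convert]::ToBase64String($cert.RawData)
}

Publish-PeerTrustCertificate -SubjectDN 'CN=tempCert'
```

The returned string is the value to paste into `encodedValue`; only the public certificate is written to Trusted People, so the private key stays in the `My` store.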

  • Original article: https://www.cnblogs.com/zhangjiang/p/3511994.html