第一步 创建受信任的根证书颁发机构
makecert.exe -n "CN=Development CA" -r -sv DevelopmentCA.pvk DevelopmentCA.cer
并将证书导入到证书管理,特别要注意的是必须是“证书-本地计算机”,而非当前用户
第二步 利用刚才创建的根证书来创建证书的pfx格式 ,第一条命令创建证书,第二条命令将转换为pfx格式并包含私钥,“123456”为私钥密码
makecert.exe -pe -n "CN=localhost" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic DevelopmentCA.cer -iv developmentCA.pvk -sv SSLCert.pvk SSLCert.cer
pvk2pfx -pvk SSLCert.pvk -spc SSLCert.cer -pfx SSLCert.pfx -po 123456
导入证书到本地计算机个人证书
第三步 生成客户端证书,执行命令之后客户端证书自动会添加到“证书-当前用户”个人证书里
makecert.exe -pe -ss My -sr CurrentUser -a sha1 -sky exchange -n "CN=ClientCertificatesTest"
-eku 1.3.6.1.5.5.7.3.2 -sk SignedByCA -ic DevelopmentCA.cer -iv DevelopmentCA.pvk
第四步 证书生成完毕后配置IIS,在网站中添加绑定选择https类型,SSL证书选择我们刚才创建的
第五步 更改SSL设置,我这里是设置了必须要求SSL,可根据自己的实际情况来选择
第六步 在程序中添加HTTPS过滤器,添加此特性的接口会先判断请求是否来自HTTPS
publicclassRequireHttpsAttribute : AuthorizationFilterAttribute
{
publicoverridevoid OnAuthorization(HttpActionContext actionContext)
{
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
actionContext.Response = newHttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
ReasonPhrase = "HTTPS Required"
};
}
else
{
base.OnAuthorization(actionContext);
}
}
{
publicoverridevoid OnAuthorization(HttpActionContext actionContext)
{
if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
{
actionContext.Response = newHttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
{
ReasonPhrase = "HTTPS Required"
};
}
else
{
base.OnAuthorization(actionContext);
}
}
}
最后我们测试下SSL是否生效
publicstaticvoid Test()
{
var secure = newSecureString();
foreach (char s in"password") //password为导出的证书安全密码
{
secure.AppendChar(s);
}
var handler = newWebRequestHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.UseProxy = false;
string path = @"C: est.pfx";
var certificate = newX509Certificate2(path, secure);
handler.ClientCertificates.Add(certificate);
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
using (var client = newHttpClient(handler))
using (var content = newMultipartFormDataContent())
{
var arg = 1;
var url = string.Format(@"https://localhost:4438/api/test?arg={0}",arg);
var result = client.PostAsync(url, content).Result.Content.ReadAsStringAsync();
Console.WriteLine(string.Format("[{0}]", result.Result));
}
{
var secure = newSecureString();
foreach (char s in"password") //password为导出的证书安全密码
{
secure.AppendChar(s);
}
var handler = newWebRequestHandler();
handler.ClientCertificateOptions = ClientCertificateOption.Manual;
handler.UseProxy = false;
string path = @"C: est.pfx";
var certificate = newX509Certificate2(path, secure);
handler.ClientCertificates.Add(certificate);
ServicePointManager
.ServerCertificateValidationCallback +=
(sender, cert, chain, sslPolicyErrors) => true;
using (var client = newHttpClient(handler))
using (var content = newMultipartFormDataContent())
{
var arg = 1;
var url = string.Format(@"https://localhost:4438/api/test?arg={0}",arg);
var result = client.PostAsync(url, content).Result.Content.ReadAsStringAsync();
Console.WriteLine(string.Format("[{0}]", result.Result));
}
}