Question

我一直在使用以下网址尝试使用我的开发计算机上的客户端证书来完成WCF传输安全性（因此我的文件夹用作客户端和服务器）。

http://msdn.microsoft.com/en-us/library/ff648498.aspx

http://msdn.microsoft.com/en-us/library/ff650751.aspx

我的环境是使用IIS 7.5的Windows 7上的Visual Studio 2008。一切似乎都很好，直到我通过打开IE浏览器并浏览到我的.svc文件或运行我的Windows窗体.NET客户端应用程序并调用服务来获取服务器的时间点。以下错误：

HTTP错误403.7 - 禁止

您尝试访问的页面要求您的浏览器具有Web服务器可识别的安全套接字层（SSL）客户端证书。

服务器配置文件：

<bindings>
<wsHttpBinding>
    <binding name="CertificateWithTransport" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"></transport>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

客户端配置文件：

    <?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CertificateWithTransport" closeTimeout="00:10:00"
          openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="655360" messageEncoding="Text"
          textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
          <security mode="Transport">
            <transport clientCredentialType="Certificate" realm="" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="clientCertificateConf">
          <clientCredentials>
            <clientCertificate
              findValue="32 52 dc 36 e1 95 fb be 4e 3c f6 a6 92 13 53 f4 b5 32 47 45"
              storeLocation="CurrentUser"
              storeName="My"
              x509FindType="FindByThumbprint" />
            </clientCredentials>
          <!--<clientCredentials>
            <clientCertificate findValue="CN=localhostclient"
              storeLocation="CurrentUser"
              storeName="My"
              x509FindType="FindBySubjectDistinguishedName" />
          </clientCredentials>-->
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
        </behavior>
      </endpointBehaviors>
    </behaviors>  
    <client>
      <endpoint address="https://localhost/Source.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="SourceServerReference.ISourceService" name="SourceService.wsHttp" />
      <endpoint address="https://localhost/Community.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="CommunityServerReference.ICommunityService" name="CommunityService.wsHttp" />
      <endpoint address="https://localhost/ActivityLeadContact.svc"
        behaviorConfiguration="clientCertificateConf" binding="wsHttpBinding"
        bindingConfiguration="CertificateWithTransport" contract="ActivityLeadContactServerReference.IActivityLeadContactService"
        name="ActivityLeadContactService.wsHttp" />
      <endpoint address="https://localhost/User.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="UserServerReference.IUserService" name="UserService.wsHttp" />
      <endpoint address="https://localhost/PickListItem.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="PickListItemServerReference.IPickListItemService"
        name="PickListItemService.wsHttp" />
      <endpoint address="https://localhost/Prospect.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ProspectServiceReference.IProspectService" name="ProspectService.wsHttp" />
      <endpoint address="https://localhost/ActivityLead.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ActivityLeadServiceReference.IActivityLeadService"
        name="ActivityLeadService.wsHttp" />
      <endpoint address="https://localhost/ActivityReferral.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ActivityReferralServiceReference.IActivityReferralService"
        name="ActivityReferralService.wsHttp" />
      <endpoint address="https://localhost/Referral.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
        contract="ReferralServiceReference.IReferralService" name="ReferralService.wsHttp" />
      <endpoint address="https://localhost/LeadService.svc" behaviorConfiguration="clientCertificateConf"
        binding="wsHttpBinding" bindingConfiguration="LeadService.wsHttp"
        contract="LeadServerReference.ILeadService" name="LeadService.wsHttp" />
    </client>
  </system.serviceModel>
</configuration>

非常感谢任何帮助！

Answer 1

客户端证书可能不受信任。根据您提到的链接，客户端证书和服务器证书不是自签名的。

您应该检查颁发证书的CA（客户端和服务器）是否在本地计算机存储中。还要检查CA颁发的CRL（颁发的颁发服务器证书的客户端和CA）是否也放在本地计算机存储中并且它是否有效（它有一个验证期，之后您需要发出另一个CRL并放置它在商店）。

您可以使用mmc工具检查。

p.s。：我建议您使用xca颁发证书和CRL。它有一个GUI，您可以设置证书和CRL的验证周期，因此很容易发布CRL 100年。默认情况下，它还具有CA，客户端和服务器证书的模板。

使用客户端证书的WCF传输安全性

1 个答案: