Using certificates

Time: 2015-10-02 09:53:54

Tags: c# wcf ssl

I have a Windows service that hosts a WCF service, configured as follows.

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Carglass.Movil.Service.CarglassService" behaviorConfiguration="CarglassServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:9002/CarglassServiceAGI" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="Carglass.Movil.Service.ICarglassService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CarglassServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="CN=MWMWCF"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

The certificate is installed on the machine, and the NETWORK SERVICE user is running the Windows service as a local administrator. I granted permissions by running the following command:

netsh http add urlacl url=http://+:9002/CarglassServiceAGI user="NT AUTHORITY\NETWORK SERVICE"

...and by giving that user "Full control" over the private key via Manage Private Keys in mmc.exe.

But every time I try to run my service I get the following exception:

System.ArgumentException: The certificate 'CN=MWMWCF' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenCommunicationObject(ICommunicationObject obj, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open()
   at MWM.Service.WindowsService.AGI.ServiceController.OnStart(String[] args) in c:\TeamCity\buildAgent\work\MWM-Refactor\MWM.Service\MWM.Service.WindowsService.AGI\ServiceController.cs:line 45

If I remove this from the configuration, it works fine:

<message clientCredentialType="Certificate"/>
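Added example, not from the question or the linked answer: a small C# console diagnostic that repeats the checks WCF's EnsureCertificateCanDoKeyExchange applies to the configured service certificate (present in LocalMachine\My, has a private key, is an RSA exchange key, and is readable by the current account), so the failing condition is reported by name. The subject name CN=MWMWCF comes from the configuration above; the store location and find type are the WCF defaults that configuration relies on.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the question or answer): repeats the checks WCF makes on
// the service certificate, so an ACL or key-type problem is named instead of the
// generic ArgumentException above. Run it under the service account (NETWORK SERVICE).
static class ServiceCertCheck
{
    static void Main(string[] args)
    {
        // WCF defaults for <serviceCertificate findValue="..."/> without store
        // attributes: LocalMachine\My, FindBySubjectDistinguishedName.
        string subjectDn = args.Length > 0 ? args[0] : "CN=MWMWCF";
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
        store.Close();
        if (found.Count == 0)
            Console.WriteLine("FAIL: no certificate '{0}' in LocalMachine\\My", subjectDn);
        foreach (X509Certificate2 cert in found)
            Console.WriteLine("{0}: {1}", cert.Thumbprint, Inspect(cert));
    }

    // One-line verdict for a candidate certificate.
    static string Inspect(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "FAIL: no private key (only the public certificate was imported)";
        // A KeyUsage extension, if present, must permit key exchange.
        var ku = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku != null && (ku.KeyUsages & X509KeyUsageFlags.KeyEncipherment) == 0)
            return "FAIL: KeyUsage " + ku.KeyUsages + " lacks KeyEncipherment";
        try
        {
            // Opening the key is where a missing ACL on the key file shows up.
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                return "FAIL: private key is not an RSA CryptoAPI (CSP) key";
            // WCF requires an AT_KEYEXCHANGE key; AT_SIGNATURE keys cannot decrypt.
            return rsa.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange
                ? "OK: exchange key readable as " + Environment.UserName
                : "FAIL: key is AT_SIGNATURE, not AT_KEYEXCHANGE";
        }
        catch (CryptographicException ex) { return "FAIL: key not accessible: " + ex.Message; }
    }
}
```

Run under the same account as the Windows service, it reproduces the access check that fails at service start; run as an administrator, it only confirms that the key exists and is of the right type.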

1 answer:

Answer 0: (score: 0)

This post explains how to build the certificates correctly and how to install them with sufficient permissions to make it all work: http://returnsmart.blogspot.co.uk/2015/10/how-to-create-your-own-signed.html