Certificate Making Z

Source: Internet
Author: User
Tags: pfx file

I. Security approaches in WCF

Security covers authentication, message integrity and confidentiality. WCF offers two ways to secure a channel: transport security and message security.

The difference between transport security and message security:
Transport security provides point-to-point security. For example, A provides a service and B and C connect to A directly; the A–B and A–C transmissions are protected. If B instead reaches A through C, only the hop that terminates at A is protected; the B–C hop is not.
Message security applies the security mechanism at the message level, which gives end-to-end security: however complex the routing path, the message itself is transmitted securely.
Transport security is generally used on a local area network, while message security is mainly used in the more complex Internet environment. The advantage transport security has over message security is its high performance.

II. How to make a certificate

Transport security inevitably uses SSL/HTTPS, which means digital certificates are involved. We will not explain the concept and principles of digital certificates here (a quick search covers them); we only need to know that a certificate authenticates our server and client to each other and gives us encryption of the messages. Let's start by demonstrating how to make a certificate.

Windows Server includes Certificate Services; after adding that role you can issue certificates with it, as described in the referenced article.

The demo environment used below is Win7 + VS2010, so we can only create the certificate with the MakeCert command and then bind the certificate to a port with the Netsh program.

1. MakeCert can be run from the Visual Studio Command Prompt. Its main parameters (it has many; only the ones we use are listed, and note that the switches are case-sensitive):

-n: the subject name of the certificate, for example -n "CN=computer name"
-pe: mark the generated private key as exportable
-sr: the store location of the certificate (CurrentUser is the current account; LocalMachine is the local machine)
-ss: the certificate store, for example My
-sky: the key type (signature: signing key; exchange: key-exchange key)
-r: create a self-signed certificate

Note: -n "CN=computer name" defaults to the computer name. In a real project it can be the name of the site, such as www.xxx.com. You can also use any other name, but then the WCF call will raise a trust-relationship exception; the demo covers this.

2. Netsh.exe is located in the C:\Windows\System32 directory:

View the SSL certificate bindings: netsh> http show sslcert
Bind a certificate to a port: netsh> http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint of the certificate> appid={<a valid GUID>}
Remove the certificate bound to a port: netsh> http delete sslcert ipport=0.0.0.0:<port>
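As an added example (not part of the original post), the PowerShell below turns the text that "netsh http show sslcert" prints into objects and checks each binding against the LocalMachine\My store, which is the audit a defender wants after bindings accumulate on a host: is the bound thumbprint still present, expired, or self-signed? The sample output is constructed from the values this post uses; the exact wording of the netsh output can differ slightly between Windows versions, so the parser keys only on the field labels.

```powershell
# Added example: parse "netsh http show sslcert" output and audit the bindings.
# Not from the original post; the sample text below is constructed.

function ConvertFrom-SslCertBinding {
    param([string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        # Each field is "<label>   : <value>"; the label itself may contain a colon (IP:port).
        if ($line -match '^\s*(.+?)\s+:\s*(.*)$') {
            $label = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            if ($label -eq 'IP:port' -or $label -eq 'Hostname:port') {
                if ($current) { $bindings += $current }     # a new endpoint starts a new record
                $current = [ordered]@{ Endpoint = $value }
            } elseif ($current) {
                switch ($label) {
                    'Certificate Hash'       { $current.Thumbprint = $value.ToUpperInvariant() }
                    'Application ID'         { $current.AppId = $value }
                    'Certificate Store Name' { $current.Store = $value }
                }
            }
        }
    }
    if ($current) { $bindings += $current }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

function Test-SslCertBinding {
    param([psobject[]]$Bindings)
    foreach ($b in $Bindings) {
        # Thumbprints in the store are upper-case hex; netsh prints them lower-case.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.Thumbprint
        $status = if (-not $cert)                          { 'NO MATCHING CERT IN LocalMachine\My' }
                  elseif ($cert.NotAfter -lt (Get-Date))   { 'EXPIRED' }
                  elseif ($cert.Subject -eq $cert.Issuer)  { 'SELF-SIGNED (test use only)' }
                  else                                     { 'OK' }
        [pscustomobject]@{ Endpoint = $b.Endpoint; Thumbprint = $b.Thumbprint; AppId = $b.AppId; Status = $status }
    }
}

# Constructed sample, modelled on the binding this post creates on port 9000.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:9000
    Certificate Hash             : 63c06b2292c76391fe075becb01e4a1f350a5a87
    Application ID               : {bfc5621f-ef33-1234-ad7e-51eddaec5234}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
'@ -split "`r?`n"

ConvertFrom-SslCertBinding -Lines $sample | Format-Table

# On a real host, feed the live output through both functions:
# ConvertFrom-SslCertBinding -Lines (netsh http show sslcert) | Test-SslCertBinding | Format-Table
```

Test-SslCertBinding flags a self-signed certificate rather than rejecting it, because a self-signed certificate is exactly what this post creates for a lab; the point is to make such bindings visible so they do not survive into production.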

III. Make a certificate and bind it to an IP address and port:

1. Make the certificate:

Start the Visual Studio Command Prompt and enter: makecert -sr LocalMachine -ss My -n "CN=lx-pc" -sky exchange -pe -r, then press Enter; the tool reports success.

How do we view this certificate, and where was it stored?

Run the MMC command to open the console, choose Add or Remove Snap-in from the File menu, and select "Certificates" on the left of the dialog box that pops up:

Click "Add" to open the "Certificates snap-in" dialog box, select "Computer account", click "Next", select "Local computer" and click Finish. You can also go on to add a snap-in for "My user account", like so:

After clicking "OK", the "LX-PC" certificate we created appears under the "Certificates (Local Computer)" > "Personal" > "Certificates" node.

The next step is to add the certificate to the Trusted Root Certification Authorities and Trusted People nodes. Why? A simple analogy: an identity card is our certificate, and the trusted authority is the local public security office that issued it; if the card was not issued by the authority, the card must be treated as suspect.

Right-click the certificate we created, select "All Tasks" > "Export" to open the "Certificate Export" wizard, click "Next", and select "Yes, export the private key".

Click "Next"; the default format "Personal Information Exchange" (PFX) is selected.

Click "Next" again and enter the password "123456".

After clicking "Next", click "Browse", name the file "Lxpc.pfx" and save it to the desktop.

Then right-click the Trusted Root Certification Authorities node and the Trusted People node in turn and select All Tasks > Import. Choose the lxpc.pfx file just exported to the desktop, enter the password 123456, and import it into each of the two nodes.

2. Bind the certificate to the port with the Netsh command:

We now need the thumbprint of the certificate: double-click the certificate and select the Details tab.

Record the certificate's thumbprint: 63c06b2292c76391fe075becb01e4a1f350a5a87

Next, run Netsh from the Windows console (cmd) and enter:

http add sslcert ipport=0.0.0.0:9000 certhash=63c06b2292c76391fe075becb01e4a1f350a5a87 appid={bfc5621f-ef33-1234-ad7e-51eddaec5234}

The result is shown in the screenshot:

Use netsh> http show sslcert to check whether the certificate is bound to port 9000:

As the screenshot shows, the certificate we just made is bound to port 9000.
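The same procedure, from creating the certificate through export, trust-store import and port binding, scripted in PowerShell as an added example (this is not the post's own code). MakeCert is deprecated; New-SelfSignedCertificate (the -Subject form used here needs Windows 10 / Server 2016 or later) is its replacement. The subject, port and AppId are the values this post uses; the PFX password is read at run time rather than hard-coded. One deliberate difference from the post: the trust stores receive only the public certificate (.cer), because Trusted Root and Trusted People never need the private key, and keeping the key out of those stores limits the damage if a store is copied.

```powershell
# Added example: the post's MakeCert + MMC + netsh steps done in PowerShell.
# Run from an elevated prompt. Not from the original post.

$subject = 'CN=lx-pc'                                   # subject the post uses
$port    = 9000                                         # port the post binds
$appId   = '{bfc5621f-ef33-1234-ad7e-51eddaec5234}'     # GUID the post uses; any valid GUID works
$ipport  = "0.0.0.0:$port"
$pfxPath = Join-Path $env:USERPROFILE 'Desktop\lxpc.pfx'
$cerPath = Join-Path $env:USERPROFILE 'Desktop\lxpc.cer'
$pfxPwd  = Read-Host -AsSecureString 'Password for the exported PFX'

# 1. Create a self-signed key-exchange certificate in LocalMachine\My
#    (equivalent of: makecert -sr LocalMachine -ss My -n "CN=lx-pc" -sky exchange -pe -r).
$cert = New-SelfSignedCertificate -Subject $subject -CertStoreLocation 'Cert:\LocalMachine\My' `
            -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter (Get-Date).AddYears(1)
"Created $($cert.Subject), thumbprint $($cert.Thumbprint)"

# 2. Export with the private key (what the MMC export wizard produced as Lxpc.pfx).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# 3. Trust it on this machine. Only the public certificate goes into the trust stores.
#    A self-signed certificate in Trusted Root makes this machine trust everything signed
#    with that key, so keep this to lab machines; production should use a CA-issued certificate.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPeople') {
    Import-Certificate -FilePath $cerPath -CertStoreLocation $store | Out-Null
}

# 4. Bind to the port. Delete a stale binding first; otherwise 'add' fails because
#    HTTP.sys allows only one certificate per ipport.
$existing = netsh http show sslcert ipport=$ipport
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert ipport=$ipport | Out-Null
}
$thumb = $cert.Thumbprint
netsh http add sslcert ipport=$ipport certhash=$thumb appid=$appId

# 5. Verify: the hash netsh reports must equal the thumbprint of the certificate just created.
$bound = (netsh http show sslcert ipport=$ipport | Select-String 'Certificate Hash') -replace '^.*?:\s*', ''
if ($bound.Trim().ToUpperInvariant() -eq $thumb) {
    "Port $port is bound to $thumb"
} else {
    throw "Binding check failed: netsh reports '$bound'"
}
```

The verification in step 5 is the part worth keeping in any deployment script: a binding that points at a thumbprint which is no longer in LocalMachine\My is the usual reason an HTTPS endpoint silently stops answering after a certificate is renewed.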
