How WCF uses X509 certificates (Installation and error) (ii)

The certificate format exported from the current user to the local computer is. pfx and you are exporting the private key.

How to create a certificate:

MAKECERT.EXE-SR localmachine-ss my-a sha1-n Cn=jiangserver-sky exchange-pe (service-side certificate)

MAKECERT.EXE-SR localmachine-ss my-a sha1-n Cn=jiangclient-sky exchange-pe (client certificate)

Introduction to various parameters

Properties parsing

-sr

Specifies the registry location in the certificate store.
CurrentUser
Specifies that the registry storage location is HKEY_CURRENT_USER.
LocalMachine
Specifies that the registry storage location is HKEY_LOCAL_MACHINE.

-ss

Specifies the location of the certificate store.

-A

Specify the relevant algorithm, you can choose the MD5 algorithm or the SHA1 algorithm

-N

Specifies the name of the certificate. The name follows the X.500 naming standard. For simple examples such as "cn=myname" format, if the/n switch is not specified, the certificate default name is "Joe's software Emporium".

-sky

The certificate key type. Can be set to Exchange or signature.

-pe

Certificates can be exported

Detailed description: See MSDN.

After the certificate is created successfully! —

The configuration of the server config is very important, as follows:

<?xml version= "1.0" encoding= "Utf-8"?>
<configuration>

<system.web>
<compilation debug= "True" targetframework= "4.0"/>
</system.web>
<system.serviceModel>
<services>
<service name= "Wcfservice.service1" behaviorconfiguration= "Custombehavior" >

<endpoint
Binding= "mexHttpBinding"
contract= "IMetadataExchange"
address= "Mex"/>
<endpoint address= "" binding= "Wshttpbinding" contract= "Wcfservice.iservice1" bindingconfiguration= " CustomBinding "/>
              
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name= "Custombehavior" >
<!--to avoid leaking metadata information, set the following value to False before deployment and delete the above metadata endpoint--
<servicemetadata httpgetenabled= "true"/>
<!--to receive the fault exception details for debugging, set the following value to True. Set to false before deployment to avoid leaking exception information--
<servicedebug includeexceptiondetailinfaults= "false"/>

<serviceCredentials>
<!--server with certificate detailed configuration findvalue: Create certificate name StoreName: Where is the certificate store detailed storelocation: Certificate store is located in the current native user x509findtype:x509 Find certificate topic name- -
<servicecertificate findvalue= "Jiangserver" storename= "My" storelocation= "LocalMachine" x509findtype= " Findbysubjectname "/>
<!--Client Authentication Method--
<clientCertificate>
<authentication certificatevalidationmode= "None"/>
</clientCertificate>
</serviceCredentials>
            
</behavior>
</serviceBehaviors>
</behaviors>
<servicehostingenvironment multiplesitebindingsenabled= "true"/>

<bindings>
<wsHttpBinding>
<binding name= "CustomBinding" >
<!--verification Method--
<security mode= "Message" >
<message clientcredentialtype= "Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
      
</system.serviceModel>
<system.webServer>
<modules runallmanagedmodulesforallrequests= "true"/>
</system.webServer>
  
</configuration>

In this way, the basic simple X509 authentication method is configured and published to IIS. Run as follows:

Error after-----------------------------------------------------------------------------------------------------------operation--------- ------------------

Server error in "/" application. --------------------------------------------------------------------------------key set does not exist. Description: An unhandled exception occurred during the execution of the current WEB request. Check the stack trace information For more information about the error and the source of the error in your code. Exception Details: System.Security.Cryptography.CryptographicException: Key set does not exist. SOURCE Error: An unhandled exception was generated during the execution of the current WEB request.  You can use the following exception stack trace information to determine information about the cause of the exception and where it occurred. Stack trace: [cryptographicexception: Key set does not exist.   ] System.Security.Cryptography.Utils.CreateProvHandle (CspParameters parameters, Boolean randomkeycontainer) +450 System.Security.Cryptography.Utils.GetKeyPairHelper (Cspalgorithmtype keyType, CspParameters parameters, Boolean Randomkeycontainer, Int32 dwkeysize, safeprovhandle& safeprovhandle, safekeyhandle& SafeKeyHandle) +158 System .   Security.Cryptography.RSACryptoServiceProvider.GetKeyPair (+231)   System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey (+537) System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange (X509Certificate2 certificate) +78[ ArgumentException: Possible certificate "Cn=gaserver1" does not have the ability to perform key exchange of privateThe key, or the process may not have permission to access the private key. For more information, see inner exception.  ]

Parse error prompt, should be no permission ah, we open "MMC" hit My My--Certificate of Jiangserver set permissions.

Add Everyone-read

Run WCF again, success!

Now the service side has deployment! Create the client again, referencing the WCF service. Once the WCF service is referenced successfully, I want to deployment the "app. Config" file again to add the validation information.

<?xml version= "1.0" encoding= "Utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name= "abc" closetimeout= "00:01:00"
opentimeout= "00:01:00" receivetimeout= "00:10:00" sendtimeout= "00:01:00"
Bypassproxyonlocal= "false" transactionflow= "false" hostnamecomparisonmode= "StrongWildcard"
Maxbufferpoolsize= "524288" maxreceivedmessagesize= "65536"
messageencoding= "Text" textencoding= "Utf-8" usedefaultwebproxy= "true"
Allowcookies= "false" >
<readerquotas maxdepth= "+" maxstringcontentlength= "8192" maxarraylength= "16384"
Maxbytesperread= "4096" maxnametablecharcount= "16384"/>
<reliablesession ordered= "true" inactivitytimeout= "00:10:00"
Enabled= "false"/>
<security mode= "Message" >
<message clientcredentialtype= "Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address= "Http://192.168.1.3/Service1.svc" binding= "Wshttpbinding"
bindingconfiguration= "abc" contract= "Servicereference1.iservice1"
Name= "Wshttpbinding_iservice1" behaviorconfiguration= "Custombehavior" >
<identity>
<!--a successful reference, automatically generated code--
<certificate encodedvalue= "awaaaaeaaaauaaaaiaun/+3yklx/nz/ t50halxjci4igaaaaaqaaalcbaaawgggzmiibyaadagecahbesg++ Zoulskowscx8gti4makgbssoawidbqawfjeumbiga1ueaxmlum9vdcbbz2vuy3kwhhcnmtexmjmwmdi1mje1whcnmzkxmjmxmjm1otu5wjawmrqwegydvqqde wtkawfuz1nlcnzlcjcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea8hgfoesdaja6cfuckxsjvx+g50jzbcykcqt2uzylhmtzn0/ jrt3ahwcjn4wo7tu5xnhzuxhlc/vxk8apjt6y7fsv9a02mbx5gshvturcpjjzn89vmekaowfv1n7imsbufbzaqm71+ 9k3kmaws77ymybbb6avxyxfyyfuprc/ 3xscaweaaanlmekwrwydvr0bbeawpoaqeuqjlqydhu8ajweh3bzky6eymbyxfdasbgnvbamtc1jvb3qgqwdlbmn5ghagn2waqgbkihhpunsqxdx0makgbssoa Widbqadqqbvvrkt8schxe3kaxwmx8x5pplyazhf+ibhjkg8p3cjldb9h12bmnktbo1on7gxrnjb0droxyb2vqjbolq82nzt "/>
</identity>
</endpoint>
</client>
<!--Add the following configuration-
<behaviors>
<endpointBehaviors>
<behavior name= "Custombehavior" >
<clientCredentials>
<!--client certificate--
<clientcertificate findvalue= "jiangclient" storename= "My" storelocation= "LocalMachine" x509findtype= " Findbysubjectname "/>
<serviceCertificate>
<authentication certificatevalidationmode= "None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

 

Start the client, the call succeeds!

Note: If you call WCF fails, several error messages

1>: The following search criteria could not be used to find the certificate: StoreName "My", Storelocation "LocalMachine", Findtype "Findbysubjectname", Findvalue " JiangClient1 ".

workaround : Import the certificate (JIANGCLIENT1) or create this certificate, note the reported error message where the certificate is stored

2 >: Client certificate not provided. Please specify a client certificate in the Clientcredential.

Workaround: Configure the certificate on the client side because the server uses certificate authentication.

Call Success again! The above is the problem I was having when setting up the X509 certificate.

Use HttpAnalyzerStdV5 again to see if it's encrypted. As below, it's encrypted.

How WCF uses X509 certificates (Installation and error) (ii)