WCF self-hosted implementation HTTPS binding

Source: Internet
Author: User
Tags ssl certificate

One, WCF configuration

1 Address

Both the server-side publishing address and the client access address are configured as secure addresses that begin with https://, as shown below.

<add key="Srvurl" value="https://127.0.0.1:8001/Service"/>

2 Binding

To suit WCF self-hosting, use WSHttpBinding as the binding with the Transport security mode. This provides message integrity, confidentiality, and server-side authentication guaranteed by the server's SSL certificate. It does not authenticate the client; if you need to verify the identity of the client that invokes the WCF service, configure an additional security mode.

Binding Instantiation Code:

// Namespaces used: System, System.ServiceModel
WS2007HttpBinding wsHttpBinding = new WS2007HttpBinding();
wsHttpBinding.MaxReceivedMessageSize = 6553500;
wsHttpBinding.SendTimeout = new TimeSpan(0, 5, 1);
wsHttpBinding.ReceiveTimeout = new TimeSpan(0, 5, 1);
// Set the security mode to Transport
wsHttpBinding.Security.Mode = SecurityMode.Transport;
// Do not verify client identity
wsHttpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

3 Contract

The contract is no different from one used with BasicHttpBinding, and it needs no other configuration.

Second, server certificates

1 Use

When the server first responds to an HTTPS request, it sends the encryption algorithm and the bound digital certificate to the client, so publishing a WCF service over HTTPS requires a digital certificate. Digital certificates are generally issued by official CA institutions; for testing, we can produce one with a tool.

2 Generation

A test digital certificate can be generated with the MakeCert.exe tool provided by Microsoft. The command is shown below, where -n x509name is the certificate name, -pe marks the private key as exportable, -sr location sets the certificate store location (here the local machine), -ss store names the certificate store, and -sky keytype is the subject's key type.

makecert.exe -n "CN=sswms_wdz" -pe -sr localmachine -ss My -sky exchange

3 Trust Certificate

After the certificate is generated, add it to the Trusted People store with CertMgr.exe, using the following command.

PS C:\windows\system32> C:\Cert\certmgr.exe -add -r localmachine -s my -c -n sswms_wdz -r localmachine -s trustedpeople

4 Binding port

Before the service is published over HTTPS, the generated certificate must also be bound to the publishing port so that the system can locate the correct certificate for encryption during transfer. The binding is done with the system's own Netsh.exe program. The command is as follows, where certhash is the certificate thumbprint and appid is the system GUID.

netsh http add sslcert ipport=0.0.0.0:8001 certhash=87c6227b200430b0d882d96c9e764984a364d7c0 appid={A984BD18-A513-41FC-98D5-282078F60E1E}

To remove the binding, use the following command.

netsh http delete sslcert ipport=0.0.0.0:8001

Third, the main program

Because our test certificate was not issued by an official CA, it is not in the chain of trust, and the client will refuse the call because it does not trust the certificate. In the client program we register a custom certificate validation method on the static ServicePointManager.ServerCertificateValidationCallback callback and have it return true, which forces the client to trust the test certificate. Add the following code to the client program.

// Namespaces used: System.Net, System.Net.Security
// Force the client to trust the test certificate: the callback returns true for every certificate
ServicePointManager.ServerCertificateValidationCallback =
    new RemoteCertificateValidationCallback((sender, certificate, chain, sslPolicyErrors) => true);
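
A narrower form of the callback described above, given here as an added example that is not part of the original article: it accepts a certificate that fails normal validation only when its thumbprint equals the certhash bound with netsh in the port-binding step, so the trust exception covers the one test certificate rather than every HTTPS endpoint the process contacts. The class and method names are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example; the class and member names are assumptions, not the article's code.
public static class PinnedTestCertificate
{
    // Thumbprint of the test certificate: the certhash value passed to netsh in the article.
    private const string PinnedThumbprint = "87C6227B200430B0D882D96C9E764984A364D7C0";

    // Call once at client start-up, before the first WCF call.
    public static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Certificates that pass normal validation need no exception.
        if (errors == SslPolicyErrors.None)
            return true;

        // No certificate presented: nothing to compare against the pin.
        if (certificate == null)
            return false;

        // Tolerate chain or name errors only for the one pinned test certificate.
        // GetCertHashString() returns the SHA-1 hash as hex, the same value netsh calls certhash.
        string thumbprint = certificate.GetCertHashString();
        return string.Equals(thumbprint, PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

When the test certificate is regenerated, the constant has to be updated to the new thumbprint together with the netsh binding.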

Fourth, metadata

Metadata is accessed over HTTPS in the same way as over HTTP, but the browser warns that the certificate is not valid.

Fifth, exceptions that may be encountered

1 The certificate was not successfully bound to the service publishing address

2 The client does not trust the server-side certificate

Sixth, tools and code downloads

1 Certificate making tools

MakeCert.exe and CertMgr.exe: https://pan.baidu.com/s/1pm54lu7 Password: Eaba
