X509 Certificate for WCF Authentication

Source: Internet
Author: User
Tags: pfx file

X.509 digital certificates are the most convenient authentication method in an Internet environment.

1. Create a digital certificate

X.509 certificates can be purchased from a Certificate Authority (such as VeriSign Inc.) or, for development, created as temporary certificates with the makecert.exe tool.
- Create a certificate: makecert -sr LocalMachine -ss My -n "CN=ejiyuan" -sky exchange -pe -r
  Reference: http://msdn.microsoft.com/zh-cn/library/aa702761.aspx
- Export the certificate as a .pfx file together with its private key, using the MMC Certificates snap-in.
- Import the certificate into the Trusted People store.
- Import the certificate into the Trusted Root Certification Authorities store so that the certificate is trusted.

2. Create the service code

using System;
using System.ServiceModel;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double x, double y);
}

public class CalculatorService : ICalculator
{
    public double Add(double x, double y)
    {
        return x + y;
    }
}

class Program
{
    static void Main(string[] args)
    {
        // Endpoints, the NonSessionBinding binding and the CalculatorServiceBehavior
        // behavior are read from the host's app.config (see steps 3 and 4)
        ServiceHost serviceHost = new ServiceHost(typeof(CalculatorService));
        serviceHost.Opened += (s, e) =>
        {
            Console.WriteLine("Service started");
        };
        serviceHost.Open();
        // Keep the host process alive until a key is pressed, then shut down cleanly
        Console.Read();
        serviceHost.Close();
    }
}


3. Set Security Authentication Mode


<bindings>
  <netTcpBinding>
    <binding name="NonSessionBinding">
      <!-- Security authentication mode of the current binding -->
      <security mode="Message">
        <!-- Type of credential required at the message level: a certificate -->
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>


4. Set service credentials

<behaviors>
  <serviceBehaviors>
    <behavior name="CalculatorServiceBehavior">
      <serviceCredentials>
        <!-- X.509 certificate the service uses to prove its identity to clients in message security mode -->
        <serviceCertificate findValue="CN=ejiyuan" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="My" />
        <clientCertificate>
          <!-- Use a custom validator for client certificates -->
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="WCF.Extensions.Security.MyX509Validator, WCF.Extensions.Security" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>


5. Custom certificate verification
The certificate thumbprint is used for authentication; for each client, the combination of the certificate's name and serial number gives a unique thumbprint. You must inherit from System.IdentityModel.Selectors.X509CertificateValidator and override its Validate method to implement your own X.509 validation logic.
The thumbprint used below can be read from the certificate's details:

using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace WCF.Extensions.Security
{
    public class MyX509Validator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate", "The X509 certificate is empty!");
            }
            // Thumbprint is returned as upper-case hex without separators.
            // Comparing the thumbprint alone pins exactly one client certificate;
            // no chain, validity-period or revocation check is performed here.
            if (certificate.Thumbprint != "82fb736f2464c481859f852ecb10f6f9425c265f".ToUpper())
            {
                throw new SecurityTokenException("Certificate validation error!");
            }
        }
    }
}
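As an added example (not the article's code), the validator below generalizes the single-thumbprint check above to an allow-list of enrolled client thumbprints and also rejects certificates that are expired or no longer chain to a trusted store. The class name PinnedX509Validator and the allow-list contents are assumptions; to use it, reference it in customCertificateValidatorType instead of MyX509Validator.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace WCF.Extensions.Security
{
    // Hypothetical validator: thumbprint pinning plus validity and chain checks.
    public class PinnedX509Validator : X509CertificateValidator
    {
        // Constructed allow-list; the only entry is the thumbprint quoted in the article.
        private static readonly HashSet<string> AllowedThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "82fb736f2464c481859f852ecb10f6f9425c265f"
            };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // 1. Pin: only explicitly enrolled client certificates are accepted.
            if (!AllowedThumbprints.Contains(certificate.Thumbprint))
                throw new SecurityTokenValidationException(
                    "Client certificate is not enrolled: " + certificate.Thumbprint);

            // 2. Validity period: an enrolled but expired certificate is still rejected.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                throw new SecurityTokenValidationException("Client certificate is outside its validity period.");

            // 3. Chain: the issuer must still be trusted on this machine (for the makecert
            //    test certificate this means it is still in the trusted root store).
            //    Self-signed test certificates publish no CRL, so revocation is not checked
            //    here; switch to X509RevocationMode.Online for CA-issued certificates.
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (!chain.Build(certificate))
            {
                List<string> reasons = new List<string>();
                foreach (X509ChainStatus status in chain.ChainStatus)
                    reasons.Add(status.Status + ": " + status.StatusInformation.Trim());
                throw new SecurityTokenValidationException(
                    "Client certificate chain is not trusted: " + string.Join("; ", reasons));
            }
        }
    }
}
```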


6. Client code

using System;
using System.Security.Cryptography.X509Certificates;
using ServiceReference1; // generated service reference containing CalculatorClient

class Program
{
    static void Main(string[] args)
    {
        CalculatorClient client = new CalculatorClient();
        // Select the client certificate from the current user's personal store
        client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectDistinguishedName, "CN=ejiyuan");
        var q = client.Add(1, 2);
        Console.WriteLine(q);
        client.Close();
        Console.Read();
    }
}


7. Client configuration information (automatically generated)

<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="NetTcpBinding_ICalculator">
        <security mode="Message">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <client>
    <endpoint address="net.tcp://192.168.101.13:8000/CalculatorService"
              binding="netTcpBinding" bindingConfiguration="NetTcpBinding_ICalculator"
              contract="ServiceReference1.ICalculator" name="NetTcpBinding_ICalculator">
      <identity>
        <!-- encodedValue holds the base64-encoded service certificate; the value was garbled in the source -->
        <certificate encodedValue="BASE64_ENCODED_SERVICE_CERTIFICATE" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
