X.509 digital certificates are the most convenient authentication method in the Internet environment.
1. Create a digital certificate
X.509 certificates can be purchased from a Certificate Authority (such as VeriSign), or you can use the makecert.exe tool to create a temporary certificate for use during development.
. Create a certificate: makecert -sr LocalMachine -ss My -n CN=ejiyuan -sky exchange -pe -r
Reference: http://msdn.microsoft.com/zh-cn/library/aa702761.aspx
. Export the certificate, together with its private key, as a .pfx file using MMC.
. Import the certificate into the Trusted People store.
. Import the certificate into the Trusted Root Certification Authorities store so that it is trusted.
2. Create the service code
using System;
using System.ServiceModel;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double x, double y);
}

public class CalculatorService : ICalculator
{
    public double Add(double x, double y)
    {
        return x + y;
    }
}

class Program
{
    static void Main(string[] args)
    {
        // Host the service; endpoints and behaviors come from app.config
        ServiceHost _serviceHost = new ServiceHost(typeof(CalculatorService));
        _serviceHost.Opened += (s, q) =>
        {
            Console.WriteLine("Service started");
            Console.Read();
        };
        _serviceHost.Open();
    }
}
3. Set Security Authentication Mode
<bindings>
  <netTcpBinding>
    <binding name="NonSessionBinding">
      <!-- Security mode of this binding -->
      <security mode="Message">
        <!-- Message-level security requires the client to present a certificate -->
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>
4. Set service credentials
<behaviors>
  <serviceBehaviors>
    <behavior name="CalculatorServiceBehavior">
      <serviceCredentials>
        <!-- The X.509 certificate the service uses to prove its identity to clients in message security mode -->
        <serviceCertificate findValue="CN=ejiyuan" x509FindType="FindBySubjectDistinguishedName" storeLocation="LocalMachine" storeName="My" />
        <clientCertificate>
          <!-- Use a custom validator for client certificates -->
          <authentication certificateValidationMode="Custom" customCertificateValidatorType="WCF.Extensions.Security.MyX509Validator, WCF.Extensions.Security" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
5. Custom certificate verification
The certificate's thumbprint (fingerprint) is used for authentication: the thumbprint of each client's digital certificate, which combines the certificate name and serial number, is unique. You must inherit from System.IdentityModel.Selectors.X509CertificateValidator and override its Validate method to implement your own X.509 authentication logic.
The thumbprint used below can be read from the certificate's details in the certificate store:
using System;

public class MyX509Validator : System.IdentityModel.Selectors.X509CertificateValidator
{
    public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            throw new ArgumentNullException("The X509 certificate is empty!");
        }
        // Accept only the one client certificate whose thumbprint matches
        if (certificate.Thumbprint != "82fb736f2464c481859f852ecb10f6f9425c265f".ToUpper())
        {
            throw new System.IdentityModel.Tokens.SecurityTokenException("Certificate validation error!");
        }
    }
}
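As an added example (not code from the original post), a variant of the validator above that accepts a small allow-list of client thumbprints and also rejects certificates outside their validity period, which the thumbprint comparison alone does not check. The second thumbprint is a placeholder; the class keeps a parameterless constructor because WCF instantiates it by reflection from the customCertificateValidatorType attribute.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Custom validator: in Custom mode WCF performs no chain check itself,
// so this class is the only gate a client certificate has to pass.
public class ThumbprintAllowListValidator : X509CertificateValidator
{
    // Allowed client certificates, identified by thumbprint.
    // Thumbprint is returned by .NET as upper-case hex without separators;
    // compare case-insensitively so values pasted from the MMC UI also work.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "82fb736f2464c481859f852ecb10f6f9425c265f",   // thumbprint from this page
            "PLACEHOLDER_SECOND_CLIENT_THUMBPRINT"        // placeholder, replace with a real value
        };

    // Parameterless constructor required when wired up via <authentication ... />
    public ThumbprintAllowListValidator() { }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }

        // Reject certificates that are not yet valid or have expired.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
        {
            throw new SecurityTokenValidationException(
                "Client certificate is outside its validity period.");
        }

        // Pin to the allow-list: a certificate with a different thumbprint is
        // rejected even if it chains to a trusted root.
        if (!Allowed.Contains(certificate.Thumbprint))
        {
            throw new SecurityTokenValidationException(
                "Client certificate is not on the allow-list.");
        }
    }
}
```

Because the thumbprint is a hash over the whole encoded certificate, renewing a client certificate changes it, so the allow-list has to be updated on every rotation.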
6. Client code
using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
    static void Main(string[] args)
    {
        CalculatorClient client = new CalculatorClient();
        // Select the client certificate from the current user's personal store
        client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectDistinguishedName, "CN=ejiyuan");
        var q = client.Add(1, 2);
        Console.WriteLine(q);
        Console.Read();
    }
}
7. Client configuration information (automatically generated)
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="NetTcpBinding_ICalculator">
        <security mode="Message">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <client>
    <endpoint address="net.tcp://192.168.101.13:8000/CalculatorService"
        binding="netTcpBinding" bindingConfiguration="NetTcpBinding_ICalculator"
        contract="ServiceReference1.ICalculator" name="NetTcpBinding_ICalculator">
      <identity>
        <certificate encodedValue="BASE64_ENCODED_SERVICE_CERTIFICATE" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>