X509 Certificate for WCF Authentication

Last Update:2018-12-07 Source: Internet

Author: User

Tags pfx file

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

X.509 digital certificate is the most convenient authentication method in the Internet environment.

1. Create a digital certificate

X509 certificates can be used by the Certificate Authority (such as Verisign inc.exe to buy or use the makecert.exe tool to create temporary certificates used during development)
. Create a certificate. Make a certificate: makecert-Sr localmachine-SS my-N Cn = ejiyuan-sky exchange-pe-R.
Reference: http://msdn.microsoft.com/zh-cn/library/aa702761.aspx
. Export the Certificate file, pfx file with the key. Use MMC
. Import the certificate to the trusted person.
. Import the certificate to a trusted organization, and the certificate will be trusted.

2. Create a serviceCode

[Servicecontract]
Public Interface Icalculator
{
[Operationcontract]
Double Add ( Double X, Double Y );
}

Public ClassCalculatorservice: icalculator
{

Public Double Add ( Double X, Double Y)
{
Return X + Y;
}
}
Class Program
{
Static Void Main ( String [] ARGs)
{
Servicehost _ servicehost = New Servicehost ( Typeof (Calculatorservice ));
_ Servicehost. Opened + = (S, q) =>
{
Console. writeline ( " Service started " );
Console. Read ();
};
_ Servicehost. open ();
}
}

3. Set Security Authentication Mode

< Bindings >
< Nettcpbinding >
< Binding Name = "Nonsessionbinding" >
<! -- Currently bound Security Authentication Mode -->
< Security Mode = "Message" >
<! -- Defines the type of message-level security requirements, which is a certificate -->
< Message Clientcredentialtype = "Certificate" />
</ Security >
</ Binding >
</ Nettcpbinding >
</ Bindings >

4. Set service creden

< Behaviors >
< Servicebehaviors >
< Behavior Name = "Calculatorservicebehavior" >
< Servicecredentials >
<! -- Specifies an X.509 Certificate for the service to prove its identity to clients using message security mode. -->
< Servicecertificate Findvalue = "Cn = ejiyuan" X509findtype = "Findbysubjectdistinguishedname" Storelocation = "Localmachine" Storename = "My" />
< Clientcertificate >
<! -- Customize the authentication method for the client -->
< Authentication Certificatevalidationmode = "Custom" Customcertificatevalidatortype = "WCF. Extensions. Security. myx509validator, WCF. Extensions. Security" />
</ Clientcertificate >
</ Servicecredentials >
</ Behavior >
</ Servicebehaviors >
</ Behaviors >

5. Custom certificate verification
The fingerprint code of the certificate is used for authentication. The combination of the Digital Certificate Name and serial number of each client is a unique fingerprint code. You must inherit from 'System. identitymodel. selectors. x509certificatevalidator ', and then rewrite the 'validate' method to implement your X509 authentication logic.
The following fingerprint code can be obtained through the certificate trust information:

Public Class Myx509validator: system. identitymodel. selectors. x509certificatevalidator
{

Public Override Void Validate (system. Security. cryptography. x509certificates. x509certificate2 Certificate)
{
If (Certificate = Null )
{
Throw New Argumentnullexception ( " The X509 Certificate is empty! " );
}
If (Certificate. thumbprint ! = " 82fb736f2464c481859f852ecb10f6f9425c265f " . Toupper ())
{
Throw New System. identitymodel. tokens. securitytokenexception ( " Certificate Validation Error! " );
}
}
}

6. client code

Class Program
{
Static Void Main ( String [] ARGs)
{
Calculatorclient Client = New Calculatorclient ();
// Query the certificates installed on the client
Client. clientcredentials. clientcertificate. setcertificate (storelocation. currentuser, storename. My, x509findtype. findbysubjectdistinguishedname, " CN = ejiyuan " );
VaR Q = Client. Add ( 1 , 2 );
Console. writeline (client. Add ( 1 , 2 ));
Console. Read ();
}
}

7. Client configuration information (automatically generated)

< System. servicemodel >
< Bindings >
< Nettcpbinding >
< Binding Name = "Nettcpbinding_icalculator" >
< Security Mode = "Message" >
< Transport Clientcredentialtype = "Windows" Protectionlevel = "Encryptandsign" />
< Message Clientcredentialtype = "Certificate" />
</ Security >
</ Binding >
</ Nettcpbinding >
</ Bindings >
< Client >
< Endpoint Address = "Net. TCP: // 192.168.101.13: 8000/calculatorservice"
Binding = "Nettcpbinding" Bindingconfiguration = "Nettcpbinding_icalculator"
Contract = "Servicereference1.icalculator" Name = "Nettcpbinding_icalculator" >
< Identity >
< Certificate Encodedvalue = "Expires + expires/expires + 4dl1hfipqupdextikwwy2v2/T/pwhrrvpe/expires + expires/hhwvyu + expires + igx8/w8q =" />
</ Identity >
</ Endpoint >
</ Client >
</ System. servicemodel >

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More