How WCF uses X509 certificates

Source: Internet
Author: User


How to create a certificate:

  makecert.exe -sr localmachine -ss my -a sha1 -n CN=jiangserver -sky exchange -pe    (service-side certificate)

  makecert.exe -sr localmachine -ss my -a sha1 -n CN=jiangclient -sky exchange -pe    (client certificate)

  makecert -sr localmachine -ss my -n "CN=<WCF server machine name>" -sky exchange -pe -r    (self-signed certificate, -r, named after the WCF server machine)

Parameter descriptions

-sr

Specifies the registry location of the certificate store. currentuser means the store lives under HKEY_CURRENT_USER; localmachine means it lives under HKEY_LOCAL_MACHINE.

-ss

Specifies the location of the certificate store.

-A

Specifies the signature algorithm; either md5 or sha1 can be chosen.

-N

Specifies the subject name of the certificate. The name follows the X.500 naming standard; a simple example is the "CN=myname" format. If the -n switch is not given, the certificate's default name is "Joe's Software Emporium".

-sky

The key type of the certificate: exchange or signature.

-pe

Marks the generated private key as exportable, so the certificate can be exported together with its key.

For the full description of each switch, see the makecert documentation on MSDN.

After the certificate has been created successfully, configure the service in its web.config:

  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <system.web>
      <compilation debug="true" targetFramework="4.0" />
    </system.web>
    <system.serviceModel>
      <services>
        <service name="WcfService.Service1" behaviorConfiguration="CustomBehavior">
          <endpoint binding="mexHttpBinding" contract="IMetadataExchange" address="mex" />
          <endpoint address="" binding="wsHttpBinding" contract="WcfService.IService1" bindingConfiguration="CustomBinding" />
        </service>
      </services>
      <behaviors>
        <serviceBehaviors>
          <behavior name="CustomBehavior">
            <!-- To avoid leaking metadata information, set this to false before deployment and delete the metadata endpoint above -->
            <serviceMetadata httpGetEnabled="true" />
            <!-- To receive fault exception details for debugging, set this to true; before deployment set it to false to avoid leaking exception information -->
            <serviceDebug includeExceptionDetailInFaults="false" />
            <serviceCredentials>
              <!-- Service certificate: findValue is the name the certificate was created with,
                   storeName is the store it is in, storeLocation is the local machine store,
                   x509FindType searches by subject name -->
              <serviceCertificate findValue="jiangserver" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
              <!-- Client authentication method -->
              <clientCertificate>
                <authentication certificateValidationMode="None" />
              </clientCertificate>
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <!-- attribute value lost in extraction; "true" is the Visual Studio template default -->
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      <!-- binding section partly lost in extraction; reconstructed from the bindingConfiguration="CustomBinding" reference above -->
      <bindings>
        <wsHttpBinding>
          <binding name="CustomBinding">
            <security mode="Message">
              <message clientCredentialType="Certificate" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
    </system.serviceModel>
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
  </configuration>

With this, basic X509 authentication is configured and the service is published to IIS. Running it gives the following result:

Error after running the service:

  Server Error in '/' Application.
  Key set does not exist.

  Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

  Exception Details: System.Security.Cryptography.CryptographicException: Key set does not exist.

  Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

  Stack Trace:
  [CryptographicException: Key set does not exist.]
     System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +450
     System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +158
     System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +231
     System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +537
     System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +78

  [ArgumentException: It is likely that certificate 'CN=gaserver1' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.]

Reading the error message, this should be a permission problem: open MMC, go to the Personal (My) certificate store, find the jiangserver certificate and set the permissions on its private key.

Add Everyone with Read permission.

Run the WCF service again: success!
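The private-key permission step above can also be done as a script instead of through MMC. This is an added example, not code from the original post, and it grants Read to the IIS application pool identity rather than to Everyone. The subject name jiangserver comes from the makecert command above; the pool name DefaultAppPool is an assumption.

```powershell
# Added example (not from the original post). Grants Read on the service
# certificate's private key to the IIS application pool identity only, instead
# of to Everyone. Assumes makecert created a legacy CSP RSA key in
# LocalMachine\My with subject CN=jiangserver (from the post) and that the site
# runs under DefaultAppPool (assumed). Run from an elevated Windows PowerShell.
param(
    [string]$SubjectName = 'jiangserver',               # makecert -n value from the post
    [string]$Identity    = 'IIS AppPool\DefaultAppPool' # assumed application pool identity
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# CSP keys are stored as files under MachineKeys; the file name is the unique
# key container name. Reading PrivateKey here is the same access WCF needs.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Add a Read ACE for the pool identity; nothing else on the ACL is changed.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting ACL so the grant can be verified; Everyone should not appear.
(Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

CNG keys (which makecert does not produce) are stored elsewhere and are not handled by this script.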

Now the service side is deployed. Next, create the client and add a service reference to the WCF service. Once the reference has been added successfully, edit the client's app.config to add the authentication information:

  <?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="abc" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                   bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                   maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8"
                   useDefaultWebProxy="true" allowCookies="false">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
            <security mode="Message">
              <message clientCredentialType="Certificate" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <endpoint address="http://192.168.1.3/Service1.svc" binding="wsHttpBinding" bindingConfiguration="abc"
                  contract="ServiceReference1.IService1" name="WSHttpBinding_IService1" behaviorConfiguration="CustomBehavior">
          <identity>
            <!-- Generated automatically when the service reference was added -->
            <certificate encodedValue="awaaaaeaaaauaaaaiaun/+3yklx/nz/t50halxjci4igaaaaaqaaalcbaaawgggzmiibyaadagecahbesg++ Zoulskowscx8gti4makgbssoawidbqawfjeumbiga1ueaxmlum9vdcbbz2vuy3kwhhcnmtexmjmwmdi1mje1whcnmzkxmjmxmjm1otu5wjawmrqwegydvqqde wtkawfuz1nlcnzlcjcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea8hgfoesdaja6cfuckxsjvx+g50jzbcykcqt2uzylhmtzn0/ jrt3ahwcjn4wo7tu5xnhzuxhlc/vxk8apjt6y7fsv9a02mbx5gshvturcpjjzn89vmekaowfv1n7imsbufbzaqm71+ 9k3kmaws77ymybbb6avxyxfyyfuprc/ 3xscaweaaanlmekwrwydvr0bbeawpoaqeuqjlqydhu8ajweh3bzky6eymbyxfdasbgnvbamtc1jvb3qgqwdlbmn5ghagn2waqgbkihhpunsqxdx0makgbssoa Widbqadqqbvvrkt8schxe3kaxwmx8x5pplyazhf+ibhjkg8p3cjldb9h12bmnktbo1on7gxrnjb0droxyb2vqjbolq82nzt" />
          </identity>
        </endpoint>
      </client>
      <!-- Add the following configuration -->
      <behaviors>
        <endpointBehaviors>
          <behavior name="CustomBehavior">
            <clientCredentials>
              <!-- Client certificate -->
              <clientCertificate findValue="jiangclient" storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
              <serviceCertificate>
                <authentication certificateValidationMode="None" />
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
    </system.serviceModel>
  </configuration>

Start the client: the call succeeds!

Note: if the WCF call fails, you may see one of the following error messages.

1) Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'JiangClient1'.

Workaround: import the certificate (JIANGCLIENT1) or create it; note that the error message tells you which store name and location the certificate is expected in.

2) The client certificate is not provided. Specify a client certificate in ClientCredentials.

Workaround: configure a client certificate in the client's endpoint behavior, because the server requires certificate authentication.
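Both client-side errors above (certificate not found, client certificate not provided) and the server-side "Key set does not exist" error come from the same certificate lookup that the <serviceCertificate> and <clientCertificate> elements perform. The following added script (not part of the original post) runs that lookup with the same storeLocation, storeName, x509FindType and findValue attributes and reports what WCF would see; the default findValue jiangclient is the post's client certificate name, and the other defaults mirror the post's app.config.

```powershell
# Added example (not from the original post). Reproduces the X509Store.Find call
# behind WCF's certificate configuration so that the post's two client-side
# errors and the "Key set does not exist" error can be diagnosed before running
# the service. Defaults are taken from the post's app.config.
param(
    [string]$StoreLocation = 'LocalMachine',
    [string]$StoreName     = 'My',
    [string]$FindType      = 'FindBySubjectName',
    [string]$FindValue     = 'jiangclient'     # the post's client certificate name
)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # validOnly = $false: WCF finds the certificate first and validates it
    # separately, so an expired or untrusted self-signed cert is still "found".
    $type  = [System.Security.Cryptography.X509Certificates.X509FindType]$FindType
    $found = $store.Certificates.Find($type, $FindValue, $false)
} finally {
    $store.Close()
}

if ($found.Count -eq 0) {
    Write-Warning ("No certificate matches StoreName '$StoreName', StoreLocation '$StoreLocation', " +
                   "FindType '$FindType', FindValue '$FindValue' (error 1 in the post).")
    return
}
if ($found.Count -gt 1) {
    # FindBySubjectName is a case-insensitive substring match, so 'jiangclient'
    # would also match 'jiangclient1'; WCF requires exactly one match.
    Write-Warning "$($found.Count) certificates match; WCF needs exactly one. Use a more specific findValue or FindByThumbprint."
}

foreach ($c in $found) {
    # Touching PrivateKey performs the same access WCF does; a CSP key the
    # current identity cannot read raises "Key set does not exist" here.
    $keyReadable = $true
    try { $null = $c.PrivateKey } catch { $keyReadable = $false }
    [pscustomobject]@{
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey   # a certificate without one cannot be a client credential
        KeyReadable   = $keyReadable
    }
}
```

Run it under the identity that will use the certificate (the IIS application pool for the service, the interactive user for the client), since the private-key check depends on who is asking. Note that certificateValidationMode="None" in both configs means neither side checks the other's certificate chain, so a certificate being found says nothing about whether it is trusted.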

The call succeeds again! The above are the problems I ran into when setting up X509 certificates.

Finally, use HttpAnalyzerStdV5 to check whether the traffic is encrypted. As the capture showed, it is.
