[Practice] Preparing a certificate for WCF Transport Security (1)

Source: Internet
Author: User
Tags: certificate, fingerprint, pfx file

I have been learning about WCF transport security in recent days. I searched the blog garden for a long time and read a lot of other material to understand it, and this article shares what I found.

I. Security Methods in WCF

Security involves three things: authentication, message integrity, and confidentiality. WCF offers two ways to provide them: transport security and message security.

Differences between transport security and message security:
Transport security provides point-to-point security. For example, if A provides a service and B and C connect directly to A, the transmissions A-B and A-C are secure. If B instead reaches A through C, only the direct hop between A and C is secured; the hop between B and C is a separate connection and is not protected.
Message security applies the security mechanisms at the message level and provides end-to-end security: no matter how complicated the routing path is, the message itself is protected all the way.
Transport security is generally used on a LAN, while message security is mainly used in complex Internet environments. Compared with message security, transport security has one clear advantage: performance.

II. How to Create a Certificate

Since this is transport security, SSL and HTTPS will inevitably be used, and that means digital certificates. We will not cover the concept and principles of digital certificates here; a quick web search will do. We only need to know that a certificate authenticates our server and client and lets our messages be encrypted. First, let's walk through creating one:

Windows Server includes a Certificate Services role; you can add it and use it to issue certificates. For details, see the related article on that topic.

The demo environment below is Windows 7 with Visual Studio 2010, so we create the certificate with the makecert command and register it for the port with the netsh program.

1. makecert. This command runs from the Visual Studio command prompt. The parameters we use are described below (there are many more; only the ones we need are listed). Note that makecert switches are case-sensitive:

-n: the certificate subject name, for example -n "CN=computer name"
-pe: mark the generated private key as exportable
-sr: the store location of the certificate (currentuser = the current account; localmachine = the local machine)
-ss: the certificate store name
-sky: the key type (signature = signing key; exchange = key exchange key)
-r: create a self-signed certificate

Note: -n "CN=computer name" uses the computer name by default. In a real project it may be the website name, for example www.xxx.com. You can use any other name, but then the WCF call will report a trust-relationship error; we will see this in the demo.

2. netsh.exe is located in the C:\Windows\System32 directory. The commands we need (entered at the netsh> prompt) are:

View the SSL certificate bindings: netsh> http show sslcert
Bind a certificate to a port: netsh> http add sslcert ipport=IP:port certhash=<certificate fingerprint> appid={a valid GUID}
Delete the certificate bound to a port: netsh> http delete sslcert ipport=IP:port
Here ipport takes the form address:port, for example 0.0.0.0:9000 to bind the port on every IPv4 address; certhash is the certificate thumbprint (fingerprint) without spaces.

3. Create a certificate and bind it to the IP address and port:

1. Create a certificate:

Start the Visual Studio command prompt and enter: makecert -sr localmachine -ss my -n "CN=Lx-PC" -sky exchange -pe -r, then press Enter. The prompt reports "Succeeded".

How can I view this certificate? Where has this certificate been stored?

Run the MMC command to open the console, choose "Add/Remove Snap-in" from the "File" menu, and in the dialog box that appears select "Certificates" on the left:

Click "Add" to bring up the "Certificates snap-in" dialog box. Select "Computer account", click "Next", select "Local computer", and click "Finish". You can add another snap-in for "My user account" as well, for example:

Click "OK". Under the "Certificates (Local Computer)" > "Personal" > "Certificates" node you can see the newly created "lx-PC" certificate.

The next step is to add the certificate to the "Trusted Root Certification Authorities" and "Trusted People" nodes. Why? Think of an ID card as our certificate: who is the trusted authority? The local public security bureau, of course. A certificate that was not issued by a trusted authority must be treated as suspect.

Right-click the certificate we created, select "All Tasks" > "Export" to open the Certificate Export Wizard, click "Next", and select "Yes, export the private key".

Click "Next" and keep the default format, "Personal Information Exchange" (PKCS #12, .pfx).

Click "Next" and enter the password "123456".

Click "Next", select "Browse", name the file "lxpc.pfx", and save it to the desktop.

Then right-click the "Trusted Root Certification Authorities" node and the "Trusted People" node in turn and select "All Tasks" > "Import". Select the lxpc.pfx file we just exported to the desktop, enter the password 123456, and import it into each of the two nodes.

2. Use the netsh command to bind the certificate to the port:

Now we need the certificate fingerprint: double-click our certificate, select the "Details" tab, and find the "Thumbprint" field.

The fingerprint of the certificate is 63c06b2292c76391fe075becb01e4a1f350a5a87.

Then open the Windows console (CMD), start netsh, and at the netsh> prompt enter:

http add sslcert ipport=0.0.0.0:9000 certhash=63c06b2292c76391fe075becb01e4a1f350a5a87 appid={BFC5621F-EF33-1234-AD7E-51EDDAEC5234}

(netsh requires ipport in address:port form; 0.0.0.0 binds port 9000 on all IPv4 addresses.)

We can then use netsh> http show sslcert to check that our certificate is bound to port 9000:

As shown in the figure, we have bound the certificate we just created to port 9000.
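The whole preparation above (makecert, PFX export, import into the two trust stores, netsh binding, and a check of the result) as one PowerShell script for an elevated prompt. This is an added example, not code from the original post: it assumes makecert.exe is on the PATH (as in the Visual Studio command prompt), reuses the article's sample subject "Lx-PC", port 9000 and PFX password, generates the appid GUID instead of hard-coding one, imports only the public certificate into the trust stores (the private key is not needed there), and matches the English "Certificate Hash" label of netsh output.

```powershell
# Added example (not from the original post). Run as Administrator.
$subject = "Lx-PC"                                     # article's sample subject
$port    = 9000                                        # article's sample port
$pfxPath = Join-Path $env:USERPROFILE "Desktop\lxpc.pfx"
$pfxPass = "123456"                                    # article's sample password; use a strong one in practice

# 1. Create a self-signed, exportable exchange certificate in LocalMachine\My (the article's makecert call).
& makecert -sr localmachine -ss my -n "CN=$subject" -sky exchange -pe -r | Out-Null

# 2. Locate it by subject and read the thumbprint (the "certificate fingerprint" netsh needs).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$subject" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate CN=$subject not found in LocalMachine\My" }
$thumb = $cert.Thumbprint.ToLower()

# 3. Export certificate plus private key to PFX (what the MMC export wizard does).
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPass)
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)

# 4. Trust it: import the public part into Trusted Root CAs and Trusted People (the article's two MMC imports).
#    .NET X509Store is used so this also works on Windows 7 / PowerShell 2.0.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
              , $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
foreach ($storeName in "Root", "TrustedPeople") {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($public)
    $store.Close()
}

# 5. Bind the certificate to the port. netsh needs the address:port form; 0.0.0.0 means every IPv4 address.
$appId = "{" + [guid]::NewGuid().ToString() + "}"
netsh http add sslcert ipport=0.0.0.0:$port certhash=$thumb appid="$appId" | Out-Null

# 6. Verify: the binding on the port must carry the thumbprint we just created, not a stale one.
$binding = netsh http show sslcert ipport=0.0.0.0:$port | Out-String
if ($binding -match "Certificate Hash\s*:\s*([0-9a-fA-F]{40})" -and $Matches[1].ToLower() -eq $thumb) {
    "port $port is bound to certificate $thumb"
} else {
    throw "binding check failed for port $port`n$binding"
}
```

If the port already has a binding, delete it first with netsh http delete sslcert ipport=0.0.0.0:9000, otherwise the add step fails and step 6 reports the old thumbprint.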

With that, the preliminary certificate preparation is complete. In the next article we will use this certificate in a WCF example where the server is authenticated over SSL while the client remains anonymous.
