WCF clientCredentialType Certificate validation mode: ChainTrust
The ChainTrust authentication mode uses a certificate chain to verify that the X.509 certificate is valid and was issued by a trusted issuer. It requires that each certificate exist in a certificate hierarchy that ends with the root certification authority at the top of the certificate chain. It verifies that the X.509 certificate was issued by a trusted certification authority by searching the certificate store and determining whether the certification authority's certificate has been designated as a trusted certificate. For WCF to make this decision, you must install the certification authority's certificate chain in the correct certificate store.
Because Windows comes with a set of default certificate chains for trusted certification authorities, you may not have to install a certificate chain for all certification authorities.
Further reading: X.509 certificate chain description
A certificate contains information about its holder, the holder's public key, and the signature of the signer. Once a certificate is installed, it is trusted. The certificate also describes its purpose, such as server authentication, client authentication, or signing other certificates. When the system receives a new certificate, the certificate indicates who signed it. The system automatically trusts the new certificate if the signer is allowed to sign other certificates and the signature on the certificate verifies against the signer's public key.
When the system is first set up, a trusted certification authority is installed automatically; this is called the root certification authority (CA). The root certification authority issues certificates to other companies for a variety of purposes. Of course, the signer's certificate may itself be a signed certificate, so each signer's qualifications must be checked in turn. In this way, a "certificate chain" is formed by signing layer upon layer.
Set the certificate validation mode to "ChainTrust" as shown in the following configuration.
To set the validation mode for the client credential to "ChainTrust" on the server side:
<!-- Goes inside <serviceCredentials> in the service behavior -->
<clientCertificate>
  <certificate findValue="xuanhunclient"
               storeLocation="CurrentUser"
               storeName="My"
               x509FindType="FindBySubjectName" />
  <authentication certificateValidationMode="ChainTrust" trustedStoreLocation="CurrentUser" />
</clientCertificate>
To set the validation mode for the service credential to "ChainTrust" on the client side:
<!-- Goes inside <clientCredentials> in the endpoint behavior -->
<serviceCertificate>
  <defaultCertificate x509FindType="FindBySubjectName"
                      storeLocation="CurrentUser"
                      storeName="TrustedPeople"
                      findValue="Xuanhunserver" />
  <authentication certificateValidationMode="ChainTrust" />
</serviceCertificate>
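The chain check described above can be reproduced outside WCF to see why a certificate would be rejected before it is deployed. The following is an added example, not code from the original article: it uses the .NET X509Chain class to approximate the check, and the sample certificate (CN=constructed-sample-client) is constructed in memory as a self-signed certificate whose issuer is in no trusted store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainTrustCheck
{
    // Builds the certificate chain and returns the reasons it was rejected
    // (an empty array means the chain ends at a trusted root).
    public static X509ChainStatusFlags[] Validate(X509Certificate2 cert,
                                                  X509RevocationMode revocation)
    {
        // false = build the chain in the current-user context (assumed here to
        // correspond to trustedStoreLocation="CurrentUser" in the configuration).
        using (var chain = new X509Chain(false))
        {
            chain.ChainPolicy.RevocationMode = revocation;
            bool trusted = chain.Build(cert);
            foreach (X509ChainElement element in chain.ChainElements)
                Console.WriteLine("  chain element: " + element.Certificate.Subject);
            return trusted
                ? new X509ChainStatusFlags[0]
                : chain.ChainStatus.Select(s => s.Status).ToArray();
        }
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate.
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=constructed-sample-client", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            {
                // NoCheck keeps the sample offline; it skips revocation checking.
                X509ChainStatusFlags[] problems = Validate(cert, X509RevocationMode.NoCheck);
                Console.WriteLine(problems.Length == 0
                    ? "Chain builds to a trusted root."
                    : "Chain rejected: " + string.Join(", ", problems));
            }
        }
    }
}
```

Running the same Validate method against a certificate loaded from the store shows whether its issuing CA chain has been installed where the validating side looks for it.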
Author: Hyun-Soul
Source: http://www.cnblogs.com/xuanhun/