我一直在处理以下URL,试图在我的开发机器上使用客户端证书来实现WCF传输安全性(因此我的盒子充当客户端和服务器)。
http://msdn.microsoft.com/en-us/library/ff648498.aspx
http://msdn.microsoft.com/en-us/library/ff650751.aspx
我的环境是使用IIS 7.5的Windows 7上的Visual Studio 2008。在我向服务器发出请求之前,一切似乎都很好,无论是打开IE并浏览到我的.svc文件,还是运行我的Windows Form.NET客户端应用程序并调用该服务,此时我都会收到以下错误:
HTTP错误403.7-禁止
您试图访问的页面要求浏览器具有Web服务器可识别的安全套接字层(SSL)客户端证书。
服务器配置文件:
<bindings>
<wsHttpBinding>
<binding name="CertificateWithTransport" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647">
<security mode="Transport">
<transport clientCredentialType="Certificate"></transport>
</security>
</binding>
</wsHttpBinding>
</bindings>
客户端配置文件:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="CertificateWithTransport" closeTimeout="00:10:00"
openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="655360" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Certificate" realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="clientCertificateConf">
<clientCredentials>
<clientCertificate
findValue="32 52 dc 36 e1 95 fb be 4e 3c f6 a6 92 13 53 f4 b5 32 47 45"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindByThumbprint" />
</clientCredentials>
<!--<clientCredentials>
<clientCertificate findValue="CN=localhostclient"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectDistinguishedName" />
</clientCredentials>-->
<dataContractSerializer maxItemsInObjectGraph="2147483647"/>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="https://localhost/Source.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="SourceServerReference.ISourceService" name="SourceService.wsHttp" />
<endpoint address="https://localhost/Community.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="CommunityServerReference.ICommunityService" name="CommunityService.wsHttp" />
<endpoint address="https://localhost/ActivityLeadContact.svc"
behaviorConfiguration="clientCertificateConf" binding="wsHttpBinding"
bindingConfiguration="CertificateWithTransport" contract="ActivityLeadContactServerReference.IActivityLeadContactService"
name="ActivityLeadContactService.wsHttp" />
<endpoint address="https://localhost/User.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="UserServerReference.IUserService" name="UserService.wsHttp" />
<endpoint address="https://localhost/PickListItem.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="PickListItemServerReference.IPickListItemService"
name="PickListItemService.wsHttp" />
<endpoint address="https://localhost/Prospect.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="ProspectServiceReference.IProspectService" name="ProspectService.wsHttp" />
<endpoint address="https://localhost/ActivityLead.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="ActivityLeadServiceReference.IActivityLeadService"
name="ActivityLeadService.wsHttp" />
<endpoint address="https://localhost/ActivityReferral.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="ActivityReferralServiceReference.IActivityReferralService"
name="ActivityReferralService.wsHttp" />
<endpoint address="https://localhost/Referral.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="CertificateWithTransport"
contract="ReferralServiceReference.IReferralService" name="ReferralService.wsHttp" />
<endpoint address="https://localhost/LeadService.svc" behaviorConfiguration="clientCertificateConf"
binding="wsHttpBinding" bindingConfiguration="LeadService.wsHttp"
contract="LeadServerReference.ILeadService" name="LeadService.wsHttp" />
</client>
</system.serviceModel>
</configuration>
如有任何帮助,我们将不胜感激!
客户端证书可能不受信任。根据您提到的链接,客户端证书和服务器证书不是自签名的。
您应该检查颁发证书的CA(客户端和服务器)是否在本地计算机存储中。还要检查CA颁发的CRL(颁发客户端和颁发服务器证书的CA)是否也放在本地计算机存储中,并且它是否有效(它有一个验证期,之后您需要颁发另一个CRL并将其放在存储中)。
您可以使用mmc工具进行检查。
p.s.:我建议您使用xca来颁发证书和CRL。它有一个GUI,您可以设置证书和CRL的验证期,这样就可以轻松地发布100年的CRL。默认情况下,它还具有CA、客户端和服务器证书的模板。