WCF安全操练（1）--X509证书

      使用.NET自带的makecert命令生成证书，命令如下： 

makecert -sr localmachine -ss My -n CN=127.0.0.1 -sky exchange -pe -r

      此处注意，CN后跟的证书名称最好为服务器IP地址，或是服务器机器名称，可以避免在调用安全的WCF服务时写强制认证的逻辑代码。

      makecert命令帮助如下：

 Basic Options
 -sk  <keyName>      Subject's key container name; To be created if not present
 -pe                 Mark generated private key as exportable
 -ss  <store>        Subject's certificate store name that stores the output
                     certificate
 -sr  <location>     Subject's certificate store location.
                        <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -#   <number>       Serial Number from 1 to 2^31-1.  Default to be unique
 -$   <authority>    The signing authority of the certificate
                        <individual|commercial>
 -n   <X509name>     Certificate subject X500 name (eg: CN=Fred Dews)

 

Extended Options
 -tbs <file>         Certificate or CRL file to be signed
 -sc  <file>         Subject's certificate file
 -sv  <pvkFile>      Subject's PVK file; To be created if not present
 -ic  <file>         Issuer's certificate file
 -ik  <keyName>      Issuer's key container name
 -iv  <pvkFile>      Issuer's PVK file
 -is  <store>        Issuer's certificate store name.
 -ir  <location>     Issuer's certificate store location
                        <CurrentUser|LocalMachine>.  Default to 'CurrentUser'
 -in  <name>         Issuer's certificate common name.(eg: Fred Dews)
 -a   <algorithm>    The signature algorithm
                        <md5|sha1>.  Default to 'md5'
 -ip  <provider>     Issuer's CryptoAPI provider's name
 -iy  <type>         Issuer's CryptoAPI provider's type
 -sp  <provider>     Subject's CryptoAPI provider's name
 -sy  <type>         Subject's CryptoAPI provider's type
 -iky <keytype>      Issuer key type
                        <signature|exchange|<integer>>.
 -sky <keytype>      Subject key type
                        <signature|exchange|<integer>>.
 -l   <link>         Link to the policy information (such as a URL)
 -cy  <certType>     Certificate types
                        <end|authority>
 -b   <mm/dd/yyyy>   Start of the validity period; default to now.
 -m   <number>       The number of months for the cert validity period
 -e   <mm/dd/yyyy>   End of validity period; defaults to 2039
 -h   <number>       Max height of the tree below this cert
 -len <number>       Generated Key Length (Bits)
 -r                  Create a self signed certificate
 -nscp               Include netscape client auth extension
 -crl                Generate a CRL instead of a certificate
 -eku <oid[<,oid>]>  Comma separated enhanced key usage OIDs
 -?                  Return a list of basic options
 -!                  Return a list of extended options

 

 

      命令完成后，在运行中打开控制台（命令：mmc）

为控制台中添加管理单元--证书，添加当前用户和本地计算机，用上面命令生成的证书在本地计算机的个人储存区可以看到。

将刚刚生成好的证书导出到硬盘上，导出时选择“是，导出私钥”。

      再将刚刚导出的证书导入到本地计算机的“受信任的根证书颁发机构”和“受信任人”存储区，其中“受信任的根证书颁发机构”是必要的，我们自己为服务器颁发的证书放到这里边后，如果你是在这台服务器上写个客户端去调用WCF服务的话，你会发现省去了强制信任证书的逻辑代码。同理，如果在别的机器上写个客户端调用服务器上的WCF服务，当把证书装到相应机器上的“受信任的根证书颁发机构”中时，也是不用写强制信任证书逻辑的。

      用httpcfg命令配置证书（XP或2003系统），命令如下：

httpcfg set ssl -i 0.0.0.0 -h c5bd2fb29cddae6229826a6d53bf08f1c89f525a

      其中-h后跟的参数为证书指纹，也就是证书详细信息中的“微缩图”的值。

      httpcfg命令工具如果没有的话，可以在网上下载到，httpcfg命令帮助如下：

Usage: httpcfg ACTION STORENAME [OPTIONS]

    ACTION                     - set | query  | delete

    STORENAME                  - ssl | urlacl | iplisten

    [OPTIONS]                  - See Below

Options for ssl:
    -i IP-Address              - IP:port for the SSL certificate (record key)

    -h SslHash                 - Hash of the Certificate.

    -g GUID                    - GUID to identify the owning application.

    -c CertStoreName           - Store name for the certificate. Defaults to
                                 "MY". Certificate must be stored in the
                                 LOCAL_MACHINE context.

    -m CertCheckMode           - Bit Flag
                                    0x00000001 - Client certificate will not b

                                                 verified for revocation.
                                    0x00000002 - Only cached client certificat
                                                 revocation will be used.
                                    0x00000004 - Enable use of the Revocation
                                                 freshness time setting.
                                    0x00010000 - No usage check.

    -r RevocationFreshnessTime - How often to check for an updated certificate
                                 revocation list (CRL). If this value is 0,
                                 then the new CRL is updated only if the
                                 previous one expires. Time is specified in
                                 seconds.

    -x UrlRetrievalTimeout     - Timeout on attempt to retrieve certificate
                                 revocation list from the remote URL.
                                 Timeout is specified in Milliseconds.

    -t SslCtlIdentifier        - Restrict the certificate issuers that can be
                                 trusted. Can be a subset of the certificate
                                 issuers that are trusted by the machine.

    -n SslCtlStoreName         - Store name under LOCAL_MACHINE where
                                 SslCtlIdentifier is stored.

    -f Flags                   - Bit Field
                                    0x00000001 - Use DS Mapper.
                                    0x00000002 - Negotiate Client certificate.
                                    0x00000004 - Do not route to Raw ISAPI
                                                 filters.

Options for urlacl:
    -u Url                     - Fully Qualified URL. (record key)
    -a ACL                     - ACL specified as a SDDL string.

Options for iplisten:
    -i IPAddress               - IPv4 or IPv6 address. (for set/delete only) 

 

      打开IIS，为默认网站添加证书，过程见下图：

      下一步后选则你生成的证书，一直下一步就行了。

      OK，到这里，有关证书在服务器上的配置情况就完成了。