WCF X509 Certificate Authentication

1. A certificate serves two purposes: it secures the transport (SSL/TLS), and it acts as a container for a public/private key pair (asymmetric cryptography).

2. WCF security is divided into transport security and message security. One of the message-security modes is Certificate, in which the client and the service each present an X.509 certificate. Service configuration:

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding">
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Test.Contract">
      <!-- bindingConfiguration must match the binding name exactly; the lookup is case-sensitive -->
      <endpoint address="Wshttp" binding="wsHttpBinding"
                bindingConfiguration="wsHttpBinding" name="wsHttpEndpoint" contract="Test.IContract">
        <identity>
          <!--<dns value="localhost.com" />-->
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true" />
        <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- looked up in CurrentUser\My by subject DN (x509FindType defaults to FindBySubjectDistinguishedName) -->
          <serviceCertificate storeLocation="CurrentUser" findValue="CN=TesteCert" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

Client configuration:

<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior>
        <clientCredentials>
          <serviceCertificate>
            <!-- PeerTrust: the service certificate must be in the Trusted People store;
                 revocationMode="NoCheck" skips revocation checking and is for testing only -->
            <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="CurrentUser" revocationMode="NoCheck"/>
          </serviceCertificate>
          <clientCertificate storeLocation="CurrentUser" findValue="CN=TesTCert"/>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpEndpoint">
        <!-- Message is the wsHttpBinding default; stated explicitly so it visibly matches the service -->
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <!-- bindingConfiguration must match the binding name above exactly -->
    <endpoint address="http://localhost/test.svc"
              binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint"
              contract="Test.IContract" name="wsHttpEndpoint">
      <identity>
        <certificate encodedValue="AwnvvqieXuGbI1rIMwGXUhxNdtUJlyKIgJdRI4xWlYEUU5vTXso/Xxpzu25EkVjslUj5bbY9VwhoFN5CCDINU7xukkxG0bErweXIJPW7Oo8LAQ3OduSD0r+2INkoziiLRxYoVcAgt8+9dLTfR+5QLrFrlxnp//eDiXY=" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
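As an added example (not code from the original post), the following Python script checks WCF service and client configurations for the mistakes that most often break or weaken a Certificate-mode setup: a bindingConfiguration that matches no binding name (WCF compares names case-sensitively), an encodedValue that does not decode to a complete certificate, and test-only settings such as PeerTrust, revocationMode="NoCheck" and published metadata. The embedded configuration strings are constructed, trimmed copies of the post's two configs and deliberately keep the name mismatches the post's original configuration contained (wSHttpBinding vs wsHttpBinding, sHttpEndpoint vs wsHttpEndpoint); the endpoint name "wsHttpEndpoint" and the 200-byte minimum certificate size are assumptions made for the checks.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed: the post's service config, trimmed, keeping its name mismatch
# (binding name="wsHttpBinding" vs bindingConfiguration="wSHttpBinding").
SERVICE_CONFIG = """<system.serviceModel>
  <bindings><wsHttpBinding><binding name="wsHttpBinding">
    <security mode="Message"><message clientCredentialType="Certificate" /></security>
  </binding></wsHttpBinding></bindings>
  <services><service name="Test.Contract">
    <endpoint name="wsHttpEndpoint" address="Wshttp" binding="wsHttpBinding"
              bindingConfiguration="wSHttpBinding" contract="Test.IContract" />
  </service></services>
  <behaviors><serviceBehaviors><behavior>
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="false" />
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel>"""

# Constructed: the post's client config, trimmed, keeping its name mismatch
# (binding name="wsHttpEndpoint" vs bindingConfiguration="sHttpEndpoint").
CLIENT_CONFIG = """<system.serviceModel>
  <behaviors><endpointBehaviors><behavior><clientCredentials>
    <serviceCertificate><authentication certificateValidationMode="PeerTrust"
        trustedStoreLocation="CurrentUser" revocationMode="NoCheck" /></serviceCertificate>
    <clientCertificate storeLocation="CurrentUser" findValue="CN=TesTCert" />
  </clientCredentials></behavior></endpointBehaviors></behaviors>
  <bindings><wsHttpBinding><binding name="wsHttpEndpoint">
    <security><message clientCredentialType="Certificate" /></security>
  </binding></wsHttpBinding></bindings>
  <client><endpoint name="wsHttpEndpoint" address="http://localhost/test.svc"
      binding="wsHttpBinding" bindingConfiguration="sHttpEndpoint" contract="Test.IContract">
    <identity><certificate encodedValue="AwnvvqieXuGbI1rIMwGXUhxNdtUJlyKIgJdRI4xWlYEUU5vTXso/Xxpzu25EkVjslUj5bbY9VwhoFN5CCDINU7xukkxG0bErweXIJPW7Oo8LAQ3OduSD0r+2INkoziiLRxYoVcAgt8+9dLTfR+5QLrFrlxnp//eDiXY=" /></identity>
  </endpoint></client>
</system.serviceModel>"""


def _bindings(root):
    """Map binding type -> {name: <binding>}; WCF matches these names case-sensitively."""
    out = {}
    bindings = root.find("bindings")
    for group in (list(bindings) if bindings is not None else []):
        out[group.tag] = {b.get("name"): b for b in group.findall("binding")}
    return out


def effective_security(config_xml, endpoint_name):
    """(mode, clientCredentialType) of a wsHttpBinding endpoint; None if its binding
    configuration does not resolve. wsHttpBinding defaults are Message / Windows."""
    root = ET.fromstring(config_xml)
    for ep in root.iter("endpoint"):
        if ep.get("name") != endpoint_name or ep.get("binding") != "wsHttpBinding":
            continue
        bconf = ep.get("bindingConfiguration")
        b = _bindings(root).get("wsHttpBinding", {}).get(bconf)
        if bconf is not None and b is None:
            return None
        sec = b.find("security") if b is not None else None
        msg = sec.find("message") if sec is not None else None
        return (sec.get("mode", "Message") if sec is not None else "Message",
                msg.get("clientCredentialType", "Windows") if msg is not None else "Windows")
    return None


def check(config_xml):
    """Return findings (strings) for one <system.serviceModel> section."""
    root = ET.fromstring(config_xml)
    bindings = _bindings(root)
    findings = []
    for ep in root.iter("endpoint"):
        name, btype, bconf = ep.get("name"), ep.get("binding"), ep.get("bindingConfiguration")
        known = bindings.get(btype, {})
        if bconf is not None and bconf not in known:
            text = f"endpoint '{name}': {btype} configuration '{bconf}' does not exist"
            near = [n for n in known if n.lower() == bconf.lower()]
            if near:
                text += f" (did you mean '{near[0]}'? names are case-sensitive)"
            findings.append(text)
        cert = ep.find("identity/certificate")
        if cert is not None:
            try:
                der = base64.b64decode(cert.get("encodedValue", ""), validate=True)
            except binascii.Error:
                der = b""
            if len(der) < 200:  # even a 1024-bit RSA certificate is several hundred bytes of DER
                findings.append(f"endpoint '{name}': encodedValue is not a complete certificate "
                                f"({len(der)} bytes after Base64 decoding)")
    for auth in root.iter("authentication"):
        if auth.get("revocationMode") == "NoCheck":
            findings.append("revocationMode=NoCheck: revoked certificates are still accepted")
        if auth.get("certificateValidationMode") == "PeerTrust":
            findings.append("certificateValidationMode=PeerTrust: peer certificate must be in Trusted People")
    for el in root.iter("serviceMetadata"):
        if el.get("httpGetEnabled", "false").lower() == "true":
            findings.append("serviceMetadata httpGetEnabled=true: WSDL is published over HTTP GET")
    return findings


if __name__ == "__main__":
    for cfg in (SERVICE_CONFIG, CLIENT_CONFIG):
        print(effective_security(cfg, "wsHttpEndpoint"), *check(cfg), sep="\n")
```

Run as-is, effective_security returns None for both sides because neither endpoint resolves its bindingConfiguration; once the two names are corrected it returns ("Message", "Certificate") for both, which is the agreement Certificate mode requires. The PeerTrust and NoCheck findings are informational: they are exactly what the test setup needs, and exactly what should be revisited before the service faces anything other than a test client.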

 

Notes

1. The test certificates must be issued by a CA; with this configuration they cannot be self-signed, because the service validates the client certificate with the default ChainTrust mode. For how to create a CA certificate and issue certificates from it, see

http://msdn.microsoft.com/en-us/library/ff648360.aspx

In step 7 of that article, the makecert command

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky signature -pe tempCert.cer

should be changed to

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer -sr CurrentUser -ss my -sky exchange -pe tempCert.cer

-sky exchange gives the certificate a private key that is capable of key exchange. Message security uses the certificate to protect the session key, so a signature-only key fails at run time with the error that the certificate "must have a private key that is capable of key exchange".

2. The encodedValue can be obtained from the WSDL, or by exporting the certificate in Base64-encoded X.509 (.cer) format and joining the lines between the BEGIN CERTIFICATE and END CERTIFICATE markers into one string.

3. The certificates must be copied into the "Trusted People" store in the Certificates MMC snap-in, because certificateValidationMode="PeerTrust" only accepts certificates found there. revocationMode="NoCheck" disables revocation checking and is for testing only.
