我有一个部署到IIS的应用程序,需要调用SOAP服务。它使用.NET Framework中的WCF。该SOAP服务要求使用在运行时提供的客户端证书对请求进行身份验证。应用程序的管理员用户可以在后台更新使用的证书。目的是实现自治,并且证书生命周期管理独立于IIS或基础系统,因此不能选择使用计算机证书存储。这是初始代码:
var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
var client = new ServiceReference1.myClient(binding, new EndpointAddress(serviceUrl));
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var certificate = new X509Certificate2(certificateBinary, certificatePassword);
client.ClientCredentials.ClientCertificate.Certificate = certificate;
//use the client
var result = client.myMethod(new ServiceReference1.MethodRequest());
certificateBinary是加载包含完整证书链(客户端证书,中间CA和根CA)以及certificatePassword用于创建该文件的密码的PFX文件的结果。但是该请求被服务器拒绝。通过查看Wireshark,似乎只发送了客户端证书。这与我们将PFX安装在可以正常工作的机器存储上时的情况不同。
因此,我尝试的下一步是在运行时安装证书。首先加载它们:
X509Certificate2Collection collection = new X509Certificate2Collection();
try {
collection.Import(ssCertificateFile, ssPassword, X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
}
然后确定它们是哪种证书,最后将它们安装在当前用户存储中:
private static void InstallCertificates(X509Certificate2Collection clientCerts, X509Certificate2Collection intermediateCAs, X509Certificate2Collection RootCAs) {
using (X509Store personalStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) {
personalStore.Open(OpenFlags.ReadWrite);
personalStore.AddRange(clientCerts);
}
using (X509Store intermediateStore = new X509Store(StoreName.CertificateAuthority, …