How to: Use Separate X.509 Certificates for Signing and Encryption

This topic shows how to configure Windows Communication Foundation (WCF) to use different certificates for message signing and encryption on both the client and the service.

To enable separate certificates for signing and encryption, custom client credentials, custom service credentials, or both must be created, because WCF does not provide an API to set multiple client or service certificates. Additionally, a security token manager must be provided that uses the information about the multiple certificates and creates the appropriate security token provider for a given key usage and message direction.

The following diagram shows the main classes used, the classes they inherit from (shown by an upward-pointing arrow), and the return types of certain methods and properties.

Chart showing how client credentials are used

For more information about custom credentials, see Walkthrough: Creating Custom Client and Service Credentials.

In addition, you must create a custom identity verifier and link it to the security binding element in a custom binding. You must also use the custom credentials instead of the default credentials.

The following diagram shows the classes involved in the custom binding and how the custom identity verifier is linked. Several binding elements are involved, all of which inherit from BindingElement. The AsymmetricSecurityBindingElement exposes its LocalClientSecuritySettings through the LocalClientSettings property, whose IdentityVerifier property holds an instance of IdentityVerifier, from which MyIdentityVerifier is derived.

Chart showing a custom binding element

For more information about creating a custom identity verifier, see How to: Create a Custom Client Identity Verifier.

To use separate certificates for signing and encryption

  1. Define a new client credentials class that inherits from the ClientCredentials class. Implement four new properties so that multiple certificates can be specified: ClientSigningCertificate, ClientEncryptingCertificate, ServiceSigningCertificate, and ServiceEncryptingCertificate. Also override the CreateSecurityTokenManager method to return an instance of the customized ClientCredentialsSecurityTokenManager class that is defined in the next step.

    public class MyClientCredentials : ClientCredentials
    {
        X509Certificate2 clientSigningCert;
        X509Certificate2 clientEncryptingCert;
        X509Certificate2 serviceSigningCert;
        X509Certificate2 serviceEncryptingCert;
    
        public MyClientCredentials()
        {
        }
    
        protected MyClientCredentials(MyClientCredentials other)
            : base(other)
        {
            this.clientEncryptingCert = other.clientEncryptingCert;
            this.clientSigningCert = other.clientSigningCert;
            this.serviceEncryptingCert = other.serviceEncryptingCert;
            this.serviceSigningCert = other.serviceSigningCert;
        }
    
        public X509Certificate2 ClientSigningCertificate
        {
            get
            {
                return this.clientSigningCert;
            }
            set
            {
                this.clientSigningCert = value;
            }
        }
    
        public X509Certificate2 ClientEncryptingCertificate
        {
            get
            {
                return this.clientEncryptingCert;
            }
            set
            {
                this.clientEncryptingCert = value;
            }
        }
    
        public X509Certificate2 ServiceSigningCertificate
        {
            get
            {
                return this.serviceSigningCert;
            }
            set
            {
                this.serviceSigningCert = value;
            }
        }
    
        public X509Certificate2 ServiceEncryptingCertificate
        {
            get
            {
                return this.serviceEncryptingCert;
            }
            set
            {
                this.serviceEncryptingCert = value;
            }
        }
    
        public override SecurityTokenManager CreateSecurityTokenManager()
        {
            return new MyClientCredentialsSecurityTokenManager(this);
        }
    
        protected override ClientCredentials CloneCore()
        {
            return new MyClientCredentials(this);
        }
    }
    
    Public Class MyClientCredentials
        Inherits ClientCredentials
    
        Private clientSigningCert As X509Certificate2
        Private clientEncryptingCert As X509Certificate2
        Private serviceSigningCert As X509Certificate2
        Private serviceEncryptingCert As X509Certificate2
    
        Public Sub New()
        End Sub
    
        Protected Sub New(ByVal other As MyClientCredentials)
            MyBase.New(other)
            Me.clientEncryptingCert = other.clientEncryptingCert
            Me.clientSigningCert = other.clientSigningCert
            Me.serviceEncryptingCert = other.serviceEncryptingCert
            Me.serviceSigningCert = other.serviceSigningCert
        End Sub
    
        Public Property ClientSigningCertificate() As X509Certificate2
            Get
                Return Me.clientSigningCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.clientSigningCert = value
            End Set
        End Property
    
        Public Property ClientEncryptingCertificate() As X509Certificate2
            Get
                Return Me.clientEncryptingCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.clientEncryptingCert = value
            End Set
        End Property
    
        Public Property ServiceSigningCertificate() As X509Certificate2
            Get
                Return Me.serviceSigningCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.serviceSigningCert = value
            End Set
        End Property
    
        Public Property ServiceEncryptingCertificate() As X509Certificate2
            Get
                Return Me.serviceEncryptingCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.serviceEncryptingCert = value
            End Set
        End Property
    
        Public Overrides Function CreateSecurityTokenManager() As SecurityTokenManager
            Return New MyClientCredentialsSecurityTokenManager(Me)
        End Function
    
        Protected Overrides Function CloneCore() As ClientCredentials
            Return New MyClientCredentials(Me)
        End Function
    
    End Class
    
  2. Define a new client security token manager that inherits from the ClientCredentialsSecurityTokenManager class. Override the CreateSecurityTokenProvider method to create the appropriate security token provider. The requirement parameter (a SecurityTokenRequirement) provides the message direction and the key usage.

    internal class MyClientCredentialsSecurityTokenManager : 
        ClientCredentialsSecurityTokenManager
    {
        MyClientCredentials credentials;
    
        public MyClientCredentialsSecurityTokenManager(
            MyClientCredentials credentials): base(credentials)
        {
            this.credentials = credentials;
        }
    
        public override SecurityTokenProvider CreateSecurityTokenProvider(
            SecurityTokenRequirement requirement)
        {
            SecurityTokenProvider result = null;
            if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                MessageDirection direction = requirement.GetProperty
                    <MessageDirection>(ServiceModelSecurityTokenRequirement.
                    MessageDirectionProperty);
                if (direction == MessageDirection.Output)
                {
                    if (requirement.KeyUsage == SecurityKeyUsage.Signature)
                    {
                        result = new X509SecurityTokenProvider(
                            this.credentials.ClientSigningCertificate);
                    }
                    else
                    {
                        result = new X509SecurityTokenProvider(this.credentials.
                            ServiceEncryptingCertificate);
                    }
                }
                else
                {
                    if (requirement.KeyUsage == SecurityKeyUsage.Signature)
                    {
                        result = new X509SecurityTokenProvider(this.
                            credentials.ServiceSigningCertificate);
                    }
                    else
                    {
                        result = new X509SecurityTokenProvider(credentials.
                            ClientEncryptingCertificate);
                    }
                }
            }
            else
            {
                result = base.CreateSecurityTokenProvider(requirement);
            }
    
            return result;
        }
    
        public override SecurityTokenAuthenticator 
            CreateSecurityTokenAuthenticator(SecurityTokenRequirement 
            tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver)
        {
            return base.CreateSecurityTokenAuthenticator(tokenRequirement, 
                out outOfBandTokenResolver);
        }
    }
    
    Friend Class MyClientCredentialsSecurityTokenManager
        Inherits ClientCredentialsSecurityTokenManager
    
        Private credentials As MyClientCredentials
    
        Public Sub New(ByVal credentials As MyClientCredentials)
            MyBase.New(credentials)
            Me.credentials = credentials
        End Sub
    
        Public Overrides Function CreateSecurityTokenProvider(ByVal requirement As SecurityTokenRequirement) As SecurityTokenProvider
            Dim result As SecurityTokenProvider = Nothing
            If requirement.TokenType = SecurityTokenTypes.X509Certificate Then
                Dim direction = requirement.GetProperty(Of MessageDirection)(ServiceModelSecurityTokenRequirement.MessageDirectionProperty)
                If direction = MessageDirection.Output Then
                    If requirement.KeyUsage = SecurityKeyUsage.Signature Then
                        result = New X509SecurityTokenProvider(Me.credentials.ClientSigningCertificate)
                    Else
                        result = New X509SecurityTokenProvider(Me.credentials.ServiceEncryptingCertificate)
                    End If
                Else
                    If requirement.KeyUsage = SecurityKeyUsage.Signature Then
                        result = New X509SecurityTokenProvider(Me.credentials.ServiceSigningCertificate)
                    Else
                        result = New X509SecurityTokenProvider(credentials.ClientEncryptingCertificate)
                    End If
                End If
            Else
                result = MyBase.CreateSecurityTokenProvider(requirement)
            End If
    
            Return result
        End Function
    
        Public Overrides Function CreateSecurityTokenAuthenticator(ByVal tokenRequirement As SecurityTokenRequirement, _
                                                                   <System.Runtime.InteropServices.Out()> ByRef outOfBandTokenResolver As SecurityTokenResolver) As SecurityTokenAuthenticator
            Return MyBase.CreateSecurityTokenAuthenticator(tokenRequirement, _
                                                           outOfBandTokenResolver)
        End Function
    
    End Class
    
  3. Define a new service credentials class that inherits from the ServiceCredentials class. Implement four new properties so that multiple certificates can be specified: ClientSigningCertificate, ClientEncryptingCertificate, ServiceSigningCertificate, and ServiceEncryptingCertificate. Also override the CreateSecurityTokenManager method to return an instance of the customized ServiceCredentialsSecurityTokenManager class that is defined in the next step.

    public class MyServiceCredentials : ServiceCredentials
    {
        X509Certificate2 clientSigningCert;
        X509Certificate2 clientEncryptingCert;
        X509Certificate2 serviceSigningCert;
        X509Certificate2 serviceEncryptingCert;
    
        public MyServiceCredentials()
        {
        }
    
        protected MyServiceCredentials(MyServiceCredentials other)
            : base(other)
        {
            this.clientEncryptingCert = other.clientEncryptingCert;
            this.clientSigningCert = other.clientSigningCert;
            this.serviceEncryptingCert = other.serviceEncryptingCert;
            this.serviceSigningCert = other.serviceSigningCert;
        }
    
        public X509Certificate2 ClientSigningCertificate
        {
            get
            {
                return this.clientSigningCert;
            }
            set
            {
                this.clientSigningCert = value;
            }
        }
    
        public X509Certificate2 ClientEncryptingCertificate
        {
            get
            {
                return this.clientEncryptingCert;
            }
            set
            {
                this.clientEncryptingCert = value;
            }
        }
    
        public X509Certificate2 ServiceSigningCertificate
        {
            get
            {
                return this.serviceSigningCert;
            }
            set
            {
                this.serviceSigningCert = value;
            }
        }
    
        public X509Certificate2 ServiceEncryptingCertificate
        {
            get
            {
                return this.serviceEncryptingCert;
            }
            set
            {
                this.serviceEncryptingCert = value;
            }
        }
    
        public override SecurityTokenManager CreateSecurityTokenManager()
        {
            return new MyServiceCredentialsSecurityTokenManager(this);
        }
    
        protected override ServiceCredentials CloneCore()
        {
            return new MyServiceCredentials(this);
        }
    }
    
    Public Class MyServiceCredentials
        Inherits ServiceCredentials
    
        Private clientSigningCert As X509Certificate2
        Private clientEncryptingCert As X509Certificate2
        Private serviceSigningCert As X509Certificate2
        Private serviceEncryptingCert As X509Certificate2
    
        Public Sub New()
        End Sub
    
        Protected Sub New(ByVal other As MyServiceCredentials)
            MyBase.New(other)
            Me.clientEncryptingCert = other.clientEncryptingCert
            Me.clientSigningCert = other.clientSigningCert
            Me.serviceEncryptingCert = other.serviceEncryptingCert
            Me.serviceSigningCert = other.serviceSigningCert
        End Sub
    
        Public Property ClientSigningCertificate() As X509Certificate2
            Get
                Return Me.clientSigningCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.clientSigningCert = value
            End Set
        End Property
    
        Public Property ClientEncryptingCertificate() As X509Certificate2
            Get
                Return Me.clientEncryptingCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.clientEncryptingCert = value
            End Set
        End Property
    
        Public Property ServiceSigningCertificate() As X509Certificate2
            Get
                Return Me.serviceSigningCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.serviceSigningCert = value
            End Set
        End Property
    
        Public Property ServiceEncryptingCertificate() As X509Certificate2
            Get
                Return Me.serviceEncryptingCert
            End Get
            Set(ByVal value As X509Certificate2)
                Me.serviceEncryptingCert = value
            End Set
        End Property
    
        Public Overrides Function CreateSecurityTokenManager() As SecurityTokenManager
            Return New MyServiceCredentialsSecurityTokenManager(Me)
        End Function
    
        Protected Overrides Function CloneCore() As ServiceCredentials
            Return New MyServiceCredentials(Me)
        End Function
    
    End Class
    
  4. Define a new service security token manager that inherits from the ServiceCredentialsSecurityTokenManager class. Override the CreateSecurityTokenProvider method to create the appropriate security token provider for the message direction and key usage that are passed in.

    internal class MyServiceCredentialsSecurityTokenManager : 
        ServiceCredentialsSecurityTokenManager
    {
        MyServiceCredentials credentials;
    
        public MyServiceCredentialsSecurityTokenManager(
            MyServiceCredentials credentials)
            : base(credentials)
        {
            this.credentials = credentials;
        }
    
        public override SecurityTokenProvider CreateSecurityTokenProvider(
            SecurityTokenRequirement requirement)
        {
            SecurityTokenProvider result = null;
            if (requirement.TokenType == SecurityTokenTypes.X509Certificate)
            {
                MessageDirection direction = requirement.
                    GetProperty<MessageDirection>(
                    ServiceModelSecurityTokenRequirement.
                    MessageDirectionProperty);
                if (direction == MessageDirection.Input)
                {
                    if (requirement.KeyUsage == SecurityKeyUsage.Exchange)
                    {
                        result = new X509SecurityTokenProvider(
                            credentials.ServiceEncryptingCertificate);
                    }
                    else
                    {
                        result = new X509SecurityTokenProvider(
                            credentials.ClientSigningCertificate);
                    }
                }
                else
                {
                    if (requirement.KeyUsage == SecurityKeyUsage.Signature)
                    {
                        result = new X509SecurityTokenProvider(
                            credentials.ServiceSigningCertificate);
                    }
                    else
                    {
                        result = new X509SecurityTokenProvider(
                            credentials.ClientEncryptingCertificate);
                    }
                }
            }
            else
            {
                result = base.CreateSecurityTokenProvider(requirement);
            }
            return result;
        }
    }
    
    Friend Class MyServiceCredentialsSecurityTokenManager
        Inherits ServiceCredentialsSecurityTokenManager
    
        Private credentials As MyServiceCredentials
    
        Public Sub New(ByVal credentials As MyServiceCredentials)
            MyBase.New(credentials)
            Me.credentials = credentials
        End Sub
    
        Public Overrides Function CreateSecurityTokenProvider(ByVal requirement As SecurityTokenRequirement) As SecurityTokenProvider
            Dim result As SecurityTokenProvider = Nothing
            If requirement.TokenType = SecurityTokenTypes.X509Certificate Then
                Dim direction = requirement.GetProperty(Of MessageDirection)(ServiceModelSecurityTokenRequirement.MessageDirectionProperty)
                If direction = MessageDirection.Input Then
                    If requirement.KeyUsage = SecurityKeyUsage.Exchange Then
                        result = New X509SecurityTokenProvider(credentials.ServiceEncryptingCertificate)
                    Else
                        result = New X509SecurityTokenProvider(credentials.ClientSigningCertificate)
                    End If
                Else
                    If requirement.KeyUsage = SecurityKeyUsage.Signature Then
                        result = New X509SecurityTokenProvider(credentials.ServiceSigningCertificate)
                    Else
                        result = New X509SecurityTokenProvider(credentials.ClientEncryptingCertificate)
                    End If
                End If
            Else
                result = MyBase.CreateSecurityTokenProvider(requirement)
            End If
            Return result
        End Function
    
    End Class
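The four token-manager branches above decide which certificate is used where, and that decision implies what each certificate must be able to do: on the client, ClientSigningCertificate signs requests and ClientEncryptingCertificate decrypts responses (both need a private key), while the two service certificates are used with their public key only; on the service the roles are mirrored. The following check, added here as an example and not part of the original page or of WCF, takes the four certificates a MyClientCredentials or MyServiceCredentials instance holds and reports any that cannot fill their role (missing private key, outside validity period, or a Key Usage extension that excludes the required operation). The test certificates are constructed in memory with CertificateRequest (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later) so the check runs offline; the subject names are made up for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: validates that each of the four certificates can play the role the
// custom token managers assign to it. Not part of the original page.
public static class CertificateRoleChecks
{
    public sealed class RoleProblem
    {
        public string Role { get; }
        public string Detail { get; }
        public RoleProblem(string role, string detail) { Role = role; Detail = detail; }
        public override string ToString() => Role + ": " + Detail;
    }

    // Returns all findings; an empty list means every role is satisfiable on this side.
    public static IList<RoleProblem> Check(
        bool isServiceSide,
        X509Certificate2 clientSigning, X509Certificate2 clientEncrypting,
        X509Certificate2 serviceSigning, X509Certificate2 serviceEncrypting)
    {
        const X509KeyUsageFlags Sign = X509KeyUsageFlags.DigitalSignature;
        const X509KeyUsageFlags Encrypt = X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DataEncipherment;

        var problems = new List<RoleProblem>();
        // The side that signs or decrypts with a certificate must hold its private key.
        CheckOne(problems, "ClientSigningCertificate", clientSigning, Sign, needsPrivateKey: !isServiceSide);
        CheckOne(problems, "ClientEncryptingCertificate", clientEncrypting, Encrypt, needsPrivateKey: !isServiceSide);
        CheckOne(problems, "ServiceSigningCertificate", serviceSigning, Sign, needsPrivateKey: isServiceSide);
        CheckOne(problems, "ServiceEncryptingCertificate", serviceEncrypting, Encrypt, needsPrivateKey: isServiceSide);
        return problems;
    }

    static void CheckOne(List<RoleProblem> problems, string role, X509Certificate2 cert,
                         X509KeyUsageFlags requiredUsage, bool needsPrivateKey)
    {
        if (cert == null) { problems.Add(new RoleProblem(role, "no certificate configured")); return; }
        if (needsPrivateKey && !cert.HasPrivateKey)
            problems.Add(new RoleProblem(role, "private key required on this side but not present"));
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            problems.Add(new RoleProblem(role, "certificate is outside its validity period"));
        // Key usage is only enforced when the extension is present; an absent extension
        // places no restriction on the key (RFC 5280).
        foreach (X509Extension ext in cert.Extensions)
        {
            var ku = ext as X509KeyUsageExtension;
            if (ku != null && (ku.KeyUsages & requiredUsage) == 0)
                problems.Add(new RoleProblem(role, "Key Usage extension does not allow " + requiredUsage));
        }
    }

    // Constructed test certificate (self-signed, in memory). The RSA object is deliberately
    // not disposed: the certificate keeps using it for as long as the demo runs.
    public static X509Certificate2 MakeTestCert(string subject, X509KeyUsageFlags usage, bool keepPrivateKey)
    {
        RSA rsa = RSA.Create();
        rsa.KeySize = 2048;
        var req = new CertificateRequest("CN=" + subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        X509Certificate2 cert = req.CreateSelfSigned(DateTimeOffset.Now.AddMinutes(-5), DateTimeOffset.Now.AddDays(1));
        // Re-importing only the DER certificate models the peer's certificate as it is
        // distributed: public part only, no private key.
        return keepPrivateKey ? cert : new X509Certificate2(cert.Export(X509ContentType.Cert));
    }

    public static void Main()
    {
        // Client-side view: private keys for the client's own two certificates, public parts only
        // for the service's.
        var clientSign = MakeTestCert("client-sign", X509KeyUsageFlags.DigitalSignature, keepPrivateKey: true);
        var clientEnc  = MakeTestCert("client-enc", X509KeyUsageFlags.KeyEncipherment, keepPrivateKey: true);
        var svcSign    = MakeTestCert("service-sign", X509KeyUsageFlags.DigitalSignature, keepPrivateKey: false);
        var svcEnc     = MakeTestCert("service-enc", X509KeyUsageFlags.KeyEncipherment, keepPrivateKey: false);

        Console.WriteLine("correct configuration:");
        foreach (var p in Check(false, clientSign, clientEnc, svcSign, svcEnc)) Console.WriteLine("  " + p);

        // A typical slip: the service signing certificate pasted into both service slots, so the
        // encrypting role is backed by a signature-only key.
        Console.WriteLine("signing certificate reused for encryption:");
        foreach (var p in Check(false, clientSign, clientEnc, svcSign, svcSign)) Console.WriteLine("  " + p);

        // Another slip: running the service-side check with the public-only service certificates.
        Console.WriteLine("service side without service private keys:");
        foreach (var p in Check(true, clientSign, clientEnc, svcSign, svcEnc)) Console.WriteLine("  " + p);
    }
}
```

Running the check once from the client's point of view and once from the service's, with the certificates each side is actually given, catches the two configuration errors that otherwise surface only as a signing or decryption failure on the first message: a certificate whose private key is not available on the side that needs it, and a single certificate reused for both roles.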
    

To use multiple certificates on the client

  1. Create a custom binding. The security binding element must operate in duplex mode so that different security token providers can be present for requests and responses. One way to do this is to use a duplex-capable transport or the CompositeDuplexBindingElement, as shown in the following code. Link the customized IdentityVerifier, which is defined in the next step, to the security binding element. Replace the default client credentials with the customized client credentials created previously.

    EndpointAddress serviceEndpoint =
        new EndpointAddress(new Uri("http://localhost:6060/service"));

    CustomBinding binding = new CustomBinding();

    AsymmetricSecurityBindingElement securityBE =
        SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    // Add a custom IdentityVerifier because the service uses two certificates
    // (one for signing and one for encryption) and an endpoint identity that
    // contains a single identity claim.
    securityBE.LocalClientSettings.IdentityVerifier = new MyIdentityVerifier();
    binding.Elements.Add(securityBE);

    CompositeDuplexBindingElement compositeDuplex =
        new CompositeDuplexBindingElement();
    compositeDuplex.ClientBaseAddress = new Uri("http://localhost:6061/client");
    binding.Elements.Add(compositeDuplex);

    binding.Elements.Add(new OneWayBindingElement());

    binding.Elements.Add(new HttpTransportBindingElement());

    using (ChannelFactory<IMyServiceChannel> factory =
        new ChannelFactory<IMyServiceChannel>(binding, serviceEndpoint))
    {
        MyClientCredentials credentials = new MyClientCredentials();
        SetupCertificates(credentials);
        factory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
        factory.Endpoint.Behaviors.Add(credentials);

        IMyServiceChannel channel = factory.CreateChannel();
        Console.WriteLine(channel.Hello("world"));
        channel.Close();
    }
    
    Dim serviceEndpoint As New EndpointAddress(New Uri("http://localhost:6060/service"))
    
    Dim binding As New CustomBinding()
    
    Dim securityBE = SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10)
    ' Add a custom IdentityVerifier because the service uses two certificates 
    ' (one for signing and one for encryption) and an endpoint identity that 
    ' contains a single identity claim.
    securityBE.LocalClientSettings.IdentityVerifier = New MyIdentityVerifier()
    binding.Elements.Add(securityBE)
    
    Dim compositeDuplex As New CompositeDuplexBindingElement()
    
    compositeDuplex.ClientBaseAddress = New Uri("http://localhost:6061/client")
    
    With binding.Elements
        .Add(compositeDuplex)
        .Add(New OneWayBindingElement())
        .Add(New HttpTransportBindingElement())
    End With
    
    Using factory As New ChannelFactory(Of IMyServiceChannel)(binding, serviceEndpoint)
        Dim credentials As New MyClientCredentials()
        SetupCertificates(credentials)
    
        With factory.Endpoint.Behaviors
            .Remove(GetType(ClientCredentials))
            .Add(credentials)
        End With
    
        Dim channel = factory.CreateChannel()
        Console.WriteLine(channel.Hello("world"))
        channel.Close()
    End Using
    
  2. Define a custom IdentityVerifier. The service has multiple identities because different certificates are used to encrypt the request and to sign the response.

    Note

    In the following sample, the provided custom identity verifier does not perform any endpoint identity checking; it is kept that way for demonstration purposes only. This is not recommended practice for production code.

    class MyIdentityVerifier : IdentityVerifier
    {
        IdentityVerifier defaultVerifier;
    
        public MyIdentityVerifier()
        {
            this.defaultVerifier = IdentityVerifier.CreateDefault();
        }
    
        public override bool CheckAccess(EndpointIdentity identity, 
            AuthorizationContext authContext)
        {
            // The following implementation is for demonstration only, and
            // does not perform any checks regarding EndpointIdentity.
            // Do not use this for production code.
            return true;
        }
    
        public override bool TryGetIdentity(EndpointAddress reference, 
            out EndpointIdentity identity)
        {
            return this.defaultVerifier.TryGetIdentity(reference, out identity);
        }
    }
    
    
    Friend Class MyIdentityVerifier
        Inherits IdentityVerifier
    
        Private defaultVerifier As IdentityVerifier
    
        Public Sub New()
            Me.defaultVerifier = IdentityVerifier.CreateDefault()
        End Sub
    
        Public Overrides Function CheckAccess(ByVal identity As EndpointIdentity, ByVal authContext As AuthorizationContext) As Boolean
            ' The following implementation is for demonstration only, and
            ' does not perform any checks regarding EndpointIdentity.
            ' Do not use this for production code.
            Return True
        End Function
    
        Public Overrides Function TryGetIdentity(ByVal reference As EndpointAddress, <System.Runtime.InteropServices.Out()> ByRef identity As EndpointIdentity) As Boolean
            Return Me.defaultVerifier.TryGetIdentity(reference, identity)
        End Function
    
    End Class
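The note above says why the sample verifier's unconditional `return true` must not ship: it accepts any service certificate at all. The default verifier fails here only because the endpoint identity carries one X.509 claim while the service presents two certificates, so the fix is to widen the check to exactly those two certificates rather than to drop it. The following verifier is an added example, not the page's MyIdentityVerifier and not WCF code; it assumes the client already holds the service's signing and encrypting certificates (the same ones set on MyClientCredentials.ServiceSigningCertificate and ServiceEncryptingCertificate) and passes CheckAccess only when a thumbprint claim in the authorization context matches one of them.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: an IdentityVerifier that pins the service to the two certificates the
// client expects it to use, instead of accepting every identity. Not part of the page.
class PinnedServiceIdentityVerifier : IdentityVerifier
{
    readonly IdentityVerifier defaultVerifier = IdentityVerifier.CreateDefault();
    readonly List<byte[]> expectedThumbprints;

    // Pass the service's signing and encrypting certificates; public parts are sufficient.
    public PinnedServiceIdentityVerifier(params X509Certificate2[] serviceCertificates)
    {
        if (serviceCertificates == null || serviceCertificates.Length == 0)
            throw new ArgumentException("at least one service certificate must be pinned");
        // GetCertHash() is the SHA-1 thumbprint WCF places in the X.509 claim set.
        expectedThumbprints = serviceCertificates.Select(c => c.GetCertHash()).ToList();
    }

    public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
    {
        if (authContext == null)
            return false;

        // WCF builds one claim set per authenticated token. Whichever of the two service
        // certificates produced the token, its thumbprint claim must be one we pinned.
        foreach (ClaimSet claimSet in authContext.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
            {
                byte[] presented = claim.Resource as byte[];
                if (presented != null && expectedThumbprints.Any(t => t.SequenceEqual(presented)))
                    return true;
            }
        }
        // No claim set carried a pinned thumbprint: treat the peer as not the expected service.
        return false;
    }

    public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
    {
        // Identity resolution from the address (DNS, SPN, or a single X.509 claim) is
        // unchanged; only CheckAccess is widened to the two pinned certificates.
        return defaultVerifier.TryGetIdentity(reference, out identity);
    }
}
```

To use it in place of MyIdentityVerifier in the client binding code above, set `securityBE.LocalClientSettings.IdentityVerifier = new PinnedServiceIdentityVerifier(credentials.ServiceSigningCertificate, credentials.ServiceEncryptingCertificate);` after the credentials have been populated. The verifier deliberately ignores the `identity` argument: the endpoint address can only name one certificate, and the second one is supplied through the constructor instead.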
    

To use multiple certificates on the service

  1. Create a custom binding. The security binding element must operate in duplex mode so that different security token providers can be present for requests and responses. As with the client, use a duplex-capable transport or the CompositeDuplexBindingElement, as shown in the following code. Replace the default service credentials with the customized service credentials created previously.

    Uri serviceEndpoint = new Uri("http://localhost:6060/service");
    using (ServiceHost host = new ServiceHost(typeof(Service), serviceEndpoint))
    {
        CustomBinding binding = new CustomBinding();
        binding.Elements.Add(SecurityBindingElement.
            CreateMutualCertificateDuplexBindingElement(
                MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10));
        binding.Elements.Add(new CompositeDuplexBindingElement());
        binding.Elements.Add(new OneWayBindingElement());
        binding.Elements.Add(new HttpTransportBindingElement());

        MyServiceCredentials credentials = new MyServiceCredentials();
        SetupCertificates(credentials);
        host.Description.Behaviors.Remove(typeof(ServiceCredentials));
        host.Description.Behaviors.Add(credentials);

        ServiceEndpoint endpoint = host.AddServiceEndpoint(
            typeof(IMyService), binding, "");
        host.Open();

        Console.WriteLine("Service started, press ENTER to stop...");
        Console.ReadLine();
    }
    
    Dim serviceEndpoint As New Uri("http://localhost:6060/service")
    Using host As New ServiceHost(GetType(Service), serviceEndpoint)
        Dim binding As New CustomBinding()
    
        With binding.Elements
            .Add(SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10))
            .Add(New CompositeDuplexBindingElement())
            .Add(New OneWayBindingElement())
            .Add(New HttpTransportBindingElement())
        End With
    
        Dim credentials As New MyServiceCredentials()
        SetupCertificates(credentials)
        With host.Description.Behaviors
            .Remove(GetType(ServiceCredentials))
            .Add(credentials)
        End With
    
        Dim endpoint = host.AddServiceEndpoint(GetType(IMyService), binding, "")
        host.Open()
    
        Console.WriteLine("Service started, press ENTER to stop...")
        Console.ReadLine()
    End Using
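Both the client and the service code above call a SetupCertificates helper that the page does not define. The following is one way to write it, added here as an example that is not part of the original page: it looks each of the four certificates up in the Windows certificate store by subject distinguished name and refuses to continue if a lookup is ambiguous, the certificate is not currently valid, or a private key is missing on the side that must sign or decrypt with it. The subject names and store choices are placeholders; the MyClientCredentials and MyServiceCredentials types are the ones defined in the first procedure.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example of the SetupCertificates helper the snippets above rely on. Not part of the page.
static class CertificateSetup
{
    // Placeholder subject names, constructed for this example; replace with your own.
    const string ClientSigningSubject     = "CN=example-client-sign";
    const string ClientEncryptingSubject  = "CN=example-client-enc";
    const string ServiceSigningSubject    = "CN=example-service-sign";
    const string ServiceEncryptingSubject = "CN=example-service-enc";

    public static void SetupCertificates(MyClientCredentials credentials)
    {
        // The client signs requests and decrypts responses with its own two certificates, so
        // those come from the personal store with private keys. The service's certificates
        // are needed for encrypting requests and verifying response signatures: public parts
        // only, taken from the Trusted People store.
        credentials.ClientSigningCertificate     = Find(StoreLocation.CurrentUser, StoreName.My, ClientSigningSubject, requirePrivateKey: true);
        credentials.ClientEncryptingCertificate  = Find(StoreLocation.CurrentUser, StoreName.My, ClientEncryptingSubject, requirePrivateKey: true);
        credentials.ServiceSigningCertificate    = Find(StoreLocation.CurrentUser, StoreName.TrustedPeople, ServiceSigningSubject, requirePrivateKey: false);
        credentials.ServiceEncryptingCertificate = Find(StoreLocation.CurrentUser, StoreName.TrustedPeople, ServiceEncryptingSubject, requirePrivateKey: false);
    }

    public static void SetupCertificates(MyServiceCredentials credentials)
    {
        // Mirror image on the service: private keys for the service's own certificates,
        // public certificates for the client's.
        credentials.ServiceSigningCertificate    = Find(StoreLocation.LocalMachine, StoreName.My, ServiceSigningSubject, requirePrivateKey: true);
        credentials.ServiceEncryptingCertificate = Find(StoreLocation.LocalMachine, StoreName.My, ServiceEncryptingSubject, requirePrivateKey: true);
        credentials.ClientSigningCertificate     = Find(StoreLocation.LocalMachine, StoreName.TrustedPeople, ClientSigningSubject, requirePrivateKey: false);
        credentials.ClientEncryptingCertificate  = Find(StoreLocation.LocalMachine, StoreName.TrustedPeople, ClientEncryptingSubject, requirePrivateKey: false);
    }

    static X509Certificate2 Find(StoreLocation location, StoreName name, string subject, bool requirePrivateKey)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly: true drops expired, not-yet-valid and untrusted certificates, so a
            // stale or unchained certificate fails here rather than on the first message.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, validOnly: true);
            if (matches.Count != 1)
                throw new InvalidOperationException(string.Format(
                    "expected exactly one valid certificate for {0} in {1}\\{2}, found {3}",
                    subject, location, name, matches.Count));

            X509Certificate2 cert = matches[0];
            if (requirePrivateKey && !cert.HasPrivateKey)
                throw new InvalidOperationException("no private key available for " + subject);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Because the lookup uses `validOnly: true`, the peer certificates in Trusted People must chain to a root the machine trusts; a self-signed test certificate that is not also in the trusted root store will be filtered out and the lookup will fail with the "found 0" message, which is the intended behaviour rather than silently falling back to an untrusted certificate.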
    

See Also

ClientCredentials
ServiceCredentials
ClientCredentialsSecurityTokenManager
ServiceCredentialsSecurityTokenManager
IdentityVerifier
Walkthrough: Creating Custom Client and Service Credentials