<authentication> of <serviceCertificate> Element

Specifies the settings used by the client proxy to authenticate service certificates that are obtained using SSL/TLS negotiation.

<configuration>
  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior>
          <clientCredentials>
            <serviceCertificate>
              <authentication>

Syntax

<authentication customCertificateValidatorType="String"
                certificateValidationMode="None/PeerTrust/ChainTrust/PeerOrChainTrust/Custom"
                revocationMode="NoCheck/Online/Offline"
                trustedStoreLocation="LocalMachine/CurrentUser" />

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute | Description
customCertificateValidatorType | String. The type name and assembly of a class that validates the service certificate. Required when certificateValidationMode is set to Custom.
certificateValidationMode | Specifies one of five modes used to validate the service certificate: None, PeerTrust, ChainTrust, PeerOrChainTrust, or Custom. If set to Custom, customCertificateValidatorType must also be supplied. The default is ChainTrust.
revocationMode | One of the modes used to check the certificate against a certificate revocation list (CRL): NoCheck, Online, or Offline. The default is Online.
trustedStoreLocation | One of the two system store locations: LocalMachine or CurrentUser. This value is used when a service certificate is negotiated to the client. Peer-trust validation (the PeerTrust and PeerOrChainTrust modes) is performed against the Trusted People store in the specified store location. The default is CurrentUser.

customCertificateValidatorType Attribute

Value | Description
String | Specifies the type name and assembly, and any other data needed to locate the type, of the validator class that is loaded when certificateValidationMode is Custom. The format is the usual assembly-qualified type name, for example "Namespace.TypeName, AssemblyName".

certificateValidationMode Attribute

Value | Description
Enumeration | One of the following values: None (no validation is performed and any certificate is accepted), PeerTrust (the certificate itself must be present in the Trusted People store), ChainTrust (the certificate must chain to a trusted root certification authority), PeerOrChainTrust (either of the two preceding conditions is sufficient), Custom (validation is delegated to the type named in customCertificateValidatorType).

For more information, see Working with Certificates.

revocationMode Attribute

Value | Description
Enumeration | One of the following values: NoCheck (no revocation check is performed), Online (revocation is checked against a CRL retrieved from the issuing authority at validation time), Offline (revocation is checked against a locally cached CRL).

For more information, see Working with Certificates.

trustedStoreLocation Attribute

Value | Description
Enumeration | One of the following values: LocalMachine or CurrentUser. The default is CurrentUser. If the client application runs under a system account (for example, as a Windows service), the certificate is typically in LocalMachine. If the client application runs under a user account, the certificate is typically in CurrentUser.

Child Elements

None.

Parent Elements

Element | Description
<serviceCertificate> | Specifies a certificate to use when authenticating a service to the client.

Remarks

The certificateValidationMode attribute of this configuration element specifies the level of trust used to authenticate certificates. By default, the level is set to ChainTrust, which requires each certificate to be found in a hierarchy of certificates ending in a trusted certification authority at the top of the chain. This is the most secure of the built-in modes.

You can also set the value to PeerOrChainTrust, which accepts self-issued certificates (peer trust, that is, certificates placed in the Trusted People store) as well as certificates that are in a trusted chain. This value is useful when developing and debugging clients and services, because self-issued certificates need not be purchased from a trusted authority. When deploying a client, use the ChainTrust value instead: under PeerOrChainTrust, any certificate that can be written into the Trusted People store is sufficient to impersonate the service.

You can also set the value to Custom or None. None disables certificate validation entirely; any certificate the service presents is accepted, so the client can no longer distinguish the real service from an attacker in the path of the connection. Do not use None outside isolated testing. To use the Custom value, you must also set the customCertificateValidatorType attribute to the assembly and type used to validate the certificate. A custom validator replaces the built-in checks rather than supplementing them, so it is responsible for whatever chain, revocation, and pinning logic the client needs. To create your own custom validator, inherit from the abstract X509CertificateValidator class and override its Validate method. For more information, see How to: Create a Service that Employs a Custom Certificate Validator.

The revocationMode attribute specifies how certificates are checked for revocation. The default is Online, which indicates that certificates are checked automatically for revocation against a CRL retrieved from the issuing authority. Offline uses a cached CRL and therefore cannot detect a certificate revoked after the cache was last refreshed. NoCheck disables revocation checking altogether and should not be used in production, because a service certificate whose key was compromised and which the CA has since revoked would still be accepted. For more information, see Working with Certificates.
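The Custom mode and the revocation behaviour described in the two preceding paragraphs, as an added example that is not part of the original page or of WCF itself: a C# X509CertificateValidator that pins the service certificate to an expected thumbprint and then rebuilds the chain with online revocation checking, because a custom validator replaces the ChainTrust and revocationMode checks rather than running alongside them. The namespace Contoso.Security, the class PinnedChainValidator, the assembly name, the thumbprint value and the ClientBase<T> proxy are assumptions made for the illustration; the WCF types and properties used are real.

```csharp
// Added example, not from the original page. A custom validator that WCF loads
// when the client configuration contains:
//
//   <authentication certificateValidationMode="Custom"
//                   customCertificateValidatorType="Contoso.Security.PinnedChainValidator, Contoso.Security" />
//
// Namespace, class name, assembly name and the thumbprint below are hypothetical.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace Contoso.Security
{
    public sealed class PinnedChainValidator : X509CertificateValidator
    {
        // Hypothetical SHA-1 thumbprint of the service certificate the client expects.
        // In a real deployment this is read from configuration, not hard-coded.
        private const string ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

        // WCF calls this when it validates the service certificate. With
        // certificateValidationMode="Custom" nothing else validates the certificate:
        // if this method returns without throwing, the certificate is trusted.
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException(nameof(certificate));

            // 1. Pinning: the presented certificate must be exactly the expected one.
            if (!string.Equals(certificate.Thumbprint, ExpectedThumbprint,
                               StringComparison.OrdinalIgnoreCase))
            {
                throw new SecurityTokenValidationException(
                    $"Service certificate thumbprint {certificate.Thumbprint} is not the pinned value.");
            }

            // 2. Chain and revocation: reproduce what ChainTrust + revocationMode="Online"
            //    would have done, since the custom validator has replaced both.
            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                if (!chain.Build(certificate))
                {
                    string status = string.Join("; ",
                        Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
                    throw new SecurityTokenValidationException(
                        "Service certificate failed chain validation: " + status);
                }
            }
        }
    }

    // Programmatic equivalent of the <authentication> element for a generated
    // ClientBase<T> proxy (hypothetical). Configure either in XML or in code, not both.
    public static class ClientSetup
    {
        public static void HardenServiceCertificateAuthentication<T>(ClientBase<T> client)
            where T : class
        {
            var auth = client.ClientCredentials.ServiceCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            auth.CustomCertificateValidator = new PinnedChainValidator();

            // Without a custom validator, the hardened built-in choice is:
            //   auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            //   auth.RevocationMode = X509RevocationMode.Online;
            // Never ship X509CertificateValidationMode.None or X509RevocationMode.NoCheck.
        }
    }
}
```

The thumbprint comparison is done before the chain is built so that an attacker-controlled certificate never reaches the (comparatively expensive and network-dependent) revocation lookup, and a pinning failure cannot be masked by a CRL retrieval error. Rotating the service certificate requires updating the pinned thumbprint on every client, which is the operational cost of pinning that ChainTrust alone does not carry.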

Example

The following example does two tasks. First, it specifies a service certificate for the client to use when communicating with endpoints whose domain name is www.contoso.com over the HTTP protocol. Second, it specifies the revocation mode and store location used during authentication.

<serviceCertificate>
  <defaultCertificate findValue="www.contoso.com"
                      storeLocation="LocalMachine"
                      storeName="TrustedPeople"
                      x509FindType="FindByIssuerDistinguishedName" />
  <scopedCertificates>
     <add targetUri="http://www.contoso.com"
          findValue="www.contoso.com"
          storeLocation="LocalMachine"
          storeName="Root"
          x509FindType="FindByIssuerName" />
  </scopedCertificates>
  <authentication revocationMode="Online"
                  trustedStoreLocation="LocalMachine" />
</serviceCertificate>

See also