How to: Configure a Port with an SSL Certificate

When creating a self-hosted Windows Communication Foundation (WCF) service with the WSHttpBinding class that uses transport security, you must also configure a port with an X.509 certificate, because HTTP.SYS, not the WCF service itself, terminates the TLS connection for a self-hosted HTTP listener. If you are not creating a self-hosted service, you can host your service on Internet Information Services (IIS), which manages the certificate binding for you. For more information, see HTTP Transport Security.

The tool you use to configure a port depends on the operating system running on your machine.

If you are running Windows Server 2003 or Windows XP, use the HttpCfg.exe tool. On Windows Server 2003 the tool is installed by default. On Windows XP you can download it as part of the Windows XP Service Pack 2 Support Tools. For more information, see Httpcfg Overview. The Windows Support Tools documentation explains the syntax of the HttpCfg.exe tool.

If you are running Windows Vista or a later version of Windows, use the Netsh.exe tool, which is already installed.

This topic describes how to accomplish several procedures:

  • Determining a computer's current port configuration.

  • Getting a certificate's thumbprint (necessary for the following two procedures).

  • Binding an SSL certificate to a port configuration.

  • Binding an SSL certificate to a port configuration and supporting client certificates.

  • Deleting an SSL certificate from a port number.

Note that modifying certificates stored on the computer, and adding or removing SSL port bindings, requires administrative privileges.

To determine how ports are configured

  1. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool with the query and ssl switches to view the current port configuration, as shown in the following example.

    httpcfg query ssl

  2. In Windows Vista or later, use the Netsh.exe tool to view the current port configuration, as shown in the following example.

    netsh http show sslcert
    

To get a certificate's thumbprint

  1. Use the Certificates MMC snap-in to find an X.509 certificate that has a private key and whose intended purpose includes server authentication; this is the certificate the service presents to clients, so it must be in the Local Computer store that HTTP.SYS reads. For more information, see How to: View Certificates with the MMC Snap-in.

  2. Access the certificate's thumbprint. For more information, see How to: Retrieve the Thumbprint of a Certificate.

  3. Copy the thumbprint of the certificate into a text editor, such as Notepad.

  4. Remove all spaces between the hexadecimal characters. One way to accomplish this is to use the text editor's find-and-replace feature to replace each space with an empty string. A thumbprint copied from the MMC snap-in can also carry an invisible leading character; if HttpCfg.exe or Netsh.exe rejects the hash, delete and retype the first digit. The result must be exactly 40 hexadecimal digits (a SHA-1 hash).
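The following PowerShell script automates the four steps above. It is an added example, not code from the original page: it selects the certificate from the LocalMachine\My store by subject name (the subject `contoso.com` is an assumption, matching the C# example later on this page), refuses certificates that HTTP.SYS could not use (no private key, expired, or an Enhanced Key Usage that excludes Server Authentication), and emits the thumbprint without spaces or stray invisible characters, ready for `httpcfg set ssl -h` or `netsh http add sslcert certhash=`.

```powershell
# Added example (not from the original page): find the server certificate in the
# LocalMachine\My store, check it is usable for TLS, and print a thumbprint in the
# form HttpCfg.exe/Netsh.exe expect. 'contoso.com' is an assumed subject name.
param([string]$SubjectName = 'contoso.com')

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtensionOid = '2.5.29.37'           # Enhanced Key Usage extension

function ConvertTo-HttpSysThumbprint([string]$Raw) {
    # Thumbprints copied from the MMC snap-in are space-separated hex and may carry an
    # invisible left-to-right mark (U+200E) at the start; strip both, then upper-case.
    $clean = ($Raw -replace '[\s\u200E\u200F]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint (need 40 hex digits): '$Raw'"
    }
    return $clean
}

function Test-ServerAuthCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns $null when the certificate is usable, otherwise a reason string.
    if (-not $Cert.HasPrivateKey) { return 'no private key (HTTP.SYS cannot terminate TLS with it)' }
    if ($Cert.NotAfter -lt (Get-Date)) { return "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt (Get-Date)) { return "not valid until $($Cert.NotBefore)" }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    if ($eku) {
        $ok = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }
        if (-not $ok) { return 'Enhanced Key Usage does not include Server Authentication' }
    }
    # No EKU extension means the certificate is not restricted to a purpose.
    return $null
}

# Newest certificate first, so a renewed certificate wins over the one it replaced.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SubjectName))(,|$)" } |
    Sort-Object NotAfter -Descending

if (-not $candidates) { throw "No certificate with CN=$SubjectName in LocalMachine\My" }

$selected = $null
foreach ($c in $candidates) {
    $problem = Test-ServerAuthCertificate $c
    if ($problem) {
        Write-Warning "Skipping $($c.Thumbprint): $problem"
        continue
    }
    $selected = $c
    break
}
if (-not $selected) { throw "No usable server-authentication certificate for CN=$SubjectName" }

# Emit the thumbprint with no spaces, ready for 'httpcfg set ssl -h' or 'netsh ... certhash='.
ConvertTo-HttpSysThumbprint $selected.Thumbprint
```

Run it from an elevated PowerShell prompt (the Local Computer store requires administrative rights to enumerate private keys). The checks matter in practice: binding a certificate without a private key succeeds at the netsh level but every TLS handshake then fails, and a certificate restricted to Client Authentication is rejected by browsers and by WCF clients that validate the server chain.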

To bind an SSL certificate to a port number

  1. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool in "set" mode on the Secure Sockets Layer (SSL) store to bind the certificate to a port number. The tool identifies the certificate by its thumbprint, as shown in the following example (the thumbprint shown is a placeholder; a real SHA-1 thumbprint is 40 hexadecimal digits).

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

    • The -i switch takes IP:port and instructs the tool to bind the certificate to port 8012 on every IP address of the computer. The 0.0.0.0 before the port number can be replaced by a specific IP address of the computer to limit the binding to that address.

    • The -h switch specifies the thumbprint of the certificate.

  2. In Windows Vista or later, use the Netsh.exe tool, as shown in the following example.

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF}

    • The certhash parameter specifies the thumbprint of the certificate.

    • The ipport parameter specifies the IP address and port, and works like the -i switch of HttpCfg.exe described above.

    • The appid parameter is a GUID that identifies the owning application. Netsh.exe accepts any GUID, but using one that identifies your application makes the binding easy to recognise and remove later.

To bind an SSL certificate to a port number and support client certificates

  1. In Windows Server 2003 or Windows XP, to support clients that authenticate with X.509 certificates at the transport layer, follow the preceding procedure but pass an additional command-line parameter to HttpCfg.exe, as shown in the following example.

    httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6 -f 2

    The -f switch takes a number n between 1 and 7; n is a bitwise combination of flags, where 1 maps client certificates to Windows accounts and 2 negotiates a client certificate at the transport layer. A value of 2, as shown in the preceding example, enables client certificates at the transport layer. A value of 3 (1 + 2) enables client certificates and maps those certificates to a Windows account. See HttpCfg.exe Help for the behavior of the remaining flag value.

  2. In Windows Vista or later, to support clients that authenticate with X.509 certificates at the transport layer, follow the preceding procedure but add the clientcertnegotiation parameter, as shown in the following example. (The Netsh.exe counterpart of mapping client certificates to Windows accounts is the separate dsmapperusage=enable parameter.)

    netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable
    

To delete an SSL certificate from a port number

  1. Use the HttpCfg.exe or Netsh.exe tool to list the ports and thumbprints of all bindings on the computer. To save the listing to a file, use the redirection character ">", as shown in the following example.

    httpcfg query ssl>myMachinePorts.txt

  2. In Windows Server 2003 or Windows XP, use the HttpCfg.exe tool with the delete and ssl keywords. Use the -i switch to specify the IP:port and the -h switch to specify the thumbprint.

    httpcfg delete ssl -i 0.0.0.0:8005 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6

  3. In Windows Vista or later, use the Netsh.exe tool, as shown in the following example. Only the ipport is needed; the binding, not the certificate, is removed, and the certificate stays in the store.

    netsh http delete sslcert ipport=0.0.0.0:8005
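The three Netsh.exe procedures above (bind, bind with client-certificate negotiation, delete) are combined in the following PowerShell script. It is an added example and not part of the original page; the thumbprint, IP:port and appid defaults are the placeholders from this page and must be replaced with real values (the placeholder thumbprint is not even 40 digits, which the script rejects). What the script adds over the bare commands is verification: after `add sslcert` it reads the binding back with `netsh http show sslcert ipport=...` and checks that HTTP.SYS recorded the expected hash and, when requested, client-certificate negotiation, rather than trusting the exit code alone.

```powershell
# Added example (not from the original page): add an SSL binding with Netsh.exe, verify
# it, and (with -Remove) delete it. Default values are placeholders taken from this page;
# replace them with a real 40-hex-digit thumbprint, your port and your application GUID.
# Run from an elevated prompt; netsh refuses the change otherwise.
param(
    [string]$Thumbprint = '0000000000003ED9CD0C315BBB6DC1C08DA5E6',
    [string]$IpPort     = '0.0.0.0:8000',
    [string]$AppId      = '{00112233-4455-6677-8899-AABBCCDDEEFF}',
    [switch]$RequireClientCert,
    [switch]$Remove
)

function Get-SslBinding([string]$Target) {
    # netsh prints the binding for one ipport, or an error and a non-zero exit code.
    $out = (& netsh http show sslcert ipport=$Target 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'Certificate Hash') { return $null }
    return $out
}

if ($Remove) {
    & netsh http delete sslcert ipport=$IpPort
    if ($LASTEXITCODE -ne 0) { throw "delete sslcert failed (exit $LASTEXITCODE)" }
    if (Get-SslBinding $IpPort) { throw "Binding on $IpPort still present after delete" }
    Write-Output "Removed binding on $IpPort"
    return
}

# HTTP.SYS identifies the certificate by SHA-1 thumbprint: exactly 40 hex digits.
if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') { throw 'certhash must be 40 hexadecimal digits' }

if (Get-SslBinding $IpPort) {
    throw "$IpPort already has a binding; run with -Remove first or choose another port"
}

$netshArgs = @('http', 'add', 'sslcert', "ipport=$IpPort", "certhash=$Thumbprint", "appid=$AppId")
if ($RequireClientCert) {
    # Equivalent of 'httpcfg set ssl ... -f 2': ask connecting clients for an X.509 certificate.
    $netshArgs += 'clientcertnegotiation=enable'
}
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "add sslcert failed (exit $LASTEXITCODE)" }

# Verify what HTTP.SYS actually recorded ('-match' is case-insensitive, so hash case is irrelevant).
$binding = Get-SslBinding $IpPort
if (-not $binding) { throw "No binding found on $IpPort after add" }
if ($binding -notmatch [regex]::Escape($Thumbprint)) {
    throw "Binding on $IpPort carries a different certificate hash"
}
if ($RequireClientCert -and $binding -notmatch 'Negotiate Client Certificate\s*:\s*Enabled') {
    throw "Client certificate negotiation is not enabled on $IpPort"
}
Write-Output "Bound $Thumbprint to $IpPort (appid $AppId)"
```

Saved as, say, Bind-SslCert.ps1 (an assumed file name), `.\Bind-SslCert.ps1 -Thumbprint <hash> -IpPort 0.0.0.0:8000` binds, `-RequireClientCert` adds client-certificate negotiation for the WCF example later on this page, and `-Remove -IpPort 0.0.0.0:8000` deletes the binding. The read-back check catches the two mistakes that the commands alone hide: a binding left over from an earlier run on the same port, and a certificate that was bound without client-certificate negotiation when the service expects transport-level client certificates.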

Example

The following code shows how to create a self-hosted service using the WSHttpBinding class set to transport security. When creating the application, specify in the address the port number to which the certificate was bound; with transport security the base address must use the https scheme, and the certificate that terminates TLS is the one bound to the port by HttpCfg.exe or Netsh.exe.

using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// This string uses a function to prepend the computer name at run time.
// Transport security requires an https base address, and the port (8080 here)
// must be the one to which the certificate was bound with HttpCfg.exe or Netsh.exe.
string addressHttp = String.Format(
    "https://{0}:8080/Calculator",
    System.Net.Dns.GetHostEntry("").HostName);

WSHttpBinding b = new WSHttpBinding();
b.Security.Mode = SecurityMode.Transport;
// Clients must present an X.509 certificate at the transport layer; the port
// binding therefore needs client certificate negotiation enabled (httpcfg -f 2
// or netsh clientcertnegotiation=enable).
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

// You must create an array of URI objects to have a base address.
Uri a = new Uri(addressHttp);
Uri[] baseAddresses = new Uri[] { a };

// Create the ServiceHost. The service type (Calculator) is not
// shown here.
ServiceHost sh = new ServiceHost(typeof(Calculator), baseAddresses);

// Add an endpoint to the service, then select the service certificate from the
// local machine store by subject name ("contoso.com" is a placeholder; use the
// subject of a certificate found on your computer).
Type c = typeof(ICalculator);
sh.AddServiceEndpoint(c, b, "MyCalculator");
sh.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "contoso.com");

// This next line is optional. It specifies that the client's certificate
// does not have to be issued by a trusted authority, but can be issued
// by a peer if it is in the Trusted People store. Do not use this setting
// for production code. The default is ChainTrust, which requires that
// the certificate chain to a trusted certificate authority.

// sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
// X509CertificateValidationMode.PeerOrChainTrust;
try
{
    sh.Open();

    string address = sh.Description.Endpoints[0].ListenUri.AbsoluteUri;
    Console.WriteLine("Listening @ {0}", address);
    Console.WriteLine("Press enter to close the service");
    Console.ReadLine();
    sh.Close();
}
catch (CommunicationException ce)
{
    Console.WriteLine("A communication error occurred: {0}", ce.Message);
    Console.WriteLine();
}
catch (System.Exception exc)
{
    Console.WriteLine("An unforeseen error occurred: {0}", exc.Message);
    Console.ReadLine();
}

Imports System
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel
Imports System.ServiceModel.Security

' This string uses a function to prepend the computer name at run time.
' Transport security requires an https base address, and the port (8080 here)
' must be the one to which the certificate was bound with HttpCfg.exe or Netsh.exe.
Dim addressHttp As String = String.Format("https://{0}:8080/Calculator", _
System.Net.Dns.GetHostEntry("").HostName)

Dim b As New WSHttpBinding()
b.Security.Mode = SecurityMode.Transport
' Clients must present an X.509 certificate at the transport layer; the port
' binding therefore needs client certificate negotiation enabled (httpcfg -f 2
' or netsh clientcertnegotiation=enable).
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate

' You must create an array of URI objects to have a base address.
Dim a As New Uri(addressHttp)
Dim baseAddresses() As Uri = {a}

' Create the ServiceHost. The service type (Calculator) is not
' shown here.
Dim sh As New ServiceHost(GetType(Calculator), baseAddresses)

' Add an endpoint to the service, then select the service certificate from the
' local machine store by subject name ("contoso.com" is a placeholder; use the
' subject of a certificate found on your computer).
Dim c As Type = GetType(ICalculator)
sh.AddServiceEndpoint(c, b, "MyCalculator")
sh.Credentials.ServiceCertificate.SetCertificate( _
                StoreLocation.LocalMachine, _
                StoreName.My, _
                X509FindType.FindBySubjectName, _
                "contoso.com")

' This next line is optional. It specifies that the client's certificate
' does not have to be issued by a trusted authority, but can be issued
' by a peer if it is in the Trusted People store. Do not use this setting
' for production code. The default is ChainTrust, which requires that
' the certificate chain to a trusted certificate authority.
' sh.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
' X509CertificateValidationMode.PeerOrChainTrust
Try
    sh.Open()

    Dim address As String = sh.Description.Endpoints(0).ListenUri.AbsoluteUri
    Console.WriteLine("Listening @ {0}", address)
    Console.WriteLine("Press enter to close the service")
    Console.ReadLine()
    sh.Close()
Catch ce As CommunicationException
    Console.WriteLine("A communication error occurred: {0}", ce.Message)
    Console.WriteLine()
Catch exc As System.Exception
    Console.WriteLine("An unforeseen error occurred: {0}", exc.Message)
    Console.ReadLine()
End Try

See also