How to: Create Temporary Certificates for Use During Development

When developing a secure service or client using Windows Communication Foundation (WCF), it is often necessary to supply an X.509 certificate to be used as a credential. The certificate is typically part of a chain whose root authority is found in the Trusted Root Certification Authorities store of the computer. A certificate chain lets you scope a set of certificates, and the root authority is usually operated by your organization or business unit. To emulate this at development time, you can create two certificates that satisfy the security requirements: a self-signed certificate that is placed in the Trusted Root Certification Authorities store, and a second certificate that is issued (signed) by the first and placed in the Personal store of either the Local Machine location or the Current User location. This topic walks through creating both certificates with the Certificate Creation Tool (MakeCert.exe), which is provided by the .NET Framework SDK.

Important

The certificates that the Certificate Creation Tool generates are provided for testing purposes only. When deploying a service or client, be sure to use an appropriate certificate provided by a certification authority. This could be either a Windows Server 2003 certificate server in your organization or a third-party certification authority.

By default, MakeCert.exe creates certificates whose issuer is a built-in test root called "Root Agency". Because "Root Agency" is not in the Trusted Root Certification Authorities store, certificates it issues do not chain to a trusted root and fail validation. Do not work around this by trusting "Root Agency" itself: its private key ships inside MakeCert.exe, so anyone with the tool can issue certificates under it. Instead, create your own self-signed root certificate, place it in the Trusted Root Certification Authorities store, and issue your development certificates from it. This gives you a development environment that more closely simulates your deployment environment.

For more information about creating and using certificates, see Working with Certificates. For more information about using a certificate as a credential, see Securing Services and Clients. For a tutorial about using Microsoft Authenticode technology, see Authenticode Overviews and Tutorials.

To create a self-signed root authority certificate and export the private key

  1. Use the MakeCert.exe tool with the following switches:

    1. -n subjectName. Specifies the subject name. The convention is to prefix the subject name with "CN=" for "Common Name".

    2. -r. Specifies that the certificate is self-signed.

    3. -sv privateKeyFile. Specifies the file that will contain the private key container.

    For example, the following command creates a self-signed certificate with a subject name of "CN=TempCA", writing the certificate to TempCA.cer and the private key to TempCA.pvk.

    makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer  
    

    You will be prompted for a password to protect the private key. This password is required whenever you create a certificate signed by this root certificate. Anyone who holds TempCA.pvk and the password can issue certificates that your development machines will trust once the root is installed, so keep the .pvk file out of source control and shared folders.

To create a new certificate signed by a root authority certificate

  1. Use the MakeCert.exe tool with the following switches:

    1. -sk subjectKey. The name of the subject's key container that holds the private key. If the key container does not exist, one is created. If neither -sk nor -sv is used, a key container called JoeSoft is created by default.

    2. -n subjectName. Specifies the subject name. The convention is to prefix the subject name with "CN=" for "Common Name".

    3. -iv issuerKeyFile. Specifies the issuer's private key file.

    4. -ic issuerCertFile. Specifies the location of the issuer's certificate.

    For example, the following command creates a certificate with a subject name of "CN=SignedByCA" that is signed by the TempCA root authority certificate, using the issuer's private key from TempCA.pvk (you are prompted for the password chosen above). The additional -sr currentuser and -ss My switches install the new certificate into the Personal (My) store of the current user, which is where the WCF configuration later in this topic looks for it.

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My  
    

Installing a Certificate in the Trusted Root Certification Authorities Store

Once the self-signed certificate is created, you can install it in the Trusted Root Certification Authorities store. From that point on, every certificate signed with it is trusted by the computer (or only by the current user, depending on which store location you chose). For this reason, delete the certificate from the store as soon as you no longer need it; once the root authority certificate is deleted, all other certificates signed with it are no longer trusted. Root authority certificates are simply a mechanism for scoping a group of certificates as necessary. For example, in peer-to-peer applications there is typically no need for a root authority, because you trust the identity of an individual directly by the certificate it supplies.

To install a self-signed certificate in the Trusted Root Certification Authorities store

  1. Open the Certificates snap-in. For more information, see How to: View Certificates with the MMC Snap-in.

  2. Open the folder for the store location in which to install the certificate, either Local Computer or Current User.

  3. Open the Trusted Root Certification Authorities folder.

  4. Right-click the Certificates folder, click All Tasks, and then click Import.

  5. Follow the on-screen wizard instructions to import TempCA.cer into the store.
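The two MakeCert procedures above and the import into the Trusted Root store, run end to end from PowerShell as an added example (this script is not part of the original topic). It assumes makecert.exe is on the PATH, that the Import-Certificate cmdlet (PKI module, Windows 8 / Windows Server 2012 and later) is available, and that you work in the Current User stores, which need no elevation. The Test-ChainToRoot helper is written here for the example; it builds the chain the same way .NET and WCF do, so you can see that SignedByCA is rejected as UntrustedRoot until TempCA has been imported.

```powershell
# Added example: not from the original topic. Assumes makecert.exe is on PATH
# and the PKI module (Import-Certificate) is available.
$ErrorActionPreference = 'Stop'

# First procedure: self-signed root. You are prompted for the password
# that protects TempCA.pvk.
makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

# Second procedure: leaf signed by the root, installed into the
# Personal (My) store of the current user.
makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

function Test-ChainToRoot {
    # Builds the chain for a certificate file and reports whether it ends
    # at a root in a Trusted Root Certification Authorities store.
    param(
        [string]$CertPath,
        [string]$IssuerPath
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $CertPath).Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # The temporary root publishes no CRL, so skip revocation checking;
    # otherwise RevocationStatusUnknown would cloud the result.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    # ExtraStore lets the engine locate TempCA to build the chain without
    # trusting it. Without this the issuer cannot be found at all and the
    # status would be PartialChain rather than UntrustedRoot.
    if ($IssuerPath) {
        $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $IssuerPath).Path
        [void]$chain.ChainPolicy.ExtraStore.Add($issuer)
    }

    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Before the import: the chain reaches TempCA, but TempCA is in no Trusted
# Root store, so Build() fails and the status flag is UntrustedRoot.
Test-ChainToRoot -CertPath .\SignedByCA.cer -IssuerPath .\TempCA.cer

# Equivalent of the MMC import wizard (steps 1-5 above) for the current user.
# Windows asks for confirmation before adding a root to this store.
Import-Certificate -FilePath .\TempCA.cer -CertStoreLocation Cert:\CurrentUser\Root

# After the import: Build() succeeds and ChainStatus is empty.
Test-ChainToRoot -CertPath .\SignedByCA.cer -IssuerPath .\TempCA.cer
```

If the service runs under a different account (for example as a Windows service), import the root into Cert:\LocalMachine\Root from an elevated session instead; the chain check is then the same.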

Using Certificates With WCF

Once you have set up the temporary certificates, you can use them to develop WCF solutions that specify certificates as the client credential type. For example, the following XML configuration specifies message security and a certificate as the client credential type.

To specify a certificate as the client credential type

  • In the configuration file for the service, use the following XML to set the security mode to message and the client credential type to certificate. The wsHttpBinding defaults to message security, so only the client credential type needs to be set explicitly.

    <bindings>       
      <wsHttpBinding>  
        <binding name="CertificateForClient">  
          <security>  
            <message clientCredentialType="Certificate" />  
          </security>  
        </binding>  
      </wsHttpBinding>  
    </bindings>  
    

In the configuration file for the client, use the following XML to specify that the certificate is in the user's Personal store (the defaults for the element are storeLocation="CurrentUser" and storeName="My") and is located by searching the Subject field for the value "CohoWinery".

<behaviors>  
  <endpointBehaviors>  
    <behavior name="CertForClient">  
      <clientCredentials>  
        <clientCertificate findValue="CohoWinery" x509FindType="FindBySubjectName" />  
       </clientCredentials>  
     </behavior>  
   </endpointBehaviors>  
</behaviors>  
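The lookup that the client configuration above performs, reproduced from PowerShell as an added example (not code from the original topic) to show a pitfall of FindBySubjectName: it is a case-insensitive substring match on the Subject field, so a find value of "CohoWinery" also matches a certificate named CohoWineryTest, and WCF then fails at runtime with an error asking for a more specific find value rather than picking one. The two leaf certificates are created here purely as sample input; makecert.exe is assumed to be on the PATH and TempCA.pvk / TempCA.cer to exist from the earlier procedure. The Find-ClientCertificate helper is written for this example.

```powershell
# Added example: not from the original topic. Sample input only: two leaf
# certificates issued by the TempCA root from the earlier procedure
# (TempCA.pvk and TempCA.cer must exist; makecert.exe must be on PATH).
$ErrorActionPreference = 'Stop'

makecert -sk CohoWinery -iv TempCA.pvk -n "CN=CohoWinery" -ic TempCA.cer CohoWinery.cer -sr currentuser -ss My
makecert -sk CohoWineryTest -iv TempCA.pvk -n "CN=CohoWineryTest" -ic TempCA.cer CohoWineryTest.cer -sr currentuser -ss My

function Find-ClientCertificate {
    # Performs the same lookup as the <clientCertificate> element: X509Store.Find
    # against the store WCF uses by default (storeLocation="CurrentUser",
    # storeName="My"). Returns the subject of every matching certificate.
    param(
        [System.Security.Cryptography.X509Certificates.X509FindType]$FindType,
        [string]$FindValue
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        # validOnly = $false: return the temporary certificates even before
        # TempCA has been imported into the Trusted Root store.
        $found = $store.Certificates.Find($FindType, $FindValue, $false)
        return @($found | ForEach-Object { $_.Subject })
    }
    finally {
        $store.Close()
    }
}

# What the page's configuration does: substring match on the Subject field,
# so both CN=CohoWinery and CN=CohoWineryTest are returned. WCF does not pick
# one of them; it throws because the search criteria are ambiguous.
Find-ClientCertificate -FindType FindBySubjectName -FindValue 'CohoWinery'

# Exact match on the full distinguished name: only CN=CohoWinery is returned.
Find-ClientCertificate -FindType FindBySubjectDistinguishedName -FindValue 'CN=CohoWinery'

# The unambiguous form of the client configuration:
#   <clientCertificate findValue="CN=CohoWinery"
#                      x509FindType="FindBySubjectDistinguishedName"
#                      storeLocation="CurrentUser" storeName="My" />
```

FindByThumbprint is stricter still and is the usual choice once you know which certificate was deployed; for temporary development certificates, which are recreated often, matching on the distinguished name avoids editing the configuration every time the certificate is regenerated.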

For more information about using certificates in WCF, see Working with Certificates.

.NET Framework Security

Be sure to delete any temporary root authority certificates from the Trusted Root Certification Authorities and Personal folders by right-clicking the certificate and then clicking Delete. Check both the Current User and the Local Computer locations, since the root may have been imported into either, and delete the certificates that were issued by the temporary root as well.
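An added example (not from the original topic) of the cleanup this section asks for, done from PowerShell. It identifies the root by thumbprint rather than by subject name, so an unrelated certificate that happens to be called TempCA is left alone, and it also removes the certificates that root issued from the Personal stores. It assumes TempCA.cer still exists on disk; the Local Computer stores are only touched when the session is elevated. The Remove-TemporaryRoot helper is written for this example and supports -WhatIf so you can preview what it would delete.

```powershell
# Added example: not from the original topic. Assumes TempCA.cer is the
# root created earlier in this topic.
$ErrorActionPreference = 'Stop'

function Remove-TemporaryRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$RootCertPath)

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Resolve-Path $RootCertPath).Path

    # LocalMachine stores can only be modified from an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $stores = @('Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My')
    if ($isAdmin) {
        $stores += 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My'
    } else {
        Write-Warning 'Not elevated: LocalMachine stores were not checked.'
    }

    foreach ($storePath in $stores) {
        # The root itself is matched by thumbprint; certificates it issued are
        # matched by issuer DN (anything chaining to CN=TempCA is development-only).
        Get-ChildItem $storePath | Where-Object {
            $_.Thumbprint -eq $root.Thumbprint -or $_.Issuer -eq $root.Subject
        } | ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$storePath\$($_.Thumbprint) ($($_.Subject))", 'Remove')) {
                Remove-Item -Path $_.PSPath
            }
        }
    }
}

# Preview first, then remove.
Remove-TemporaryRoot -RootCertPath .\TempCA.cer -WhatIf
Remove-TemporaryRoot -RootCertPath .\TempCA.cer
```

After the removal, the chain check from the earlier procedure reports UntrustedRoot again for anything signed by TempCA, which is the expected end state for a development machine. Delete TempCA.pvk as well, or keep it only where the next development cycle can use it safely.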

See Also

Working with Certificates
How to: View Certificates with the MMC Snap-in
Securing Services and Clients