Share certificates between apps

Universal Windows Platform (UWP) apps that require secure authentication beyond a user ID and password combination can use certificates for authentication. Certificate authentication provides a high level of trust when authenticating a user. In some cases, a group of services will want to authenticate a user for multiple apps. This article shows how you can authenticate multiple apps using the same certificate, and how you can provide convenient code for a user to import a certificate that was provided to access secured web services.

Apps can authenticate to a web service using a certificate, and multiple apps can use a single certificate from the certificate store to authenticate the same user. If a certificate does not exist in the store, you can add code to your app to import a certificate from a PFX file.

Enable Microsoft Internet Information Services (IIS) and client certificate mapping

This article uses Microsoft Internet Information Services (IIS) for example purposes. IIS is not enabled by default. You can enable IIS by using the Control Panel.

  1. Open the Control Panel and select Programs.
  2. Select Turn Windows features on or off.
  3. Expand Internet Information Services and then expand World Wide Web Services. Expand Application Development Features and select ASP.NET 3.5 and ASP.NET 4.5. Making these selections will automatically enable Internet Information Services.
  4. Click OK to apply the changes.

Create and publish a secured web service

  1. Run Microsoft Visual Studio as administrator and select New Project from the start page. Administrator access is required to publish a web service to an IIS server. In the New Project dialog, change the framework to .NET Framework 3.5. Select Visual C# -> Web -> Visual Studio -> ASP.NET Web Service Application. Name the application "FirstContosoBank". Click OK to create the project.

  2. In the Service1.asmx.cs file, replace the default HelloWorld web method with the following "Login" method.

            [WebMethod]
            public string Login()
            {
                // IIS has already required a client certificate for this request (see the
                // SSL Settings step below); wrap the raw bytes so the chain can be checked.
                var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(
                    this.Context.Request.ClientCertificate.Certificate);
                // Verify() builds the chain to a trusted CA; it does not check who the subject is.
                bool test = cert.Verify();
                return test.ToString();
            }
    
  3. Save the Service1.asmx.cs file.

  4. In the Solution Explorer, right-click the "FirstContosoBank" app and select Publish.

  5. In the Publish Web dialog, create a new profile and name it "ContosoProfile". Click Next.

  6. On the next page, enter the server name for your IIS server, and specify a site name of "Default Web Site/FirstContosoBank". Click Publish to publish your web service.
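The `Login` method in step 2 reports only whether `Verify()` succeeded, which proves that a trusted CA issued the certificate but not that this particular certificate belongs to a user the service recognises. The following is an added example, not code from the original article, of a stricter `Login` for the same `Service1.asmx.cs`: it checks that a certificate was actually presented, builds the chain with revocation checking, and then maps the certificate thumbprint against an allowlist. The `AllowedThumbprints` value is a constructed placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web.Services;

public class Service1 : WebService
{
    // Constructed placeholder: replace with the thumbprints of the client
    // certificates this service is willing to log in.
    private static readonly string[] AllowedThumbprints =
    {
        "0000000000000000000000000000000000000000"
    };

    [WebMethod]
    public string Login()
    {
        var clientCert = this.Context.Request.ClientCertificate;
        if (!clientCert.IsPresent)
        {
            // IIS rejects these when "Require" is set; check anyway in case the binding changes.
            return "no client certificate presented";
        }

        var cert = new X509Certificate2(clientCert.Certificate);

        // Build the chain explicitly so revocation is checked and the failure
        // reason is available, instead of the bare true/false from Verify().
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
        {
            string reason = chain.ChainStatus.Length > 0
                ? chain.ChainStatus[0].StatusInformation
                : "unknown";
            return "chain validation failed: " + reason;
        }

        // A valid chain only says a trusted CA issued the certificate. Bind the
        // identity to something the service controls: the certificate thumbprint.
        string thumbprint = cert.Thumbprint ?? string.Empty;
        foreach (string allowed in AllowedThumbprints)
        {
            if (string.Equals(allowed, thumbprint, StringComparison.OrdinalIgnoreCase))
            {
                return "Login successful for " + cert.Subject;
            }
        }
        return "certificate not authorized";
    }
}
```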

Configure your web service to use client certificate authentication

  1. Run the Internet Information Services (IIS) Manager.
  2. Expand the sites for your IIS server. Under the Default Web Site, select the new "FirstContosoBank" web service. In the Actions section, select Advanced Settings....
  3. Set the Application Pool to .NET v2.0 and click OK.
  4. In the Internet Information Services (IIS) Manager, select your IIS server and then double-click Server Certificates. In the Actions section, select Create Self-Signed Certificate.... Enter "ContosoBank" as the friendly name for the certificate and click OK. This will create a new certificate for use by the IIS server in the form of "<server-name>.<domain-name>".
  5. In the Internet Information Services (IIS) Manager, select the default web site. In the Actions section, select Bindings and then click Add.... Select "https" as the type, set the port to "443", and enter the full host name for your IIS server ("<server-name>.<domain-name>"). Set the SSL certificate to "ContosoBank". Click OK. Click Close in the Site Bindings window.
  6. In the Internet Information Services (IIS) Manager, select the "FirstContosoBank" web service. Double-click SSL Settings. Check Require SSL. Under Client certificates, select Require. In the Actions section, click Apply.
  7. You can verify that the web service is configured correctly by opening your web browser and entering the following web address: "https://<server-name>.<domain-name>/FirstContosoBank/Service1.asmx". For example, "https://myserver.example.com/FirstContosoBank/Service1.asmx". If your web service is configured correctly, you will be prompted to select a client certificate in order to access the web service.

You can repeat the previous steps to create multiple web services that can be accessed using the same client certificate.

Create a UWP app that uses certificate authentication

Now that you have one or more secured web services, your apps can use certificates to authenticate to those web services. When you make a request to an authenticated web service using the HttpClient object, the initial request will not contain a client certificate. The authenticated web service will respond with a request for client authentication. When this occurs, the Windows client will automatically query the certificate store for available client certificates. Your user can select from these certificates to authenticate to the web service. Some certificates are password protected, so you will need to provide the user with a way to input the password for a certificate.

If there are no client certificates available, then the user will need to add a certificate to the certificate store. You can include code in your app that enables a user to select a PFX file that contains a client certificate and then import that certificate into the client certificate store.

Tip: You can use makecert.exe to create a PFX file to use with this quickstart. For information on using makecert.exe, see MakeCert.


  1. Open Visual Studio and create a new project from the start page. Name the new project "FirstContosoBankApp". Click OK to create the new project.

  2. In the MainPage.xaml file, add the following XAML to the default Grid element. This XAML includes a button to browse for a PFX file to import, a text box to enter a password for a password-protected PFX file, a button to import a selected PFX file, a button to log in to the secured web service, and a text block to display the status of the current action.

    <Button x:Name="Import" Content="Import Certificate (PFX file)" HorizontalAlignment="Left" Margin="352,305,0,0" VerticalAlignment="Top" Height="77" Width="260" Click="Import_Click" FontSize="16"/>
    <Button x:Name="Login" Content="Login" HorizontalAlignment="Left" Margin="611,305,0,0" VerticalAlignment="Top" Height="75" Width="240" Click="Login_Click" FontSize="16"/>
    <TextBlock x:Name="Result" HorizontalAlignment="Left" Margin="355,398,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Height="153" Width="560"/>
    <PasswordBox x:Name="PfxPassword" HorizontalAlignment="Left" Margin="483,271,0,0" VerticalAlignment="Top" Width="229"/>
    <TextBlock HorizontalAlignment="Left" Margin="355,271,0,0" TextWrapping="Wrap" Text="PFX password" VerticalAlignment="Top" FontSize="18" Height="32" Width="123"/>
    <Button x:Name="Browse" Content="Browse for PFX file" HorizontalAlignment="Left" Margin="352,189,0,0" VerticalAlignment="Top" Click="Browse_Click" Width="499" Height="68" FontSize="16"/>
    <TextBlock HorizontalAlignment="Left" Margin="717,271,0,0" TextWrapping="Wrap" Text="(Optional)" VerticalAlignment="Top" Height="32" Width="83" FontSize="16"/>
    
  3. Save the MainPage.xaml file.

  4. In the MainPage.xaml.cs file, add the following using statements.

    using Windows.Web.Http;
    using System.Text;
    using Windows.Security.Cryptography.Certificates;
    using Windows.Storage.Pickers;
    using Windows.Storage;
    using Windows.Storage.Streams;
    
  5. In the MainPage.xaml.cs file, add the following variables to the MainPage class. They specify the address for the secured "Login" method of your "FirstContosoBank" web service, and a global variable that holds a PFX certificate to import into the certificate store. Update the <server-name> to the fully-qualified server name for your Microsoft Internet Information Server (IIS) server.

    private Uri requestUri = new Uri("https://<server-name>/FirstContosoBank/Service1.asmx?op=Login");
    private string pfxCert = null;
    
  6. In the MainPage.xaml.cs file, add the following click handler for the login button and the method that accesses the secured web service.

    private void Login_Click(object sender, RoutedEventArgs e)
    {
        MakeHttpsCall();
    }
    
    private async void MakeHttpsCall()
    {
        StringBuilder result = new StringBuilder("Login ");
        HttpResponseMessage response;
        try
        {
            // The first request carries no client certificate. When the server asks for
            // one, Windows queries the user certificate store and prompts the user to choose.
            Windows.Web.Http.HttpClient httpClient = new Windows.Web.Http.HttpClient();
            response = await httpClient.GetAsync(requestUri);
            if (response.StatusCode == HttpStatusCode.Ok)
            {
                result.Append("successful");
            }
            else
            {
                result.Append("failed with ");
                result.Append(response.StatusCode);
            }
        }
        catch (Exception ex)
        {
            result.Append("failed with ");
            result.Append(ex.Message);
        }
    
        Result.Text = result.ToString();
    }
    
  7. In the MainPage.xaml.cs file, add the following click handlers for the button to browse for a PFX file and the button to import a selected PFX file into the certificate store.

    private async void Import_Click(object sender, RoutedEventArgs e)
    {
        if (pfxCert == null)
        {
            Result.Text = "Select a PFX file before importing";
            return;
        }
        try
        {
            Result.Text = "Importing selected certificate into user certificate store....";
            // Installs the certificate and its private key from the base64 PFX data into
            // the current user's store under the friendly name "Import Pfx".
            await CertificateEnrollmentManager.UserCertificateEnrollmentManager.ImportPfxDataAsync(
                pfxCert,
                PfxPassword.Password,
                ExportOption.Exportable,
                KeyProtectionLevel.NoConsent,
                InstallOptions.DeleteExpired,
                "Import Pfx");
    
            Result.Text = "Certificate import succeeded";
        }
        catch (Exception ex)
        {
            Result.Text = "Certificate import failed with " + ex.Message;
        }
    }
    
    private async void Browse_Click(object sender, RoutedEventArgs e)
    {
        StringBuilder result = new StringBuilder("Pfx file selection ");
        FileOpenPicker pfxFilePicker = new FileOpenPicker();
        pfxFilePicker.FileTypeFilter.Add(".pfx");
        pfxFilePicker.CommitButtonText = "Open";
        try
        {
            StorageFile pfxFile = await pfxFilePicker.PickSingleFileAsync();
            if (pfxFile != null)
            {
                // Read the whole PFX file and keep it base64-encoded, which is the form
                // ImportPfxDataAsync expects.
                IBuffer buffer = await FileIO.ReadBufferAsync(pfxFile);
                using (DataReader dataReader = DataReader.FromBuffer(buffer))
                {
                    byte[] bytes = new byte[buffer.Length];
                    dataReader.ReadBytes(bytes);
                    pfxCert = System.Convert.ToBase64String(bytes);
                    PfxPassword.Password = string.Empty;
                    result.Append("succeeded");
                }
            }
            else
            {
                result.Append("failed");
            }
        }
        catch (Exception ex)
        {
            result.Append("failed with ");
            result.Append(ex.Message);
        }
    
        Result.Text = result.ToString();
    }
    
  8. Run your app, import a PFX file into the local certificate store, and log in to your secured web service.
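The `MakeHttpsCall` method above leaves certificate selection to the system prompt. The following is an added example, not code from the original article, of looking up the certificate that step 7 imported under the friendly name "Import Pfx" and attaching it to the request explicitly through `HttpBaseProtocolFilter`, so the app sends a known certificate and can report when none is usable. `MakeHttpsCallWithCertAsync` is a hypothetical helper; `requestUri` is the field from step 5.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography.Certificates;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

// Hypothetical helper for the MainPage class: finds the imported client certificate
// by friendly name and sends it with the request instead of relying on the prompt.
private async Task<string> MakeHttpsCallWithCertAsync(Uri requestUri, string friendlyName)
{
    var query = new CertificateQuery
    {
        // Matches the friendly name passed as the last argument to ImportPfxDataAsync.
        FriendlyName = friendlyName
    };
    var candidates = await CertificateStores.FindAllAsync(query);

    // TLS client authentication needs the private key, and an expired or not-yet-valid
    // certificate will be rejected by the server, so filter those out up front.
    Certificate chosen = null;
    DateTimeOffset now = DateTimeOffset.Now;
    foreach (Certificate c in candidates)
    {
        if (c.HasPrivateKey && c.ValidFrom <= now && now < c.ValidTo)
        {
            chosen = c;
            break;
        }
    }
    if (chosen == null)
    {
        return "Login failed: no usable client certificate named \"" + friendlyName + "\"";
    }

    // Attach the certificate to the filter; HttpClient then presents it when the
    // server requests client authentication during the TLS handshake.
    var filter = new HttpBaseProtocolFilter();
    filter.ClientCertificate = chosen;
    using (var httpClient = new HttpClient(filter))
    {
        HttpResponseMessage response = await httpClient.GetAsync(requestUri);
        if (response.StatusCode == HttpStatusCode.Ok)
        {
            return "Login successful with " + chosen.Subject;
        }
        return "Login failed with " + response.StatusCode;
    }
}
```

Call it from `Login_Click` as `Result.Text = await MakeHttpsCallWithCertAsync(requestUri, "Import Pfx");` after making the handler `async`.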

You can use these steps to create multiple apps that use the same user certificate to access the same or different secured web services.