WCF 服务配置异常“证书可能没有私钥......”

【问题标题】:WCF service config exception "it is likely that certificate may not have a private key..."WCF 服务配置异常“证书可能没有私钥......”
【发布时间】:2013-07-01 03:42:36
【问题描述】:

在我上一个问题 - WCF client for consuming ASMX service with WS-Security 之后,我需要配置一个 WCF 服务,该服务将使用 WS-Security 接收 SOAP 请求(可以在链接中找到请求示例)。

这是我的配置文件:

  <system.serviceModel>
    <services>
      <service name="Service.Service1" behaviorConfiguration="customBindingBehavior">
        <endpoint address="http://localhost/Service1.svc" 
                  binding="customBinding"
                  bindingConfiguration="NewBinding0" 
                  name="ServiceEndpoint"
                  contract="Service.Contracts.IService1" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="customBindingBehavior">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="xxx" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" />
            <clientCertificate>
              <certificate findValue="yyy" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="TrustedPeople" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <customBinding>
        <binding name="NewBinding0">
          <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
          <security authenticationMode="MutualCertificate">
            <secureConversationBootstrap />
          </security>
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>


服务证书包含私钥以对响应进行签名。
客户端证书仅包含用于签署请求的客户端私钥的对应公钥。

我收到以下与服务证书相关的异常:
"证书 'CN=xxxxxx' 必须具有能够进行密钥交换的私钥。进程必须具有私钥的访问权限。"

我该如何解决?

提前致谢!

编辑:

我得到的异常: 

System.ArgumentException: It is likely that certificate 'CN=xxx' may not have a private key that is capable of key exchange or the process may not have access rights for the private key.
at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
at System.ServiceModel.Security.AsymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout)
at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open()
at Microsoft.Tools.SvcHost.ServiceHostHelper.OpenService(ServiceInfo info)

【问题讨论】:

    标签: wcf soap ws-security


    【解决方案1】:

    如果错误是在服务器或客户端证书上,则无法从消息中清除。无论如何,您只需要配置服务器证书。客户端证书将根据您可以在行为中指定的策略进行验证。

    你可以使用这个绑定:

    <customBinding>
                <binding name="NewBinding0">
                    <textMessageEncoding messageVersion="Soap11" />
                    <security authenticationMode="MutualCertificate" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
                        <secureConversationBootstrap />
                    </security>
                    <httpTransport />
                </binding>
</customBinding>

    还要确保使用以下内容装饰服务合同:

    [ServiceContract(ProtectionLevel=System.Net.ProtectionLevel.Sign)]

    【讨论】:

    • 检查您是否拥有一个私钥并且您有权访问它。更多信息在这里webservices20.blogspot.co.il/2011/02/…
    • 尝试暂时使用不同的密钥,可能是 wcf 示例提供的并且已知可以工作的密钥,以查看是否存在相同的错误
    • 更新了我的答案,现在看看里面的配置+属性定义
    • 尝试另一个证书。可能你的进程没有权限。
    • 我使用 make cert.exe 创建了一个证书,在 -sky 之后使用 'exchange' 值(而不是我之前使用的 'signature' 值),现在一切正常!这是什么原因?
    【解决方案2】:

    在 Windows 8.1 上使用 Visual Studio 2012 调试客户端应用程序时,我遇到了同样的问题。根据给出的错误消息,您在从 Visual Studio 运行应用程序时也会收到此错误。打开Visual Studio“以管理员身份运行”即可解决问题。

    【讨论】:

      猜你喜欢
      • 2014-08-23
      • 2012-10-22
      • 2014-08-19
      • 2011-10-16
      • 1970-01-01
      • 2010-11-15
      • 2021-03-15
      • 1970-01-01
      • 2015-11-18
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode