證書認證

Question

我有我的配置網頁asp.net API服務來驗證通過客戶端證書請求問題

我做專業的ASP.NET Web API安全描述步驟：

1. 我創建使用makecert.exe證書 makecert.exe -r -n "CN=MobileTradeDataGateway" -pe -sv MobileTradeDataGateway.pvk -a sha256 -cy authority MobileTradeDataGateway.cer和makecert.exe -iv MobileTradeDataGateway.pvk -ic MobileTradeDataGateway.cer -n "CN=DataGateway1" -pe -sv DataGateway1.pvk -a sha256 -sky exchange DataGateway1.cer -eku 1.3.6.1.5.5.7.3.2
2. 我安裝MobileTradeDataGateway證書服務器受信任的根證書頒發機構在客戶端了。在客戶端個人權限中安裝DataGateway1。
3. 配置站點以接受證書並啓用。啓用匿名身份驗證。
4. 創建DelegatingHandler並將其添加到mvc中的messagehandlers集合以檢查證書。

5. 調用Web API方法

   變種的CertStore =新的X509Store（StoreLocation.CurrentUser）;certStore.Open（OpenFlags.ReadOnly）; var collection = certStore.Certificates.Find（X509FindType.FindByIssuerName，「MobileTradeDataGateway」，true）; var cert = collection [0]; certStore.Close（）; var messageHandler = new WebRequestHandler（）; messageHandler.ClientCertificates.Add（cert）; var client = new HttpClient（messageHandler）{BaseAddress = new Uri（「...」）}; var res = client.GetAsync（「/ api/orderuploader？number = 5」）。

。

一切工作正常我的本地機器和網絡，我的機器是服務器。 但是，當我把它部署到Azure雲服務，我得到空 var cert = request.GetClientCertificate(); // here is null 在我的自定義委託處理

關我當然啓用IIS以接受證書和correctelly把證書在受信任的根證書頒發機構

任何想法？

Answer 1

你是否還嘗試通過「指紋」獲取證書？ 這是試圖從證書存儲中讀取證書的示例代碼。

private X509Certificate2 FindCertificate() 
{ 
    X509Store certificateStore = new X509Store(StoreName.My, StoreLocation.CurrentUser); 
    certificateStore.Open(OpenFlags.ReadOnly); 
    X509Certificate2Collection certificates = certificateStore.Certificates; 
    X509Certificate2Collection matchingCertificates = certificates.Find(X509FindType.FindByThumbprint, "CertThumbprint", false); 
    if (matchingCertificates != null && matchingCertificates.Count > 0) 
    { 
     return matchingCertificates[0]; 
    } 
    throw new ArgumentException("Unable to find a matching certificate in the certificate store. Please modify the search criteria."); 
} 

這link已經是我的delegatinghandler從網頁API代碼如何，你可以從Web /輔助角色

Answer 2

這裏閱讀證書的詳細信息

public class X509ClientCertificateHandler : DelegatingHandler 
{ 
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) 
    { 
     if (request.RequestUri.Scheme != Uri.UriSchemeHttps) 
     { 
      WebApiEventSource.Log.InvalidHttpsScheme(); 
      return request.CreateResponse(HttpStatusCode.Forbidden); 
     } 
     var cert = request.GetClientCertificate(); // here is null!!! 
     if (cert == null) 
     { 
      WebApiEventSource.Log.FailureAuthenticate("certificate is abcent", "", ""); 
      return request.CreateResponse(HttpStatusCode.Unauthorized); 
     } 
     var chain =new X509Chain {ChainPolicy = {RevocationMode = X509RevocationMode.NoCheck}}; 
     if (chain.Build(cert) && cert.Issuer.Equals("CN=MobileTradeDataGateway")) 
     { 
      var claims = new List<Claim> 
       { 
        new Claim(ClaimTypes.Name, cert.Subject.Substring(3)) 
       }; 
      var principal = new ClaimsPrincipal(new[] {new ClaimsIdentity(claims, "X509")}); 
      Thread.CurrentPrincipal = principal; 
      if (HttpContext.Current != null) 
       HttpContext.Current.User = principal; 
      WebApiEventSource.Log.SuccessAuthenticate(cert.SubjectName.Name); 
      return await base.SendAsync(request, cancellationToken); 
     } 
     WebApiEventSource.Log.FailureAuthenticate("certificate is incorrect", cert.IssuerName.Name, cert.SubjectName.Name); 
     return request.CreateResponse(HttpStatusCode.Unauthorized); 
    } 
} 

Answer 3

我想你已經錯過將證書上載到Azure門戶。請確保您將.cer或.pfx證書上傳到Azure門戶。讓我知道如果你需要幫助如何上傳等