1
我們的服務器/服務證書已過期,並且我們發佈了新的證書。將其替換到證書存儲區(作爲SSL服務器證書沒有問題),將運行該服務的AppPoolIdentity的訪問權限設置爲私鑰。 我的服務配置:WCF郵件安全性在服務器證書更改後停止工作
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="A2AValidation" type="SPOZUS_T2S_A2A.A2AValidation+CustomBehaviorSection, SPOZUS_T2S_A2A, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http" binding="wsHttpBinding" />
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="MessageSecurityBinding">
<security mode="Message">
<message clientCredentialType="Certificate" establishSecurityContext="true" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ClientSecBehavior" name="SPOZUS_T2S_A2A.Service">
<endpoint address="" behaviorConfiguration="A2AValidationBehavior" bindingNamespace="https://DRW2012IIS.XXX.XXXX.XX:10002/A2A" binding="wsHttpBinding" bindingConfiguration="MessageSecurityBinding" name="A2AmessageEndpoint" contract="SPOZUS_T2S_A2A.IService" />
<endpoint address="mex" binding="mexHttpsBinding" name="A2AMessageEndpointMex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://DRW2012IIS.XXX.XXXX.XX:10002/A2A/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="A2AValidationBehavior">
<A2AValidation />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ClientSecBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine" mapClientCertificateToWindowsAccount="true" />
</clientCertificate>
<serviceCertificate findValue="DRW2012IIS.XXX.XXXX.XX" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
當我從瀏覽器訪問該服務它拋出錯誤:
[CryptographicException: Invalid provider type specified.
]
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +5273481
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +94
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +136
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +203
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +240
System.ServiceModel.Security.SecurityUtils.GetKeyContainerInfo(X509Certificate2 certificate) +42
System.ServiceModel.Security.SecurityUtils.CanKeyDoKeyExchange(X509Certificate2 certificate) +10
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +64
[ArgumentException: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.]
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +336
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +35
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +64
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +59
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +261
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver) +829
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver) +709
System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +208
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +81
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout) +16
System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +842
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +125
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) +130
System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) +738
[ServiceActivationException: The service '/TEST/A2A/Service.svc' cannot be activated due to an exception during compilation. The exception message is: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail..]
System.Runtime.AsyncResult.End(IAsyncResult result) +604003
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +238
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +178