关键点:
1. 保证在客户端设置签名。
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, certName);
2. 编写自己的validator,继承 X509CertificateValidator
public class MyX509CertificateValidator : X509CertificateValidator
{
string allowedIssuerName; public MyX509CertificateValidator(string allowedIssuerName)
{
if (allowedIssuerName == null)
{
throw new ArgumentNullException("allowedIssuerName");
} this.allowedIssuerName = allowedIssuerName;
} public override void Validate(X509Certificate2 certificate)
{
// Check that there is a certificate.
if (certificate == null)
{
throw new ArgumentNullException("certificate");
} // Check that the certificate issuer matches the configured issuer.
if (allowedIssuerName != certificate.IssuerName.Name)
{
throw new SecurityTokenValidationException
("Certificate was not issued by a trusted issuer");
}
}
}
3. 在server端,将自己编写的validator嵌入servicehost之中
using (ServiceHost serviceHost = new ServiceHost(typeof(CalculatorService)))
{
serviceHost.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
X509CertificateValidationMode.Custom;
serviceHost.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
new MyX509CertificateValidator("CN=Contoso.com"); serviceHost.Open();
Console.WriteLine("Service started, press ENTER to stop ...");
Console.ReadLine(); serviceHost.Close();
} 最后附上MSDN的官方说明(原文出处)
https://msdn.microsoft.com/en-us/library/ms733806(v=vs.110).aspx