I'm looking at implementing PKI authentication (2-way SSL requiring X.509 certificates) for an OpenRasta service.
Any ideas on how to go about this?
Thanks
Question:
Answer 1:
I assume that you're using the HttpListener hosting.
To enable SSL / client certificates, those settings are set by httpcfg.
You can find some information at http://msdn.microsoft.com/en-us/library/ms733791.aspx. More specifically, you should be able to enable SSL with client certificates using
httpcfg set ssl -i 0.0.0.0:8012 -h 0000000000003ed9cd0c315bbb6dc1c08da5e6 -f 3
On platforms where that tool can be used. The -u is your IP/port. You probably want -f 3, as this maps the client certificate to a Windows account, but -f 2 would do the transport security without caring about setting authentication. -h is the thumbprint of the certificate, which should be installed in the destination server's certificate store; you can find that with the usual Windows admin tools.
There's also a tool that lets you control http.sys at http://httpsysconfig.codeplex.com/
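
An added example, not part of the original answer: a PowerShell sketch that looks up the server certificate in the machine store, cleans its thumbprint into the form `-h` expects, and prints the httpcfg commands to review. The subject name `CN=service.example.test` and the parameter names are assumptions; the ip:port and `-f` values are the ones the answer uses.

```powershell
# Added example, not from the original answer. Subject name is a constructed placeholder.
param(
    [string]$SubjectMatch = 'CN=service.example.test',  # assumed server certificate subject
    [string]$IpPort       = '0.0.0.0:8012',             # ip:port from the answer
    [int]   $Flags        = 2                           # -f value as described in the answer (2 or 3)
)

function ConvertTo-CertHash {
    param([string]$Thumbprint)
    # A thumbprint copied from the certificate dialog carries spaces and sometimes an
    # invisible left-to-right mark (U+200E); keep hex digits only.
    $hex = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($hex.Length) hex digits"
    }
    return $hex
}

# The server certificate has to be in the machine store, unexpired, with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "*$SubjectMatch*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable certificate matching '$SubjectMatch' in Cert:\LocalMachine\My"
}

$hash = ConvertTo-CertHash $cert.Thumbprint

# Print the commands instead of running them, so the binding can be reviewed first.
"httpcfg set ssl -i $IpPort -h $hash -f $Flags"
"httpcfg query ssl"   # lists the current bindings to confirm the hash and flags took effect
```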