ASP.NET WebAPI HTTPS

参照文档 http://southworks.com/blog/2014/06/16/enabling-ssl-client-certificates-in-asp-net-web-api/

第一步 创建受信任的根证书颁发机构

makecert.exe -n "CN=Development CA" -r -sv DevelopmentCA.pvk DevelopmentCA.cer

并将证书导入到证书管理，特别要注意的是必须是“证书-本地计算机”，而非当前用户

第二步 利用刚才创建的根证书来创建证书的pfx格式 ,第一条命令创建证书，第二条命令将转换为pfx格式并包含私钥，“123456”为私钥密码

makecert.exe -pe -n "CN=localhost" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic DevelopmentCA.cer -iv developmentCA.pvk -sv SSLCert.pvk SSLCert.cer

pvk2pfx -pvk SSLCert.pvk -spc SSLCert.cer -pfx SSLCert.pfx -po 123456

导入证书到本地计算机个人证书

第三步 生成客户端证书，执行命令之后客户端证书自动会添加到“证书-当前用户”个人证书里

makecert.exe -pe -ss My -sr CurrentUser -a sha1 -sky exchange -n "CN=ClientCertificatesTest"

-eku 1.3.6.1.5.5.7.3.2 -sk SignedByCA -ic DevelopmentCA.cer -iv DevelopmentCA.pvk

第四步 证书生成完毕后配置IIS，在网站中添加绑定选择https类型，SSL证书选择我们刚才创建的

第五步 更改SSL设置，我这里是设置了必须要求SSL，可根据自己的实际情况来选择

第六步  在程序中添加HTTPS过滤器，添加此特性的接口会先判断请求是否来自HTTPS

publicclassRequireHttpsAttribute : AuthorizationFilterAttribute
    {
        publicoverridevoid OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                actionContext.Response = newHttpResponseMessage(System.Net.HttpStatusCode.Forbidden)
                {                 
                    ReasonPhrase = "HTTPS Required"
                };
            }
            else
            {
                base.OnAuthorization(actionContext);
            }
        }

}

最后我们测试下SSL是否生效

publicstaticvoid Test()
        {
            var secure = newSecureString();
            foreach (char s in"password") //password为导出的证书安全密码
            {
                secure.AppendChar(s);
            }
            var handler = newWebRequestHandler();
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.UseProxy = false;

string path = @"C:\test.pfx";
            var certificate = newX509Certificate2(path, secure);
            handler.ClientCertificates.Add(certificate);

ServicePointManager
                .ServerCertificateValidationCallback +=
                (sender, cert, chain, sslPolicyErrors) => true;

using (var client = newHttpClient(handler))
            using (var content = newMultipartFormDataContent())
            {
                var arg = 1;
                var url = string.Format(@"https://localhost:4438/api/test?arg={0}",arg);
                var result = client.PostAsync(url, content).Result.Content.ReadAsStringAsync();
                Console.WriteLine(string.Format("[{0}]", result.Result));
            }

}