编辑：

我终于确定，IClientMessageInspector似乎并没有反映邮件签名，所以当我真正让我请求一个签名，我不知道它。所以，现在我的新的，真正的问题...

如何配置一个WCF客户端，以present无论是SSL客户端证书，并签署了SOAP头？

  VAR myBinding =新basicHttpBinding的（）;
myBinding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
myBinding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
 

这将导致在具有真实签名的时间戳的标题。但是，客户端证书不再是presented，我不明白过去的SSL。如果我的第二行更改为：

  myBinding.Security.Mode = BasicHttpSecurityMode.Transport;
 

然后我拿过去SSL，但我的SOAP头不再有签字块。

有没有什么方法可以让我得到阿霍德HttpWebRequest的，这样我可以手动附加SSL客户端证书，像这样？

  webRequest.ClientCertificates.Add（certLoader.Load（@C：\ somecert.pfx​​））;
 

原始的问题

我的工作，需要互操作与多数民众赞成使用论坛哨兵网络设备安全地访问第三方提供的服务WCF客户端上。他们需要与SSL在传输层一个客户端证书以及邻：安全元素的签名使用的头一个证书。我能够实现一个或其他行吟诗人与标准绑定，但我似乎无法得到双方发生simultaneosly。理想情况下，他们希望从SSL客户端证书不同的证书签名的消息，但他们说，我们可以用两个SSL客户端身份验证相同的证书，并签署了消息。

我愿意在这一点上做任何事情来得到这个工作，包括使用CustomBinding，如果有必要的。

我可以用下面的SSL部分工作：

  VAR myBinding =新basicHttpBinding的（）;
myBinding.Security.Mode = BasicHttpSecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
VAR URL =htt​​ps://blah.com/services/somservice;
的EndpointAddress EA =新的EndpointAddress（URL）;
VAR的客户=新SoapClient的（myBinding，EA）;
VAR certLoader =新CertificateLoader（密码）;
client.ClientCredentials.ClientCertificate.Certificate = certLoader.Load（@C：\ somecert.pfx​​）;
VAR RESP = client.somemethod（REF轮廓，新的RequestType {版本= RequestTypeVersion.Item100}）;
 

解决方案

请发布一个样品的工作皂（例如，一个规定的供应商）。顺便说一句有更激烈的动作比使用自定义绑定：）

编辑：用你需要自定义绑定两种运输和信息安全。谷歌WCF绑定转换器来自动执行此操作。在自定义绑定，而不是http元素将其更改为HTTPS和使用属性requirevlientcertificate。对不起，拼写，我在移动

编辑：

 变种C =新CustomBinding（）;
MessageSecurityVersion版本= MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
VAR秒= SecurityBindingElement.CreateCertificateOverTransportBindingElement（版本）;
c.Elements.Add（秒）;
c.Element.Add（新TextMessageEncodingBindingElement（）{MessageVersion = MessageVersion.Soap11}）
c.Elements.Add（新HttpsTransportBindingElement（）{RequireClientCertificate = TRUE}）;
 

EDIT:

I finally determined that IClientMessageInspector does not seem to reflect message signing so when I was actually getting a signature in my request I didn't know it. So now for my new, real question...

How can I configure a WCF client to present both the SSL client cert and sign the SOAP Header?

var myBinding = new BasicHttpBinding();
myBinding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
myBinding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

This will result in the header having a timestamp that's signed. However, the client cert is no longer presented and I don't get past SSL. If I change the second line to:

myBinding.Security.Mode = BasicHttpSecurityMode.Transport;

Then I get past SSL but my SOAP header no longer has the signing block.

Is there any way I can get ahold of HttpWebRequest so that I can manually attach the SSL Client cert like so?

webRequest.ClientCertificates.Add(certLoader.Load(@"c:\somecert.pfx"));

Original Question

I am working on a WCF client that needs to interop with a service provided by a third party that's using a Forum Sentry network appliance to secure access. They require SSL with a client cert at the transport level as well as an o:Security element with signature using an cert in the header. I'm able to achieve one or othe other with standard bindings, but I can't seem to get both to happen simultaneosly. Ideally, they want the message signed with a different cert from the SSL client cert but they said we could use the same cert for both the SSL client authentication and to sign the message.

I'm willing to do anything at this point to get this working including using a CustomBinding if necessary.

I can get the SSL part working using the following:

var myBinding = new BasicHttpBinding();
myBinding.Security.Mode = BasicHttpSecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var url = "https://blah.com/services/somservice";
EndpointAddress ea = new EndpointAddress(url);
var client = new SoapClient(myBinding, ea);
var certLoader = new CertificateLoader("password");
client.ClientCredentials.ClientCertificate.Certificate = certLoader.Load(@"c:\somecert.pfx");
var resp = client.somemethod(ref profile, new RequestType { version = RequestTypeVersion.Item100 });

please publish a sample working soap (e.g. one the vendor provided). btw there are much more drastic moves than using a custom binding :)

Edit: to use both transport and message security you need custom binding. Google for "wcf binding converter" to do this automatically. In the custom binding instead of http element change it to https and use attribute requirevlientcertificate. Sorry for spelling I'm on mobile

EDIT:

var c = new CustomBinding();            
MessageSecurityVersion version = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
var sec = SecurityBindingElement.CreateCertificateOverTransportBindingElement(version);
c.Elements.Add(sec);
c.Element.Add(new TextMessageEncodingBindingElement() { MessageVersion = MessageVersion.Soap11 };)
c.Elements.Add(new HttpsTransportBindingElement() { RequireClientCertificate = true });