当发行者不是X509时,使用证书存储使用Microsoft .NET框架进行客户端身份验证的受信任根
[英]Use certificate when issuer is not is X509Store trusted roots for client authentication using Microsoft .NET framework
问题描述
While working on this question, I identified that the problem is slightly different than initially stated, so I am changing title and description 
在处理这个问题时,我发现问题与最初的说法略有不同,所以我正在改变标题和描述
I'm trying to authenticate myself against WebService using my client certificate. 我正在尝试使用我的客户端证书对WebService进行身份验证。 I am using WebRequest for that purpose. 我正在为此目的使用WebRequest 。 I need to use self-signed certificate, without registering it in Windows X509 trusted root store. 我需要使用自签名证书,而无需在Windows X509受信任的根存储中注册它。
The way I know if client certificate is presented or not is by examining request object on the server 我知道是否提供客户端证书的方法是检查服务器上的请求对象
I tried to use code from this question as a guidance. 我试图使用这个问题的代码作为指导。 It doesn't work on .NET. 它不适用于.NET。 Here is my code: 这是我的代码:
var certificate = new X509Certificate2(Properties.Resources.MyCert);
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(host);
req.ClientCertificates.Add(certificate);
WebResponse resp = req.GetResponse();
var stream = resp.GetResponseStream();
What I observe is that even though req.ClientCertificates does contain certificate with a valid private key, that certificate is never presented to server. 我观察到的是,即使req.ClientCertificates确实包含带有有效私钥的证书,该证书也永远不会呈现给服务器。 I get no indication from WebClient that certificate is not used during handshake. 我没有得到WebClient的指示,即在握手期间没有使用证书。
If I put certificate into "trusted root", the code will work (even when certificate is not in "personal"). 如果我将证书放入“受信任的根”,则代码将起作用(即使证书不在“个人”中)。
My questions are: 我的问题是:
Since certificate is usable when it's placed in "trusted root", I assume it is likely due to policy or something of that kind.
由于证书在被置于“受信任的根”时可用,我认为这可能是由于政策或类似的东西。 Is it possible to coerce .NET to ignore policy settings and use supplied client certificate during TLS negotiation? 是否有可能强制.NET忽略策略设置并在TLS协商期间使用提供的客户端证书? If abovementioned coercion is not possible, is there a call which will tell me ahead of time, that certificate I am about to use is not usable, and will be ignored?
如果上述强制措施不可能,是否有提前告诉我的电话,我即将使用的证书不可用,将被忽略? Alternatively, if such call is not available, could I make WebClient fail indicating a certificate error, instead of silently skipping over? 或者,如果此类调用不可用,我是否可以使WebClient失败,指示证书错误,而不是默默地跳过?
NOTE : I am aware that configuring certificates as described by Microsoft will work. 注意 :我知道按照Microsoft描述配置证书将起作用。 This is NOT what I am looking for. 这不是我想要的。 I don't want to register potentially insecure certificate in trusted root, because this is potentially security hazard. 我不想在受信任的根目录中注册可能不安全的证书,因为这可能存在安全隐患。 I want to use cert on client without registering in store, or at least to get an exception indicating that certificate cannot be used. 我想在客户端使用cert而不在商店注册,或者至少得到一个异常,表明不能使用证书。 I realize that there can be multiple reasons why certificate cannot be used for a session, but there must be an exception, or at least some sort of indication on the client side that it cannot use specified cert. 我意识到,为什么证书不能用于会话可能有多种原因,但必须有一个例外,或者至少在客户端有某种指示它不能使用指定的证书。 Instead, client simply doesn't present one. 相反,客户只是不提供一个。
1 个解决方案
解决方案1
1 2014-02-01 01:17:25
When you instantiate your X509Certificate2, is the PrivateKey property set? 实例化X509Certificate2时,是否设置了PrivateKey属性? If it is null, you are missing the private key, meaning the SSL/TLS client will be unable to authenticate you. 如果为null,则表示您缺少私钥,这意味着SSL / TLS客户端将无法对您进行身份验证。
Make sure you are loading the certificate from a PFX file (or similar) instead of a CER. 确保从PFX文件(或类似文件)而不是CER加载证书。 These contain the private key, too. 这些也包含私钥。 They are usually password protected for that purpose. 它们通常用于此目的的密码保护。 See How to retrieve certificates from a pfx file with c#? 请参见如何使用c#从pfx文件中检索证书? for more info. 了解更多信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.