
Trusting SSL certificates stored in “Trusted Root Certification Authorities” in C#

Context:

I'm trying to experiment with ADFS SSO and followed this tutorial to first connect to Azure AD:

http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/

That worked.

Then trying to make it connect to ADFS on our Win Server 2012 R2 following this other tutorial:

http://www.cloudidentity.com/blog/2013/10/25/securing-a-web-api-with-adfs-on-ws2012-r2-got-even-easier/

and just as they say in this 3rd tutorial: https://msdn.microsoft.com/en-us/library/dn660967.aspx

I get an SSL certificate error:


Questions:

I know I can bypass certificate validation or put special logic in ServicePointManager.ServerCertificateValidationCallback to code around this but since I imported the certificate in my local machine "Trusted Root Certification Authorities"...:

  1. ... why is my service still complaining about the certificate?

  2. ... Is there a way to tell my C# service to accept ALL certificates in the "Trusted Root Certification Authorities" store?

NOTE: I did implement a ServicePointManager.ServerCertificateValidationCallback and that works but since we will get a whole bunch of clients sending us their ADFS certs, I would like to only have to import their certs in the cert store to have our service trust them.

Thanks

You should put the root certificate inside the Trusted Root Certification Authorities store (not the certificate itself). If you open a certificate and go to certification path you will be able to view the root certificate.

To explain this further:

Every certificate has an issuer, and such issuer also has a certificate.

Usually the issuer is a Certification Authority (CA).

Such certificate (of the CA) might be signed by the CA itself (self-signed), or another parent CA.

So you have a parent/child relationship here. The root certificate is the certificate for the root issuer, i.e., the parent/grandparent whose certificate is self-signed.

[image: Certification Path tab]

In this example, the Administrator certificate is signed by the CA. And the CA certificate is self-signed. In this case, you would want to install the CA certificate to the Trusted Root Certification Authorities store.

There are other factors that play a role when it comes to certificate validation. For example, a certificate has an expiry date after which it will be considered invalid.
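A diagnostic for the chain building described in the answer above, as an added example that is not part of the original question or answer: it builds the chain with the platform's default trust and prints every element, the self-signed root and the chain status, so you can see which certificate has to be in the trusted root store. The names `ChainReport`, `Report` and `MakeSample` are hypothetical, the CA and server certificate (`CN=Example Test CA`, `CN=adfs.example.test`) are constructed throwaway samples, and `CertificateRequest` is assumed to be available (.NET Core 2.0+ or .NET Framework 4.7.2+).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainReport   // hypothetical name, not from the original post
{
    // Build the chain with the platform's default trust (on Windows this includes
    // the Trusted Root Certification Authorities store) and print each element.
    static bool Report(X509Certificate2 cert, params X509Certificate2[] knownIssuers)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // sample certs have no CRL
        foreach (var issuer in knownIssuers)
            chain.ChainPolicy.ExtraStore.Add(issuer); // helps locate issuers, grants no trust
        bool trusted = chain.Build(cert);
        foreach (X509ChainElement element in chain.ChainElements)
        {
            X509Certificate2 c = element.Certificate;
            // Subject == issuer marks the self-signed certificate at the top of the chain.
            bool selfSigned = c.SubjectName.RawData.SequenceEqual(c.IssuerName.RawData);
            Console.WriteLine($"  {c.Subject} <- issued by {c.Issuer}{(selfSigned ? " [self-signed root]" : "")}");
        }
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  status: {status.Status}");
        Console.WriteLine($"  trusted: {trusted}");
        return trusted;
    }

    // Constructed sample input: a throwaway CA and a server certificate signed by it.
    static (X509Certificate2 ca, X509Certificate2 leaf) MakeSample()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        RSA caKey = RSA.Create(2048); // kept alive: the CA certificate uses it to sign
        var caReq = new CertificateRequest("CN=Example Test CA", caKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        X509Certificate2 ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=adfs.example.test", leafKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return (ca, leafReq.Create(ca, now.AddHours(-1), now.AddDays(29), new byte[] { 1, 2, 3, 4 }));
    }

    static void Main(string[] args)
    {
        if (args.Length > 0) { Report(new X509Certificate2(args[0])); return; } // path to a .cer file
        var (ca, leaf) = MakeSample();
        Console.WriteLine("Server certificate alone:"); Report(leaf);
        Console.WriteLine("Server certificate with its CA supplied but not installed as trusted:"); Report(leaf, ca);
    }
}
```

Passing the path of a certificate file as the first argument reports on that certificate instead of the constructed sample.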
