How to get and install a root CA certificate
I'm having a problem with SslStream.AuthenticateAsClient taking a "long time" (~15s). This is a known issue, and is explained in this MSDN blog post.
It gives two possible solutions:
Summing up, this behavior is by design. Options we have are:
1) Install the root CA cert locally so we don't need to go to the Internet for the list of trusted root CA certs.
2) Disable the Automatic Root Certificates Update feature via GPO so we don't go to the Internet in any case.
I've been told option 2 is not a great idea from a security perspective, so I need to do option 1.
The problem is I have no clue how to get the root CA cert. Once I have it I can probably figure out how to use certutil to install it.
I can break my execution in this function:
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

private static bool CertificateValidationCallback(
    object oSender,
    X509Certificate oCertificate,
    X509Chain oChain,
    SslPolicyErrors oSslPolicyErrors)
{
    // Breakpoint here: oChain.ChainElements holds the chain that was built,
    // with the topmost certificate found (the root, when the chain is complete) as its last element.
    return oSslPolicyErrors == SslPolicyErrors.None;
}
So I guess my question(s) are:
How do I obtain a Root CA Certificate? What information do I need to get it? Where do I get this information?
The Authority Information Access extension of the X.509 standard contains location information (a URL) for the Root CA Certificate, but it is an optional field.
http://tools.ietf.org/html/rfc5280#section-4.2.2.1
using System;
using System.Linq;
using System.Text;
using System.Security.Cryptography.X509Certificates;

var cert = new X509Certificate2(certData);  // certData: the encoded certificate bytes
// 1.3.6.1.5.5.7.1.1 is id-pe-authorityInfoAccess
var authInfoExtnsions = from ext in cert.Extensions.Cast<X509Extension>()
                        where ext.Oid.Value == "1.3.6.1.5.5.7.1.1"
                        select ext;
foreach (var authInfoExtnsion in authInfoExtnsions)
{
    // RawData is DER; decoding it as UTF-8 only makes the ASCII URL visible amid binary bytes
    Console.WriteLine(Encoding.UTF8.GetString(authInfoExtnsion.RawData));
}
authInfoExtnsion.RawData is a complex ASN.1 structure (for which you can find details in the X.509 standard), and this code will not give you the URL of the Root CA Certificate. You need to parse it and get the URL. As I said, Authority Information Access is an optional extension, but if it is present you will notice that the URL of the Root CA Certificate can be read in the console.
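The answer stops at the raw bytes. What follows is an added example, not the answer's code or anything from the original post, showing what parsing those bytes actually involves. It is written in Python rather than C# so the DER walk stands on its own with no library; the structure it walks is exactly what authInfoExtnsion.RawData holds in .NET (the extension value, without the outer OCTET STRING wrapper of the extension). The sample input is constructed with a small encoder in the same file and its hostnames are made up. Two practical points the code reflects: the caIssuers URL points at the certificate of the issuer, i.e. one step up the chain and not necessarily the root, so the lookup has to be repeated on each fetched certificate until a self-signed one is reached; and RFC 5280 section 4.2.2.1 allows that URL to return either a single DER certificate or a PKCS#7 "certs-only" bundle, so the download needs to be handled accordingly.

```python
"""Parse an Authority Information Access (AIA) extension value: the bytes that
X509Extension.RawData holds in .NET for OID 1.3.6.1.5.5.7.1.1.

AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
                                 accessLocation GeneralName }
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier (context, primitive)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted text (first octet packs two arcs)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear terminates a base-128 arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def parse_aia(raw):
    """Return [(method_oid, location)]; location is the URI text for [6] names,
    otherwise ('tag', n) so an unexpected GeneralName choice is not silently lost."""
    tag, seq, end = read_tlv(raw, 0)
    if tag != TAG_SEQUENCE or end != len(raw):
        raise ValueError("AIA value must be exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        tag, oid_bytes, p = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        tag, name, p = read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        location = name.decode("ascii") if tag == TAG_URI else ("tag", tag & 0x1F)
        out.append((decode_oid(oid_bytes), location))
    return out

def ca_issuer_urls(raw):
    """URLs for the issuer's certificate: one step up the chain, not necessarily the root."""
    return [loc for oid, loc in parse_aia(raw)
            if oid == OID_CA_ISSUERS and isinstance(loc, str)]

# Constructed sample input below (made-up hostnames, not from a real certificate).
def der(tag, content):
    """Minimal DER TLV encoder, enough to build the sample and exercise long lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(TAG_OID, bytes(body))

def access_description(method, url):
    return der(TAG_SEQUENCE, encode_oid(method) + der(TAG_URI, url.encode("ascii")))

SAMPLE_AIA = der(TAG_SEQUENCE,
                 access_description(OID_OCSP, "http://ocsp.ca.example/")
                 + access_description(OID_CA_ISSUERS, "http://ca.example/intermediate.crt"))

if __name__ == "__main__":
    for method, where in parse_aia(SAMPLE_AIA):
        print(method, where)
    print("caIssuers:", ca_issuer_urls(SAMPLE_AIA))
```

Once the self-signed certificate at the top of the chain has been retrieved and its fingerprint checked against the value the CA publishes, installing it into the machine Root store is a single command in an elevated prompt: certutil -addstore Root root.cer (add -user to install into the current user's store instead). Treating anything fetched from an AIA URL as trusted without that fingerprint check would make the caIssuers download itself the point of trust, which is the same problem the root store exists to avoid.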