
How to get and install a root CA certificate

I'm having a problem with SslStream.AuthenticateAsClient taking a "long time" (~15s). This is a known issue, and is explained in this MSDN blog post.

It gives two possible solutions:

Summing up, this behavior is by design. Options we have are: 1) Install the root CA cert locally so we don't need to go to the Internet for the list of trusted root CA certs. 2) Disable the Automatic Root Certificates Update feature via GPO so we don't go to the Internet in any case.

I've been told option 2 is not a great idea from a security perspective, so I need to do option 1.

The problem is I have no clue how to get the root CA cert. Once I have it I can probably figure out how to use certutil to install it.

I can break my execution in this function:

using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Passed to SslStream as the RemoteCertificateValidationCallback; a breakpoint
// here stops after chain building, so oChain holds the chain the runtime built.
private static bool CertificateValidationCallback(
    object oSender,
    X509Certificate oCertificate,
    X509Chain oChain,
    SslPolicyErrors oSslPolicyErrors)
{
    // Accept the connection only when the runtime reported no policy errors.
    return oSslPolicyErrors == SslPolicyErrors.None;
}

So I guess my question(s) are:

How do I obtain a root CA certificate? What information do I need to get it? Where do I get this information?

The Authority Information Access extension of the X.509 standard contains the location (URL) of the root CA certificate, but it is an optional field.

http://tools.ietf.org/html/rfc5280#section-4.2.2.1

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// certData: the certificate's DER (or PEM) bytes, e.g. from oCertificate.Export(X509ContentType.Cert)
var cert = new X509Certificate2(certData);
// 1.3.6.1.5.5.7.1.1 is id-pe-authorityInfoAccess (RFC 5280, section 4.2.2.1)
var authInfoExtnsions = from ext in cert.Extensions.Cast<X509Extension>()
                        where ext.Oid.Value == "1.3.6.1.5.5.7.1.1"
                        select ext;
foreach (var authInfoExtnsion in authInfoExtnsions)
{
    // RawData is DER, not text: the URLs show up in the output, but the bytes around them are ASN.1 tags and lengths.
    Console.WriteLine(Encoding.UTF8.GetString(authInfoExtnsion.RawData));
}

authInfoExtnsion.RawData is a complex ASN.1 structure (for which you can find details in the X.509 standard), and this code will not give you the URL of the root CA certificate. You need to parse it and get the URL. As I said, Authority Information Access is an optional extension, but if it is present you will notice that the URL of the root CA certificate can be read in the console.
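Where the answer stops ("You need to parse it and get the URL"), the parsing itself is short. What follows is an added example written for this page, not code from the answer, the question or .NET: a dependency-free DER walker for exactly the bytes the C# snippet prints as authInfoExtnsion.RawData, i.e. the AIA value SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName } from RFC 5280 section 4.2.2.1. Python is used so the logic can be read and run without a .NET toolchain. The sample extension is constructed inside the block; its example.com URLs and the names parse_aia and build_sample_aia are this example's own, not anything from the page.

```python
"""Pull issuer-certificate and OCSP URLs out of an X.509 Authority Information
Access (AIA) extension.  Added example for this answer, not code from the
original page.  Input: the DER value of the extension with OID 1.3.6.1.5.5.7.1.1
(what .NET exposes as X509Extension.RawData; RFC 5280 section 4.2.2.1).
The sample built below is constructed; its example.com URLs are placeholders."""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in AIA")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]  # the first two arcs are packed as 40*X + Y
    x, y = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in [x, y] + arcs[1:])


def parse_aia(raw):
    """Return {'ocsp': [...], 'ca_issuers': [...]} from an AIA extension value.
    Only URI access locations are collected; other GeneralName choices are skipped."""
    tag, outer, end = _read_tlv(raw, 0)
    if tag != TAG_SEQUENCE or end != len(raw):
        raise ValueError("AIA value is not a single SEQUENCE")
    found = {"ocsp": [], "ca_issuers": []}
    pos = 0
    while pos < len(outer):
        tag, desc, pos = _read_tlv(outer, pos)  # one AccessDescription
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid_bytes, p = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, location, p = _read_tlv(desc, p)
        if p != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        if tag != TAG_URI:
            continue  # directoryName, rfc822Name, ...: nothing to download
        method = _decode_oid(oid_bytes)
        url = location.decode("ascii")  # IA5String is 7-bit ASCII
        if method == OID_OCSP:
            found["ocsp"].append(url)
        elif method == OID_CA_ISSUERS:
            found["ca_issuers"].append(url)
    return found


# Minimal DER encoder, used only to build the constructed sample input.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_sample_aia():
    """Constructed AIA value with one OCSP and one caIssuers entry (placeholders)."""
    def access(method, url):
        return _tlv(TAG_SEQUENCE, _encode_oid(method) + _tlv(TAG_URI, url.encode("ascii")))
    return _tlv(TAG_SEQUENCE, access(OID_OCSP, "http://ocsp.example.com")
                + access(OID_CA_ISSUERS, "http://ca.example.com/issuer.cer"))
```

parse_aia(build_sample_aia()) returns {'ocsp': ['http://ocsp.example.com'], 'ca_issuers': ['http://ca.example.com/issuer.cer']}. Two caveats the answer glosses over. First, caIssuers points at the certificate of the CA that issued this certificate, which is the next link up, not necessarily the root: fetch it, parse its own AIA the same way, and repeat until you reach a certificate whose issuer equals its subject (a root normally carries no AIA at all). In the question's callback the runtime has often already done this work, and when the chain was built up to a root it is the last entry in oChain.ChainElements, ready to be exported. Second, anything downloaded over plain HTTP from an AIA URL is untrusted input: compare its SHA-256 fingerprint with the value the CA publishes before trusting it, then certutil -addstore -f Root root.cer from an elevated prompt places it in the machine's Trusted Root Certification Authorities store, which is what option 1 in the quoted blog post asks for.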

Notice: the technical posts on this site are published under the CC BY-SA 4.0 license; if you repost, please credit this site's URL or the original source. Questions: yoyou2525@163.com.

Guangdong ICP filing No. 18138465  © 2020-2024 STACKOOM.COM