
Using custom root CA with HttpClient

In C#, when using HttpClient, how can I connect to an https server that is using either a self-signed certificate (for testing) or a custom CA that is not part of the machine's trust-store? Note that I'm not needing client certificates, I only need HttpClient to validate the server certificate that is not signed by one of the trusted root CAs on the machine. I know that I could just add the self-signed certificate or the CA to the local trust-store on the machine, but let's say I want to avoid doing this. What I need is basically to supply an extra root CA to the running application.

There are quite simple ways to do this in other languages as I know:

  1. In Java, using the "javax.net.ssl.trustStore" system property.

  2. In Node.js, using the NODE_EXTRA_CA_CERT environment variable.

But I couldn't find anything like this for .Net so far. Is there a simple way like the above?

I fought with this for a while; there don't seem to be good answers out there other than "write your own callback handler", as user evk mentioned with the link to https://learn.microsoft.com/en-us/dotnet/api/system.net.http.httpclienthandler.servercertificatecustomvalidationcallback?view=net-5.0 in the comments above, but that doesn't really explain what should be inside that callback. Then I stumbled upon this comment: https://github.com/dotnet/runtime/issues/39835#issuecomment-663020581

Turns out, using a custom root cert is pretty straightforward. Basically, alter the chain policy to use custom roots, add your custom root, and call Build on the chain.

using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Assigned to HttpClientHandler.ServerCertificateCustomValidationCallback.
private static bool ServerCertificateCustomValidation(
    HttpRequestMessage requestMessage,
    X509Certificate2? certificate,
    X509Chain? chain,
    SslPolicyErrors sslErrors)
{
    if (certificate == null) return false;
    if (chain == null) return false;
    // Validate against our own root instead of the machine trust store.
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
    // GetTrustedRootCert() returns the custom root CA as an X509Certificate2
    // (the answer does not show its body).
    chain.ChainPolicy.CustomTrustStore.Add(GetTrustedRootCert());
    // Build() returns true only if the server certificate chains to that root.
    return chain.Build(certificate);
}

Keep in mind you may still want to check some other things, like whether there are other policy errors. This answer only covers using a custom trusted root.
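The following is an added example, not code from the question or the answer above, that puts the callback into a complete HttpClient setup and adds the extra checks the answer says it leaves out. It assumes a PEM-encoded root CA at the hypothetical path custom-root.pem and a server at the hypothetical address https://internal.example/ whose certificate chains to that root. The callback keeps the machine trust store in play (the root is "extra", as the question asks) and refuses to override a hostname mismatch: without that check, any certificate issued by the custom root would be accepted for any host name.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example; "custom-root.pem" and "https://internal.example/" are placeholders.
public static class CustomRootHttpClient
{
    // Load the root once; the callback runs for every new TLS connection.
    private static readonly X509Certificate2 TrustedRoot =
        X509Certificate2.CreateFromPem(File.ReadAllText("custom-root.pem"));

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler);
    }

    private static bool ValidateServerCertificate(
        HttpRequestMessage request,
        X509Certificate2? certificate,
        X509Chain? chain,
        SslPolicyErrors sslErrors)
    {
        if (certificate is null || chain is null)
            return false;

        // Only the chain (untrusted root) error is ours to override. A name
        // mismatch or a missing certificate must still fail the connection.
        if ((sslErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0 ||
            (sslErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // No errors at all: the machine trust store already accepted the chain.
        if (sslErrors == SslPolicyErrors.None)
            return true;

        // Rebuild the chain against our root instead of the machine store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Clear();
        chain.ChainPolicy.CustomTrustStore.Add(TrustedRoot);

        if (chain.Build(certificate))
            return true;

        // Surface why the chain failed (expired, wrong root, revocation, ...).
        foreach (var status in chain.ChainStatus)
            Console.Error.WriteLine($"chain error: {status.Status}: {status.StatusInformation}");
        return false;
    }

    public static async Task Main()
    {
        using var client = Create();
        var body = await client.GetStringAsync("https://internal.example/");
        Console.WriteLine($"received {body.Length} bytes");
    }
}
```

If the private CA publishes no CRL or OCSP endpoint and the chain policy has revocation checking enabled, Build may fail with a RevocationStatusUnknown status; adjust the policy deliberately for that root rather than returning true unconditionally from the callback.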
