Problem description
I'm having a problem with SslStream.AuthenticateAsClient taking a "long time" (~15s). This is a known issue, and is explained in this MSDN blog post.
It gives two possible solutions:
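In summary, this behavior is by design. We have the following options: 1) Install the root CA certificate locally, so that we don't need to go to the Internet to fetch the list of trusted root CA certificates. 2) Disable the automatic root certificate update feature through GPO, so that we don't go to the Internet anyway.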
I've been told option 2 is not a great idea from a security perspective, so I need to do option 1.
The problem is I have no clue how to get the root CA cert. Once I have it I can probably figure out how to use certutil to install it.
I can break my execution in this function:
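private static bool CertificateValidationCallback(
    object oSender,
    X509Certificate oCertificate,
    X509Chain oChain,
    SslPolicyErrors oSslPolicyErrors)
{
    // Breakpoint here: oChain holds the chain built for the server certificate.
    return oSslPolicyErrors == SslPolicyErrors.None;
}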
So I guess my question is:
How do I obtain a Root CA Certificate? What information do I need to get it? Where do I get this information?
Recommended answer
The Authority Information Access extension of the X509 standard contains location information (URL) of the Root CA Certificate, but it is an optional field.
http://tools.ietf.org/html/rfc5280#section-4.2.2.1
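using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
// certData: byte[] holding the encoded certificate
var cert = new X509Certificate2(certData);
// Select the Authority Information Access extension by its OID.
var authInfoExtnsions = from ext in cert.Extensions.Cast<X509Extension>()
                        where ext.Oid.Value == "1.3.6.1.5.5.7.1.1"
                        select ext;
foreach (var authInfoExtnsion in authInfoExtnsions)
{
    // RawData is DER-encoded ASN.1, printed here as if it were text.
    Console.WriteLine(Encoding.UTF8.GetString(authInfoExtnsion.RawData));
}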
authInfoExtnsion.RawData is a complex ASN.1 structure (for which you can find details in the X509 standard) and this code will not give you the URL of the Root CA Certificate. You need to parse it and get the URL. As I said, Authority Information Access is an optional extension, but if it is present you will notice that the URL of the Root CA Certificate can be read in the console.
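The parsing step the answer leaves open, as an added example that is not part of the original answer: it decodes the extension's RawData with System.Formats.Asn1 (built into .NET 5 and later, assumed available here) and returns only the id-ad-caIssuers URLs. The class name, method names and the sample URLs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;

static class AiaExample
{
    const string CaIssuersOid = "1.3.6.1.5.5.7.48.2"; // id-ad-caIssuers (RFC 5280 4.2.2.1)
    const string OcspOid = "1.3.6.1.5.5.7.48.1";      // id-ad-ocsp
    // GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String.
    static readonly Asn1Tag UriTag = new Asn1Tag(TagClass.ContextSpecific, 6);

    // rawData: X509Extension.RawData of the extension with OID 1.3.6.1.5.5.7.1.1.
    // Malformed DER raises AsnContentException instead of returning partial results.
    public static List<string> CaIssuerUrls(byte[] rawData)
    {
        var urls = new List<string>();
        var outer = new AsnReader(rawData, AsnEncodingRules.DER);
        AsnReader descriptions = outer.ReadSequence(); // SEQUENCE OF AccessDescription
        outer.ThrowIfNotEmpty();                       // reject trailing bytes
        while (descriptions.HasData)
        {
            AsnReader desc = descriptions.ReadSequence();
            string method = desc.ReadObjectIdentifier();
            // Skip OCSP entries and caIssuers locations that are not URIs.
            if (method == CaIssuersOid && desc.PeekTag().HasSameClassAndValue(UriTag))
                urls.Add(desc.ReadCharacterString(UniversalTagNumber.IA5String, UriTag));
        }
        return urls;
    }

    // Constructed sample: one OCSP entry and one caIssuers entry.
    static byte[] BuildSample()
    {
        var w = new AsnWriter(AsnEncodingRules.DER);
        using (w.PushSequence())
        {
            WriteEntry(w, OcspOid, "http://ocsp.example.test");
            WriteEntry(w, CaIssuersOid, "http://ca.example.test/issuer.crt");
        }
        return w.Encode();
    }

    static void WriteEntry(AsnWriter w, string methodOid, string uri)
    {
        using (w.PushSequence())
        {
            w.WriteObjectIdentifier(methodOid);
            w.WriteCharacterString(UniversalTagNumber.IA5String, uri, UriTag);
        }
    }

    static void Main() => CaIssuerUrls(BuildSample()).ForEach(Console.WriteLine);
}
```

Per RFC 5280 the caIssuers location names the certificate of the CA that issued this certificate, which may be an intermediate, and it is usually served over plain HTTP, so compare the downloaded certificate's thumbprint with one obtained from the CA through a separate channel before installing it as a trusted root.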