在服务器应用程序中使用带有 SslStream 和 X509Certificate2 的中间证书

Using intermediate certificates with SslStream and X509Certificate2 in a server app(在服务器应用程序中使用带有 SslStream 和 X509Certificate2 的中间证书)

问题描述

我正在开发一个使用 SslStream 提供其 SSL 套接字的 .Net 服务器应用程序.它适用于某些客户端(例如基于 libcurl 的客户端)，但其他客户端由于缺少中间证书而引发错误.如何将中间证书与 SslStream 或 X509Certificate2 对象关联以使这些客户满意?

I am working on a .Net server application that uses SslStream to provide its SSL sockets. It works with some clients (such as those based on libcurl), but other clients throw errors due to the lack of the intermediate certificate(s). How can I associate the intermediate certificate with the SslStream or X509Certificate2 object to make these clients happy?

这是我现在在接受连接时使用的代码:

Here's the code I'm using now, when accepting the connection:

X509Certificate2 cert = new X509Certificate2("cert.pfx", "");
theSslStream.BeginAuthenticateAsServer(cert, ...);

如果我使用的是 OpenSSL，我会使用 SSL_CTX_add_extra_chain_cert() 来执行此操作.我查看了 X509Chain 对象，但不知道如何使其适合.

If I were using OpenSSL I'd do this with SSL_CTX_add_extra_chain_cert(). I've looked at the X509Chain object but don't see how to make it fit in.

谢谢.

推荐答案

您是否尝试过在您正在使用的 pfx 中包含完整的链(例如，使用 OpenSSL 将它们全部插入)?我没有专门用 SSLStream 尝试过这个，但是 WCF 没有提供包含中间证书的显式方法 - 如果中间证书在源 .pfx 中可用，它只会自动显示完整链.

Have you tried including the full chain in the pfx you're using (eg, use OpenSSL to plug them all in)? I haven't tried this specifically with SSLStream, but WCF doesn't provide an explicit way to include intermediate certs- it just presents the full chain automatically if the intermediate certs are available in the source .pfx.

这篇关于在服务器应用程序中使用带有 SslStream 和 X509Certificate2 的中间证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！