如何将可信CA证书（不是客户端证书）添加到HttpWebRequest？

2 回答

• 5

  尝试设置ServerCertificateValidationCallback以使用它：

  public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
  {
      if (sslPolicyErrors == SslPolicyErrors.None)
      return true;
  
      X509Chain privateChain = new X509Chain();
      privateChain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
  
      X509Certificate2 cert2 = new X509Certificate2(certificate);
      X509Certificate2 signerCert2 = new X509Certificate2(@"C:\MyCACert.PEM");
  
      privateChain.ChainPolicy.ExtraStore.Add(signerCert2);       
      privateChain.Build(cert2);
  
      bool isValid = true;
  
      foreach (X509ChainStatus chainStatus in privateChain.ChainStatus)
      {
          if (chainStatus.Status != X509ChainStatusFlags.NoError)
          {
              isValid = false;
              break;
          }
      }
  
      return isValid;
  }
  

  我没有机会测试这个，所以如果你遇到任何错误请告诉我，如果需要我会修改答案 .

  回复于 2024-04-29T12:14:28+08:00
• 1

  我最终实现的解决方案是编写一个使用自定义验证逻辑实现ICertificatePolicy的类：

  private X509CertificateCollection   _certs;
  private ICertificatePolicy          _defaultPolicy;
  
  public bool CheckValidationResult(ServicePoint svcPoint, X509Certificate cert, WebRequest req, int problem)
  {
      if ((_defaultPolicy != null) && _defaultPolicy.CheckValidationResult(svcPoint, cert, req, problem))
      {
          return true;
      }
  
      foreach (X509Certificate caCert in _certs)
      {
          if (caCert.Equals(cert))
          {
              return true;
          }
      }
  
      return false;
  }
  

  （为简洁起见，省略了错误检查 . ）

  _defaultPolicy 可以设置为ServicePointManager.CertificatePolicy，以允许除自定义证书外还使用默认证书存储 .

  _certs 包含额外的证书 . 它是通过解析PEM文件并调用 _certs.Add(new X509Certificate(Convert.FromBase64String(base64cert))); 生成的

  CertificatePolicy 已被 ServerCertificateValidationCallback 淘汰，但我需要支持旧版本的.NET .

  回复于 2024-04-29T12:14:28+08:00