How to get and install a root CA certificate


Question

I'm having a problem with SslStream.AuthenticateAsClient taking a "long time" (~15s). This is a known issue, and is explained in this MSDN blog post.

It gives two possible solutions:

Summing up, this behavior is by design. Options we have are: 1) Install the root CA cert locally so we don't need to go to the Internet for the list of trusted root CA certs. 2) Disable the Automatic Root Certificates Update feature via GPO so we don't go to the Internet in any case.

I've been told option 2 is not a great idea from a security perspective, so I need to do option 1.

The problem is I have no clue how to get the root CA cert. Once I have it I can probably figure out how to use certutil to install it.

I can break my execution in this function:

// Callback passed to SslStream as the RemoteCertificateValidationCallback.
// The body was empty in the original post; the return below is the usual
// minimal implementation (accept only when the chain built without errors)
// so that the method compiles and can serve as a breakpoint target.
private static bool CertificateValidationCallback(
    object oSender,
    X509Certificate oCertificate,
    X509Chain oChain,
    SslPolicyErrors oSslPolicyErrors)
{
    return oSslPolicyErrors == SslPolicyErrors.None;
}

So I guess my question is:

How do I obtain a Root CA certificate? What information do I need to get it? Where do I get this information?

Answer

The Authority Information Access extension of the X.509 standard contains location information (a URL) for the Root CA certificate, but it is an optional field.

http://tools.ietf.org/html/rfc5280#section-4.2.2.1

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// certData: the encoded certificate bytes, e.g. oCertificate.Export(X509ContentType.Cert)
// from the validation callback above.
var cert = new X509Certificate2(certData);
var authInfoExtnsions = from ext in cert.Extensions.Cast<X509Extension>()
                        where ext.Oid.Value == "1.3.6.1.5.5.7.1.1" // id-pe-authorityInfoAccess
                        select ext;
foreach (var authInfoExtnsion in authInfoExtnsions)
{
    // Dumps the raw DER bytes of the extension as text.
    Console.WriteLine(Encoding.UTF8.GetString(authInfoExtnsion.RawData));
}

authInfoExtnsion.RawData is a complex ASN.1 structure (for which you can find details in the X.509 standard), and this code will not give you the URL of the Root CA certificate. You need to parse it and get the URL. As I said, Authority Information Access is an optional extension, but if it is present you will notice that the URL of the Root CA certificate can be read in the console.
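The parsing step the answer leaves to the reader, as an added example that is not part of the original answer and is not .NET code: a small DER walker for the AIA extension value in Python, run over a sample AIA encoding constructed inline with example.test hostnames (not taken from any real certificate). The dump in the answer shows the URL only because an IA5String is plain ASCII sitting inside the DER; the structure around it is what this code decodes. One caveat from RFC 5280 section 4.2.2.1 to keep in mind: the caIssuers access method points at the certificate of the CA that issued this certificate, i.e. one step up the chain, not necessarily the root, so reaching the root can mean repeating the lookup on each fetched issuer certificate until a self-signed one is found.

```python
"""Extract URLs from an X.509 Authority Information Access (AIA) extension value.

ASN.1 (RFC 5280, section 4.2.2.1) decoded here without an ASN.1 library:
  AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
  AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
                                   accessLocation GeneralName }
  GeneralName ::= CHOICE { ..., uniformResourceIdentifier [6] IA5String, ... }
"""

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GENERALNAME_URI = 0x86  # context-specific [6], primitive (IMPLICIT IA5String)


def read_tlv(data, pos):
    """Read one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER: no tag/length at offset %d" % pos)
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: 1..4 length bytes follow
        num_bytes = first & 0x7F
        if not 1 <= num_bytes <= 4 or pos + num_bytes > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + num_bytes], "big")
        pos += num_bytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER: length runs past end of data")
    return tag, data[pos:end], end


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)          # high bit set: subidentifier continues
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID subidentifier")
    return ".".join(str(a) for a in arcs)


def parse_aia(ext_value):
    """Map accessMethod OID -> [URI, ...] for an AIA extension's DER value.
    GeneralName choices other than URI (directoryName, etc.) are skipped."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("AIA value is not a single SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid_raw, p = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OBJECT IDENTIFIER")
        tag, location, _ = read_tlv(desc, p)
        if tag == TAG_GENERALNAME_URI:
            result.setdefault(decode_oid(oid_raw), []).append(location.decode("ascii"))
    return result


def ca_issuer_urls(ext_value):
    """URLs of the issuing CA's certificate (caIssuers); follow them up the chain."""
    return parse_aia(ext_value).get(ID_AD_CA_ISSUERS, [])


# --- Constructed sample AIA value (example.test hosts, not from a real cert) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _access_description(method, uri):
    return _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid(method))
                + _der(TAG_GENERALNAME_URI, uri.encode("ascii")))


SAMPLE_AIA = _der(TAG_SEQUENCE,
                  _access_description(ID_AD_OCSP, "http://ocsp.example.test")
                  + _access_description(ID_AD_CA_ISSUERS,
                                        "http://pki.example.test/issuer.crt"))

if __name__ == "__main__":
    for method, urls in parse_aia(SAMPLE_AIA).items():
        print(method, urls)
```

In .NET the same walk can be written with the System.Formats.Asn1 reader, and the bytes to feed it are exactly the authInfoExtnsion.RawData from the answer's snippet. Whatever fetches the certificate from the caIssuers URL should treat the download as untrusted input: the fetched certificate is usually served over plain HTTP, so verify that it actually signed the certificate you started from before using it, and only put a certificate into the Root store after confirming it against the CA's published fingerprint rather than because a URL handed it to you.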
