WCF error "The X.509 certificate chain building failed" despite trusted root CA


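Problem description

I'm having this problem:

The X.509 certificate CN=Farm chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.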

What I don't understand is why I'm getting this error, as the certificate I use for my request to the WCF service is added as shown below:

client.ClientCredentials.Peer.PeerAuthentication.CertificateValidationMode =     
    X509CertificateValidationMode.ChainTrust;        
client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySerialNumber,
    "MyCertificatesSerialNumber" );

The certificate itself is a self-signed certificate in the store shown above. When I click on it to show the certification path, no errors are shown (the root certificate is also a self-signed certificate). The root certificate was manually imported into the trusted root certification authorities.

From the error message I would have expected that there was an error in the certification chain with one of my certificates, but there isn't. Any ideas?

Update

I'm using Internet Explorer 9 as my browser to access the webservice. Programmatically I'm using a C# console application.

Recommended answer

I had exactly the same problem - my own trusted root CA which signed another certificate. No errors were shown in the certificate store.

It turned out that having a trusted root CA and a certificate is not sufficient! You also need a certificate revocation list! Take a look at this MSDN Link.

So simply create such a .crl and add it also to the trusted root certificate authorities and everything works fine!

makecert -crl -n "CN=CARoot" -r -sv CARoot.pvk CARoot.crl

or simply turn off the revocation list check:

...RevocationMode = X509RevocationMode.NoCheck;
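
A way to see which chain status is actually behind the failure before picking one of the two fixes above, as an added example that is not part of the original question or answer: it builds the chain for the certificate from the question's store (CurrentUser\My, found by serial number) with revocation checking on and off, using the standard X509Chain API. The class name ChainDiagnostics and the command-line argument are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics   // hypothetical name, not from the original post
{
    // Build the chain under one revocation mode (other policy settings stay at
    // their defaults), print per-certificate status, and return the combined
    // flags. NoError means the chain validated.
    static X509ChainStatusFlags Check(X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        Console.WriteLine("RevocationMode={0}: Build() = {1}", mode, chain.Build(cert));
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("  {0}", element.Certificate.Subject);
            foreach (X509ChainStatus s in element.ChainElementStatus)
                Console.WriteLine("    {0}: {1}", s.Status, (s.StatusInformation ?? "").Trim());
        }
        return chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
    }

    static void Main(string[] args)
    {
        // Placeholder from the question; pass the real serial number as args[0].
        string serial = args.Length > 0 ? args[0] : "MyCertificatesSerialNumber";
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySerialNumber, serial, false);
            if (found.Count == 0) { Console.WriteLine("No certificate with that serial number."); return; }

            X509ChainStatusFlags online = Check(found[0], X509RevocationMode.Online);
            X509ChainStatusFlags noCheck = Check(found[0], X509RevocationMode.NoCheck);
            var revocation = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

            if ((noCheck & X509ChainStatusFlags.UntrustedRoot) != 0)
                Console.WriteLine("Root is not trusted for this account: check which store it was imported into.");
            else if (noCheck == X509ChainStatusFlags.NoError && (online & revocation) != 0)
                Console.WriteLine("Only the revocation check fails: no CRL could be found for the chain.");
            else
                Console.WriteLine("Combined status: online={0}, noCheck={1}", online, noCheck);
        }
        finally { store.Close(); }
    }
}
```

With NoCheck a certificate that its issuer has revoked is still accepted, so that setting fits a test CA better than a production one.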
