WCF error "The X.509 certificate chain building failed" despite trusted root CA
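Problem description
I ran into this problem:
The X.509 certificate CN=Farm chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
What I don't understand is why I'm getting this error, as the certificate I use for my request to the WCF service is added as shown below: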
client.ClientCredentials.Peer.PeerAuthentication.CertificateValidationMode =
    X509CertificateValidationMode.ChainTrust;
client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.CurrentUser,
    StoreName.My,
    X509FindType.FindBySerialNumber,
    "MyCertificatesSerialNumber");
The certificate itself is a self-signed certificate in the store shown above. When I click on it to show the certification path, no errors are shown (the root certificate is also a self-signed certificate). The root certificate was manually imported into the trusted root certification authorities.
From the error message I would have expected that there was an error in the certification chain with one of my certificates, but there isn't. Any ideas?
Update
I'm using Internet Explorer 9 as my browser to access the webservice. Programmatically I'm using a C# console application.
Recommended answer
I had exactly the same problem - my own trusted root CA which signed another certificate. No errors were shown in the certificate store.
It turned out that having a trusted root CA and a certificate is not sufficient! You also need a certificate revocation list! Take a look at this MSDN Link.
So simply create such a .crl and add it also to the trusted root certificate authorities and everything works fine!
makecert -crl -n "CN=CARoot" -r -sv CARoot.pvk CARoot.crl
or simply turn off the revocation list check:
...RevocationMode = X509RevocationMode.NoCheck;
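To see which check is actually failing before adding a CRL or disabling revocation, the chain can be built by hand and each element's status flags printed, so that a revocation failure (RevocationStatusUnknown) can be told apart from an untrusted root (UntrustedRoot). This is an added example, not code from the question or the answer; it assumes .NET 5 or later, the ChainDiagnostics and Describe names are hypothetical, and the CN=CARoot and CN=Farm certificates are constructed in memory for the test.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostics
{
    // Builds the chain for `leaf` with the given revocation mode and
    // returns the Build() result plus one line per chain status flag.
    static string Describe(X509Certificate2 leaf, X509Certificate2 root, X509RevocationMode mode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        // Trust only the constructed root; this stands in for the root CA
        // that was manually imported into the trusted root store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);

        bool ok = chain.Build(leaf);
        string report = $"{mode}: Build() = {ok}";
        foreach (X509ChainElement element in chain.ChainElements)
            foreach (X509ChainStatus status in element.ChainElementStatus)
                report += $"\n  {element.Certificate.Subject}: {status.Status}";
        return report;
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;

        // Constructed test PKI: a self-signed root and one leaf signed by it,
        // neither of which carries a CRL distribution point.
        using var rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=CARoot", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var root = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=Farm", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var leaf = leafReq.Create(root, now.AddHours(-1), now.AddDays(29), new byte[] { 1, 2, 3, 4 });

        // Same certificates, two policies: compare the reported flags.
        Console.WriteLine(Describe(leaf, root, X509RevocationMode.Online));
        Console.WriteLine(Describe(leaf, root, X509RevocationMode.NoCheck));
    }
}
```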