Correct way of loading SSL certificate signed by Intermediate CA in Kestrel .NET Core


Problem description

I am setting up SSL on my Kestrel Linux server using .NET Core 2.1.1.

The SSL certificate is signed by an intermediate CA.

The PFX contains the intermediate and root CA cert.

I load the pfx file as a X509Certificate2 object and use this for the server certificate.

It seems to be that the way I have set this up, the intermediate CA is not sent as part of the handshake and only the leaf is sent (this is very naughty).

using System.Net;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;

// Builds the web host; Kestrel listens for HTTPS on port 443 using the PFX file.
public static IWebHost BuildWebHost(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        .UseStartup<Startup>()
        .UseKestrel(options =>
        {
            options.Listen(IPAddress.Any, 443, listenOptions =>
            {
                // The PFX (leaf + intermediate + root) is loaded as the server certificate.
                listenOptions.UseHttps("ssl.pfx", "password123");
            });
        })
        .Build();

So I execute this command and it shows only the leaf but not the intermediate:

openssl s_client -showcerts -connect myserver:443

I expect it to include the intermediate ca and leaf as one would expect like this:

openssl s_client -showcerts -connect google.com:443

Recommended answer

I have encountered this very recently and found that the server (Debian in this case) hosting the web service required explicit trust in the intermediate cert in addition to the root cert. Without this, it would only send the subject cert, but when I added the intermediate directly to the trust, it started working correctly.
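An added diagnostic (example code, not from the question or the answer) that loads the same PFX and builds the leaf's chain twice: once with the intermediates bundled in the PFX as extra candidates, once relying only on the host's trust store. The PFX path and password are the ones from the question; a PartialChain status in the second build shows the host is missing the intermediate, which is the condition the answer fixed by adding it to the trust store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of the original post. Uses the PFX path and
// password from the question; adjust both for your own deployment.
static class ChainCheck
{
    const string PfxPath = "ssl.pfx";         // from the question
    const string PfxPassword = "password123"; // from the question

    static void Main()
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(PfxPath, PfxPassword, X509KeyStorageFlags.DefaultKeySet);

        // The leaf is the one certificate in the bundle that carries the private key.
        X509Certificate2 leaf = bundle.Cast<X509Certificate2>().First(c => c.HasPrivateKey);
        Console.WriteLine($"Leaf: {leaf.Subject}");
        Console.WriteLine($"Certificates bundled in PFX: {bundle.Count}");

        // First build: the bundled intermediate/root may be used to complete the chain.
        BuildAndReport(leaf, bundle, "with PFX intermediates");
        // Second build: only what the OS trust store knows, as observed in the answer.
        BuildAndReport(leaf, null, "OS trust store only");
    }

    static bool BuildAndReport(X509Certificate2 leaf, X509Certificate2Collection extra, string label)
    {
        using (var chain = new X509Chain())
        {
            // Revocation is irrelevant to the chain-completeness question asked here.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (extra != null)
                chain.ChainPolicy.ExtraStore.AddRange(extra);

            bool ok = chain.Build(leaf);
            Console.WriteLine($"[{label}] chain built: {ok}, elements: {chain.ChainElements.Count}");
            foreach (X509ChainElement el in chain.ChainElements)
                Console.WriteLine($"  {el.Certificate.Subject}");
            foreach (X509ChainStatus st in chain.ChainStatus)
                Console.WriteLine($"  status: {st.Status} {st.StatusInformation}".TrimEnd());
            return ok;
        }
    }
}
```

Compare the printed element lists with the output of the openssl s_client command from the question: only certificates the host can chain on its own end up in the handshake, so a failing second build is the thing to fix on the server.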
