Do we always need a root certificate installed on the machine?


Question

I am using a smart card to authenticate the user. I have an authentication service (SecurityTokenService) which handles the authentication logic on the server.

I am using X509Certificate2.Verify() (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.verify.aspx) to validate the certificate. Since this API can check whether the certificate is valid/revoked by going online and contacting the Certification Authority (CA), do I need the root certificate on the server?

Can we avoid having the root certificate on the local machine? Or is the root certificate always mandatory?

Answer

I tried a few things and here are the observations:

  1. First of all, X509Certificate2.Verify() does not check whether all the certificates in the chain are revoked. From this post (http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/0bdea687-7b5a-493b-b46a-87f8df5049a4) I came to know that the Verify method internally uses the Crypt32 CertVerifyCertificateChainPolicy function. The documentation for it says that it does not perform certificate revocation checking. In short, the Verify method just checks whether the certificate on which it is called is revoked or not.

Regarding the root certificate:

  • If you are using X509Certificate2.Verify() and the root certificate is absent, then the method will outright return false. So with this method the root certificate is absolutely required.
  • If you are using X509Chain to build the trust chain, then you can decide whether to exclude the root certificate from revocation checking (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509revocationflag.aspx) and whether to go online or offline to verify the revocation status of the certificates (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509revocationmode.aspx).
  • However, whether you go online or not, and whether you exclude the root certificate or not, you get the PartialChain value (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chainstatusflags%28v=vs.100%29.aspx) in the ChainStatus (http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chainstatus.status%28v=vs.90%29.aspx) if the root certificate is missing. So to build the full trust chain, you need the root certificate on your machine.

Hope this helps someone who wants to know a little more about certificate validation in C#.
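The following program is an added example, not code from the original question or answer. It puts the observations above side by side: Verify() returns only a bool, while an explicit X509Chain build exposes the ChainStatus flags (PartialChain when the issuing or root certificate cannot be found, UntrustedRoot when the chain ends in a root the machine does not trust, RevocationStatusUnknown when the CRL/OCSP source is unreachable). The revocation mode and flag are set the way the answer describes. The certificate file paths are assumptions, and the optional CustomTrustStore branch assumes .NET Core 3.0 / .NET 5 or later; it shows that the root can be supplied from code instead of the machine store, but it still has to be available somewhere, which is exactly the answer's point.

```csharp
// Added example (not from the original post): X509Certificate2.Verify() versus an
// explicit X509Chain build, reporting why a chain fails instead of just that it fails.
// File paths and the CustomTrustStore usage are assumptions for illustration.
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Builds the chain for 'leaf' with the given revocation settings and prints each
    // X509ChainStatus entry. Returns true only when the build succeeds and no flag is set.
    static bool BuildAndReport(X509Certificate2 leaf,
                               X509RevocationMode mode,
                               X509RevocationFlag flag,
                               X509Certificate2? trustedRoot = null)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;   // Online, Offline or NoCheck
        chain.ChainPolicy.RevocationFlag = flag;   // ExcludeRoot, EntireChain or EndCertificateOnly
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (trustedRoot != null)
        {
            // .NET Core 3.0+ / .NET 5+ only (assumption: not available on .NET Framework).
            // The root is trusted from code rather than from the machine store; it must
            // still be present, only its source changes.
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        }

        bool ok = chain.Build(leaf);
        Console.WriteLine($"Build({mode}, {flag}) => {ok}, elements: {chain.ChainElements.Count}");

        X509ChainStatusFlags all = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            all |= s.Status;
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        }

        // The situations the answer describes, made explicit for the operator.
        if ((all & X509ChainStatusFlags.PartialChain) != 0)
            Console.WriteLine("  -> chain incomplete: an issuing or root certificate is not available");
        if ((all & X509ChainStatusFlags.UntrustedRoot) != 0)
            Console.WriteLine("  -> chain ends in a self-signed root that this machine does not trust");
        if ((all & X509ChainStatusFlags.RevocationStatusUnknown) != 0)
            Console.WriteLine("  -> revocation source unreachable: treat as a failure, not a pass");

        return ok && all == X509ChainStatusFlags.NoError;
    }

    static void Main(string[] args)
    {
        // Assumed inputs: args[0] is the smart-card (end-entity) certificate in DER/PEM,
        // args[1] optionally the CA root certificate to trust from code.
        using var leaf = new X509Certificate2(args[0]);
        X509Certificate2? root = args.Length > 1 ? new X509Certificate2(args[1]) : null;

        // 1. Verify() gives a yes/no answer and is false whenever the root is absent.
        Console.WriteLine($"Verify() => {leaf.Verify()}");

        // 2. Chain build, online revocation, root exempt from the revocation check
        //    (a self-signed root has no CRL of its own).
        BuildAndReport(leaf, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot);

        // 3. Same build with revocation checking disabled: PartialChain is still reported
        //    when the root is missing, because chain building and revocation are separate steps.
        BuildAndReport(leaf, X509RevocationMode.NoCheck, X509RevocationFlag.ExcludeRoot);

        // 4. Root supplied from a file instead of the machine store (newer .NET only).
        if (root != null)
            BuildAndReport(leaf, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot, root);
    }
}
```

Run it once with only the leaf certificate on a machine where the CA root is not installed, then again after installing the root (or passing it as the second argument): the first run shows Verify() false and PartialChain or UntrustedRoot in the status list regardless of the revocation settings, the second run shows the full element count and, when the CA's CRL or OCSP endpoint is reachable, an empty status list.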

