如何验证证书？ [英] How to validate a certificate?

问题描述

我刚开始一个项目，由我将需要连接，使用FTPS，到第三方服务器。他们向我们提供他们的证书，我没有它，所以我要创造我们自己的开发环境开始。我现在用的是亚历克斯FTPS客户端作为我的出发点（ http://ftps.codeplex.com/ ）。 ..但我也愿意使用WinSCP赋予为不同的客户端

我的问题（S）下面是 - ？我怎么验证在.net证书

步骤完成到目前为止

1. 安装并配置的FileZilla服务器




2. 创建使用FileZilla的自签名证书

3。在亚历FTPS客户，他们有一个回调与此签名

 私有静态布尔ValidateTestServerCertificate（
对象发件人，
 X509证书证书，
 X509Chain链，
 sslPolicyErrors sslPolicyErrors）
 {
 //发生的事情吗？ 
} 
  

我的（各种问题）是：

1. 什么是假设的方法去吗？




2. 我只有适度的理解证书。是FileZilla的自我生成的证书，甚至X509证书？我必须承认，我不知道不同类型的证书格式。




3. 我写什么类型的代码？当我在WCF或HTTP使用SSL，水暖很多对我来说已经处理。这难道不是对FTPS的情况？比如我会导入或使用MMC管理单元控制台在Windows中安装证书。




4. 如果我不落实亚历FTPS回调方法，我得到消息：
   

感谢你的任何远程证书按验证程序无效提示和指针

解决方案

啧啧，没有答案...所以我会回答我的问题，它可能成为别人的帮助。
这里是我的脚步，不知道是否是需要每个人，但是这是我落得这样做。

1）安装的FileZilla服务器

• 用它来创建自己的自签名证书


• 菜单：设置| SSL / TSL设置|生成新的证书


• 在适当的值输入


• 确保我有共同的名字=服务器地址是正确的。


• 这个生成与在.CRT
  分机/格式私钥的证书

2）由于我是在Windows我发现我无法安装证书存储此证书，所以额外的步骤是，我需要先转换

• 下载的OpenSSL http://www.openssl.org/related/binaries.html
  使用命令行其转换为.PFX格式


• OpenSSL的PKCS12 -export退房手续mycert.pfx -inkey myFileZilla.crt -in
  myFileZilla.crt

3）启动Windows MMC管理单元控制台

• 安装该证书导入计算机帐户，受信任的根
  证书颁发机构存储

4）在我的代码（FTPS图书馆，这种情况下，亚历克斯FTPS
我的连接看起来是这样的：

  VAR证书=新的NetworkCredential（用户名，密码）; 
字符串消息= _client.Connect（主机名，端口，证书，
 ESSLSupportMode.Implicit，
空，//新RemoteCertificateValidationCallback（ValidateTestServerCertificate），
 NULL，0，0，0 ， 空值）; 
  

在.NET / Windows基础架构的管道处理所有的验证我已

5），但是，如果你想自定义验证，或者如果你不想安装在Windows应用商店证书，你可以在这里使用此示例代码：
的 http://msdn.microsoft.com/en-us/library /office/dd633677%28v=exchg.80%29.aspx

 私有静态布尔ValidateTestServerCertificate（对象发件人， X509证书证书，X509Chain链，SslPolicyErrors sslPolicyErrors）
 {
 //如果证书是有效的，签署的证书，返回true。 
如果（sslPolicyErrors == System.Net.Security.SslPolicyErrors.None）
 {
返回真; 
} 
 
 //如果有证书链中的错误，看看每个错误以确定原因。 
如果（（sslPolicyErrors&放大器;！System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors）= 0）
 {
如果（链=空&放大器;！&放大器;！chain.ChainStatus =空） 
 {
的foreach（在chain.ChainStatus System.Security.Cryptography.X509Certificates.X509ChainStatus状态）
 {
如果（（certificate.Subject == certificate.Issuer）及和放大器; 
（status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot））
 {
 //与不受信任的根自签名证书的有效期。 
继续; 
} 
，否则
 {
如果（status.Status！= System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError）
 {
 //如果有证书链任何其他错误，该证书是无效的，
 //因此该方法返回false。 
返回FALSE; 
} 
} 
} 
} 
 
 //当处理到达这条线，在证书链中的唯一错误是
 //不受信任的根错误自签名的证书。这些证书的有效期
 //为默认的Exchange服务器安装，因此返回true。 
返回真; 
} 
，否则
 {
 //在其他情况下，返回false。 
返回FALSE; 
} 
} 
  

希望帮助的人。

I am just starting a project where by I will need to connect, using FTPS, to a 3rd party server. They are to provide us with their certificate I don't have it yet, so I am going to create our own development environment to get started. I am using the Alex FTPS Client as my starting point (http://ftps.codeplex.com/)... but am also open to using WinSCP as a different client.

My question(s) below is - how do I validate a certificate in .Net?

Steps Done So Far

1. Installed and configured FileZilla Server

2. created a self signed certificate using FileZilla

3. In the Alex FTPS Client, they have a callback with this signature

private static bool ValidateTestServerCertificate(
    object sender, 
    X509Certificate certificate, 
    X509Chain chain, 
    SslPolicyErrors sslPolicyErrors)
{
    // what goes here?
}

My (Various Questions) are:

1. What is suppose to go in the method?

2. I only have a modest understanding of certificates. Is the FileZilla self generated certificate even an X509 certificate? I must admit, I do not know the different types of certificate formats.

3. What type of code do I write? When I use SSL in WCF or HTTP, alot of the plumbing was handled for me already. Is this not the case for FTPS? i.e. I would import or install a certificate using MMC snap-in Console in Windows.

4. If I don't implement the Callback method in Alex FTPS, I get the message: "The remote certificate is invalid according to the validation procedure"

Thank you for any tips and pointers

解决方案

Gee, no answers... so I will answer my own question and it might be helpful for others. Here are my steps, not sure if everyone is needed, but this is what I ended up doing.

1) Installed FileZilla Server

• Used it to create its own self-signed certificate
• menu: Settings | SSL/TSL Settings | Generate New Certificate
• enter in the appropriate values
• ensuring I had the common name = server address correct.
• this generated a certificate with private key in the .crt extension/format

2) As I was on Windows, I found I couldn't install this certificate in the certificate store, so the extra step was I needed to convert it first

• downloaded OpenSSL http://www.openssl.org/related/binaries.html use command line to convert it to the .pfx format
• openssl pkcs12 -export -out mycert.pfx -inkey myFileZilla.crt -in myFileZilla.crt

3) Launch windows MMC Snap-in Console

• install the certificate into the Computer Account, Trusted Root Certification Authorities store

4) In my code (in FTPS library, in this case Alex FTPS My connection looks like this:

var credential = new NetworkCredential(username, password);
string message = _client.Connect(hostname, port, credential, 
    ESSLSupportMode.Implicit,
    null, // new RemoteCertificateValidationCallback(ValidateTestServerCertificate), 
    null, 0, 0, 0, null); 

The .net/Windows infrastructure plumbing handles all validation for me already

5) But if you wanted custom validation, or if you didn't want to install the certificate in the windows store, you can use this sample code here: http://msdn.microsoft.com/en-us/library/office/dd633677%28v=exchg.80%29.aspx

private static bool ValidateTestServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
      // If the certificate is a valid, signed certificate, return true.
      if (sslPolicyErrors == System.Net.Security.SslPolicyErrors.None)
      {
        return true;
      }

      // If there are errors in the certificate chain, look at each error to determine the cause.
      if ((sslPolicyErrors & System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors) != 0)
      {
        if (chain != null && chain.ChainStatus != null)
        {
          foreach (System.Security.Cryptography.X509Certificates.X509ChainStatus status in chain.ChainStatus)
          {
            if ((certificate.Subject == certificate.Issuer) &&
               (status.Status == System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.UntrustedRoot))
            {
              // Self-signed certificates with an untrusted root are valid. 
              continue;
            }
            else
            {
              if (status.Status != System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.NoError)
              {
                // If there are any other errors in the certificate chain, the certificate is invalid,
             // so the method returns false.
                return false;
              }
            }
          }
        }

        // When processing reaches this line, the only errors in the certificate chain are 
    // untrusted root errors for self-signed certificates. These certificates are valid
    // for default Exchange server installations, so return true.
        return true;
      }
      else
      {
     // In all other cases, return false.
        return false;
      }
    }

Hope that helps people.

这篇关于如何验证证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！