system.security.cryptography.x509证书无法验证
system.security.cryptography.x509certificates can not verify
面临一个非常奇怪的问题 X509Certificate2.Verify() return 为有效证书设置错误。也许有些人以前已经遇到过这种奇怪的情况,并且可以对此有所了解。
我正在使用 makecert 生成用于测试目的的客户端证书,它工作正常并且我可以读取证书....但是验证功能总是 return错误的 ,
我在 cmd 上写这个:
makecert -r -pe -n "client1" -b 01/01/2005 -e 01/01/2020 -sky exchange -ss certifcat
当我写 :
X509Certificate2 x509_2 = LoadCertificate(StoreLocation.CurrentUser, "client1");
Console.WriteLine("Verify " + x509_2.Verify()); // the output : false
任何人都可以帮忙吗?
编辑:
certutil -verify D:\test.cer :
的输出
Issuer:
CN=WWW.AGGREGATEDINTELLIGENCE.COM
Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Subject:
CN=WWW.AGGREGATEDINTELLIGENCE.COM
Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Cert Serial Number: 8aa4007cd7a02e8045301ccb11369bb2
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=109 dwErrorStatus=20
Issuer: CN=WWW.AGGREGATEDINTELLIGENCE.COM
NotBefore: 1/1/2005 12:00 AM
NotAfter: 1/1/2020 12:00 AM
Subject: CN=WWW.AGGREGATEDINTELLIGENCE.COM
Serial: 8aa4007cd7a02e8045301ccb11369bb2
Cert: c6388297376cfde5742b3bd2a217ba1c728bc005
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: c6388297376cfde5742b3bd2a217ba1c728bc005
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
有两点需要考虑:
停止使用 deprecated makecert.exe。相反,您应该考虑使用 New-SelfSignedCertificate PowerShell cmdlet 生成测试证书。
问题是证书不是由受信任的机构颁发的。您必须将证书副本安装到 LocalMachine\Root 商店。
面临一个非常奇怪的问题 X509Certificate2.Verify() return 为有效证书设置错误。也许有些人以前已经遇到过这种奇怪的情况,并且可以对此有所了解。
我正在使用 makecert 生成用于测试目的的客户端证书,它工作正常并且我可以读取证书....但是验证功能总是 return错误的 , 我在 cmd 上写这个:
makecert -r -pe -n "client1" -b 01/01/2005 -e 01/01/2020 -sky exchange -ss certifcat
当我写 :
X509Certificate2 x509_2 = LoadCertificate(StoreLocation.CurrentUser, "client1");
Console.WriteLine("Verify " + x509_2.Verify()); // the output : false
任何人都可以帮忙吗?
编辑: certutil -verify D:\test.cer :
的输出Issuer:
CN=WWW.AGGREGATEDINTELLIGENCE.COM
Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Subject:
CN=WWW.AGGREGATEDINTELLIGENCE.COM
Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Cert Serial Number: 8aa4007cd7a02e8045301ccb11369bb2
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
CertContext[0][0]: dwInfoStatus=109 dwErrorStatus=20
Issuer: CN=WWW.AGGREGATEDINTELLIGENCE.COM
NotBefore: 1/1/2005 12:00 AM
NotAfter: 1/1/2020 12:00 AM
Subject: CN=WWW.AGGREGATEDINTELLIGENCE.COM
Serial: 8aa4007cd7a02e8045301ccb11369bb2
Cert: c6388297376cfde5742b3bd2a217ba1c728bc005
Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: c6388297376cfde5742b3bd2a217ba1c728bc005
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
有两点需要考虑:
停止使用 deprecated
makecert.exe。相反,您应该考虑使用New-SelfSignedCertificatePowerShell cmdlet 生成测试证书。问题是证书不是由受信任的机构颁发的。您必须将证书副本安装到
LocalMachine\Root商店。