I am working on a .Net server application that uses SslStream to provide its SSL sockets. It works with some clients (such as those based on libcurl), but other clients throw errors due to the lack of the intermediate certificate(s). How can I associate the int开发者_如何学Cermediate certificate with the SslStream or X509Certificate2 object to make these clients happy?
Here's the code I'm using now, when accepting the connection:
X509Certificate2 cert = new X509Certificate2("cert.pfx", "");
theSslStream.BeginAuthenticateAsServer(cert, ...);
If I were using OpenSSL I'd do this with SSL_CTX_add_extra_chain_cert()
. I've looked at the X509Chain object but don't see how to make it fit in.
Thanks.
Have you tried including the full chain in the pfx you're using (eg, use OpenSSL to plug them all in)? I haven't tried this specifically with SSLStream, but WCF doesn't provide an explicit way to include intermediate certs- it just presents the full chain automatically if the intermediate certs are available in the source .pfx.
Including the Intermediate certificates in the .pfx file is the solution. You can verify that all the correct Intermediate certificates are installed at http://www.sslshopper.com/ssl-checker.html
精彩评论