SslStream on a TCP server fails to validate the client certificate with RemoteCertificateNotAvailable
This question is all about solving a SslPolicyError.RemoteCertificateNotAvailable error.
I have developed a TCP Server with SSLStream and a TCP Client for the other end.
I authenticate the server with: sslStream.BeginAuthenticateAsServer
I authenticate the client with: sslStream.BeginAuthenticateAsClient
I am loading my client certificate from Trusted Publishers - Local Machine.
Both are running on the same machine.
I tried loading the client certificate from the .cer and .pfx files rather than the Trusted Publishers store. But the server's client (remote) certificate validator callback fails by finding that SslPolicyErrors has a RemoteCertificateNotAvailable error.
Comments (1)
The link didn't come through, but there's a problem I can spot with the statement:
"I loaded my client certificate from Trusted Publishers"
Client certificates (i.e. those including Client Authentication in their Enhanced Key Usage field) typically live in the Personal store for a user account. You always need a private key for a certificate in order to "be" the entity from that certificate.
Same with Server certificates (which have a different Intended Purpose OID associated with them, though - Server Authentication). It'd be odd for you to have a cert with a private key available in the Trusted Publishers store, I think.
If you double-click a client or server certificate in CertMgr.msc, you should see a "This certificate has a private key"-type message towards the bottom.
If you don't, you only have half a key pair - signatures and authentication require the private key. (The server cert needs a private key at the server end, and the client cert needs a private key at the client end.)
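As an added example (not the poster's code, nor the answer's), both sides of the handshake with the checks the answer describes: the client loads its certificate from the Personal store and refuses one that has no private key, and the server's validation callback treats RemoteCertificateNotAvailable as a failure. It goes one step past the answer in that the server passes clientCertificateRequired: true, because SslStream never asks the client for a certificate otherwise. The subject name, the TcpClient plumbing and the TLS version are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class MutualTlsChecks
{
    // Client side: load the client certificate from the current user's Personal store (assumed location).
    static X509Certificate2 LoadClientCertificate(string subjectName)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException($"No certificate '{subjectName}' in the Personal store");
        if (!found[0].HasPrivateKey) // only half a key pair: the client cannot prove it is this entity
            throw new InvalidOperationException($"Certificate '{subjectName}' has no private key");
        return found[0];
    }

    static SslStream ConnectClient(TcpClient tcp, string targetHost, X509Certificate2 clientCert)
    {
        var ssl = new SslStream(tcp.GetStream(), false, (s, cert, chain, errors) => errors == SslPolicyErrors.None);
        // The client only sends this certificate if the server requests one during the handshake.
        ssl.AuthenticateAsClient(targetHost, new X509CertificateCollection { clientCert },
                                 SslProtocols.Tls12, checkCertificateRevocation: true);
        return ssl;
    }

    // Server side: a missing client certificate is a hard failure, not something to wave through.
    static bool ValidateClient(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        return errors == SslPolicyErrors.None;
    }

    static SslStream AcceptServer(TcpClient accepted, X509Certificate2 serverCert)
    {
        var ssl = new SslStream(accepted.GetStream(), false, ValidateClient);
        // clientCertificateRequired: true is what makes SslStream ask the client for a certificate;
        // without it the server never requests one, so ValidateClient can never see a client certificate.
        ssl.AuthenticateAsServer(serverCert, clientCertificateRequired: true,
                                 SslProtocols.Tls12, checkCertificateRevocation: true);
        return ssl;
    }
}
```

With the poster's setup, LoadClientCertificate throws on a certificate taken from Trusted Publishers without its private key, and AcceptServer rejects the session rather than opening it when the client presents nothing.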