吊销客户端 X509 证书
我在 Windows Server 2003 上有 ASP.NET Web 服务。我有自己的证书颁发机构。我在网络服务中使用自己的客户端证书进行身份验证。 我制作客户证书。我调用网络服务,一切正常。然后我在认证机构撤销了这个证书。证书位于已吊销证书中。 我使用此证书调用 Web 服务,但 Web 服务验证此证书良好,但此证书已被撤销。我不知道为什么?有人可以帮帮我吗?
我在验证证书时使用此方法。
X509Certificate2.Verify 方法
我没有遇到任何异常,证书已被撤销,但 Web 服务验证此证书是否良好。
致克劳斯比斯科夫: 谢谢。所以我尝试这样做:
public void CreateUser(X509Certificate2 cert)
{
ServicePointManager.UseNagleAlgorithm = true;
ServicePointManager.Expect100Continue = true;
ServicePointManager.CheckCertificateRevocationList = true;
ServicePointManager.DefaultConnectionLimit = ServicePointManager.DefaultPersistentConnectionLimit;
if (VefiryCert(cert))
{
//...
}
}
但是吊销的证书仍然验证良好
I have ASP.NET web service on windows server 2003. I have own certificate authority. I use own client certificate on authentification in web service.
I make client certificate. I call web service, everything is ok. Then I revoke this certificate in certification authority. Certificate is in Revoked certificate.
I call web service with this certificate, but web service verify this certificate as good, but this certificate is between revoked. I don't know why? Anybody help me please?
I use this method on verify certificate.
X509Certificate2.Verify Method
I don't get any exception, certificate is between revoked, but web service verify this certificate as good.
to klausbyskov:
Thank you. So I try this :
public void CreateUser(X509Certificate2 cert)
{
ServicePointManager.UseNagleAlgorithm = true;
ServicePointManager.Expect100Continue = true;
ServicePointManager.CheckCertificateRevocationList = true;
ServicePointManager.DefaultConnectionLimit = ServicePointManager.DefaultPersistentConnectionLimit;
if (VefiryCert(cert))
{
//...
}
}
But the revoked certificate is still verify as good
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
尝试设置 的
CheckCertificateReplicationList属性在调用Verify()之前,将ServicePointManager类设置为true。Try setting the
CheckCertificateRevocationListproperty of theServicePointManagerclass totruebefore callingVerify().尝试在应用程序配置文件中设置它:
也许这有帮助..
Try setting it in applications config file:
Maybe that helps..
验证基于多种因素。
证书是否具有证书吊销列表分发点 (CDP) 扩展并且 CRL 是否可访问? (https://www.rfc-editor.org/rfc/rfc5280 #section-4.2.1.13)
注意:CRL 已被缓存!
几乎没有任何延迟地检查有效性的唯一方法是询问 CA 本身。但我不会认为这是一个选择。
对于您想要实现的目标,已经引入了在线响应器协议(http://www.ietf .org/rfc/rfc2560.txt)。
该证书是否具有 AIA OCSP 扩展并且您是否设置了 OCSP 响应程序? OCSP 的触发/间隔是什么(因为它的数据也是 CRL)?
Validation is based on various factors.
Does the certificate have Certificate Revocation List Distribution Point (CDP) Extensions and is the CRL accessible? (https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.13)
NOTE: CRLs are cached!
The only way to check the validity without almost any delay would be asking the CA itself. But I wouldn't consider this as an option.
For what you are trying to achieve the online responder protocol has been introduced (http://www.ietf.org/rfc/rfc2560.txt).
Does the certificate have an AIA OCSP Extension and do you have an OCSP Responder set up? What are the triggers/intervals of OCSP (as its data is also a CRL)?