我一直在使用System.Security.Cryptography.X509Certificates.X509Store一段时间来枚举机器上的所有TLS证书(在代码中验证重定向到SSL是否有效并在证书丢失时发出警告)。我有以下列表功能,可以帮助我诊断问题,就像我现在所遇到的那样,但我似乎找不到我需要的数据:
System.Security.Cryptography.X509Certificates.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(System.Security.Cryptography.X509Certificates.StoreLocation.LocalMachine);
store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadOnly);
DateTime utcNow = DateTime.UtcNow;
foreach (System.Security.Cryptography.X509Certificates.X509Certificate2 mCert in store.Certificates)
{
writer.WriteStartElement("certificate");
writer.WriteAttributeString("friendlyName", mCert.FriendlyName);
writer.WriteAttributeString("subjectName", mCert.SubjectName.Name);
writer.WriteAttributeString("subject", mCert.Subject);
writer.WriteAttributeString("simpleName", mCert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.SimpleName, false));
writer.WriteAttributeString("dnsName", mCert.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.DnsName, false));
writer.WriteAttributeString("certhash", mCert.GetCertHashString());
writer.WriteAttributeString("effectivedate", mCert.GetEffectiveDateString());
writer.WriteAttributeString("expirationdate", mCert.GetExpirationDateString());
writer.WriteAttributeString("format", mCert.GetFormat());
writer.WriteAttributeString("keyalgorithm", mCert.GetKeyAlgorithm());
writer.WriteAttributeString("publickey", mCert.GetPublicKeyString());
writer.WriteAttributeString("serialnumber", mCert.SerialNumber);
writer.WriteAttributeString("hasprivatekey", XmlConvert.ToString(mCert.HasPrivateKey));
writer.WriteAttributeString("issuer", mCert.Issuer);
// NOTE: X509Certificate2 as provided by .NET uses local datetimes, so we need to convert them to the sane choice of UTC here
writer.WriteAttributeString("notafterutc", XmlConvert.ToString(mCert.NotAfter.ToUniversalTime(), XmlDateTimeSerializationMode.Utc));
writer.WriteAttributeString("notbeforeutc", XmlConvert.ToString(mCert.NotBefore.ToUniversalTime(), XmlDateTimeSerializationMode.Utc));
writer.WriteAttributeString("validnow", XmlConvert.ToString(mCert.NotBefore.ToUniversalTime() < utcNow && utcNow < mCert.NotAfter.ToUniversalTime()));
writer.WriteAttributeString("timeuntilexpiration", XmlConvert.ToString(mCert.NotAfter.ToUniversalTime() - utcNow));
writer.WriteAttributeString("thumbprint", mCert.Thumbprint);
writer.WriteAttributeString("version", mCert.Version.ToString());
writer.WriteEndElement(); // certificate
}
writer.WriteEndElement(); // certificates
writer.WriteEndResponse();
由于希望在同一IP地址上支持新的替代主机名,我们最近切换到使用具有多个主机的UCC证书。不幸的是,上面的代码似乎无法看到证书“主题备用名称”字段中指定的任何备用主机名(一个UCC证书用于指定多个主机),而我找不到使我能够访问此数据的属性或函数。
简而言之,有没有人知道如何使用C#从本地安装的证书的“主题备用名称”字段中获取受支持的主机名列表?
答案 0 :(得分:3)
不是单独的列表,而是单个列表 - 只需找到主题备用名称扩展名并调用.Format(bool multiLine)方法:
var sanNames = String.Empty;
foreach (var ext in mCert.Extensions) {
if (ext.Oid.Value == "2.5.29.17") {
sanNames = ext.Format(false);
}
}
if (!String.IsNullOrEmpty(sanNames)) {// write sanNames variable to XML}
System.Security.Cryptography.X509Certificates.X509Extension uccSan = mCert.Extensions["2.5.29.17"];
if (uccSan != null)
{
foreach (string nvp in uccSan.Format(true).Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries))
{
writer.WriteStartElement("alternateName");
string[] parts = nvp.Split('=');
string name = parts[0];
string value = (parts.Length > 0) ? parts[1] : null;
writer.WriteAttributeString("type", name);
writer.WriteAttributeString("value", value);
writer.WriteEndElement(); // alternateName
}
}