X509Certificate2Collection.Find() method, using FindByTimeValid criteria, not working

Ped*_*par 3 .net c# certificate x509certificate2

I am using the following code to get only the valid (by time) certificates on the machine:

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
var storeCol = store.Certificates;
store.Close();

var notExpiredCol = storeCol.Find(X509FindType.FindByTimeValid, DateTime.Now, true);

On my machine it's working perfectly. But on another machine with the same configuration (Windows 10, Visual Studio Community 2017 and exactly the same certificate installed), it returns nothing.

The original collection from the store, without filters, has the certificate. If we look at the certificates under Internet Explorer, the certificate is there. If we look under MMC with Certificates snap-in, the certificate is there. We tried installing the certificate under Current User and Local Machine, the code is getting the certificates collection from Current User.

I've just tried using the FindByTimeExpired and FindByTimeNotYetValid criteria, with the same result: both return an empty collection:

var expiredCol = storeCol.Find(X509FindType.FindByTimeExpired, DateTime.Now, true);
var notYetValidCol = storeCol.Find(X509FindType.FindByTimeNotYetValid, DateTime.Now, true);

Does anyone have any idea what's going on or what we could check to resolve the issue?

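By the way, what exactly does the validOnly parameter of the X509Certificate2Collection.Find() method do? If I use the value false for it, the method returns the certificates in the collection.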

Ped*_*par 6

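@Kirk Larkin solved the problem in his comment.

Setting the validOnly parameter to true causes the X509Certificate2Collection.Find() method to call the X509Certificate2.Verify() method on any certificate found (I just don't know why the documentation doesn't mention that little peculiarity, though), and that method performs X.509 chain validation.

On that machine, one of the trusted root certification authorities in the certificate chain was not installed, so the certificate was considered untrusted. We have installed the missing chain certificate and now it works fine.

So, in our case it's better not to use the validOnly parameter set to true.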
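
The behaviour described in this answer can be reproduced and diagnosed offline with the following added example, which is not code from the original post. It assumes a runtime that provides CertificateRequest (.NET Framework 4.7.2 or later, or .NET Core 2.0 or later); the class name and the "CN=constructed-example" subject are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TimeValidDemo
{
    // Constructed sample: a self-signed certificate that is inside its validity
    // period but chains to no trusted root, like the certificate in the question.
    static X509Certificate2 MakeUntrustedCert()
    {
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-example", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return req.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1),
                                        DateTimeOffset.Now.AddDays(30));
        }
    }

    static void Main()
    {
        var col = new X509Certificate2Collection(MakeUntrustedCert());

        // validOnly: true keeps a certificate only if its chain also verifies.
        var strict = col.Find(X509FindType.FindByTimeValid, DateTime.Now, true);
        // validOnly: false applies only the NotBefore/NotAfter comparison.
        var timeOnly = col.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
        Console.WriteLine($"validOnly=true: {strict.Count}, validOnly=false: {timeOnly.Count}");

        // Ask the chain engine why each time-valid certificate fails verification.
        foreach (X509Certificate2 cert in timeOnly)
        {
            using (var chain = new X509Chain())
            {
                // No revocation lookups, so the check runs without network access.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                bool ok = chain.Build(cert);
                Console.WriteLine($"{cert.Subject}: chain ok = {ok}");
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
            }
        }
    }
}
```

Running the same chain loop against the certificates from the real store on the failing machine lists the chain status flags that explain why the validOnly filter rejects them.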