Closed pepone closed 3 months ago
Unfortunately, this doesn't work on Windows; the key imported by CreateFromPemFile is not usable by SChannel,
see https://github.com/dotnet/runtime/issues/86328
One solution to work on all platforms would be:
```csharp
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// The X509 certificate used by the server (serverCert is the path to the server's .p12 file).
using var serverCertificate = new X509Certificate2(serverCert);

// Create a collection with the server certificate and any intermediate certificates. This is used by
// ServerCertificateContext to provide the certificate chain to the peer.
var intermediates = new X509Certificate2Collection();
intermediates.ImportFromPemFile(serverFullChain);

// Create the authentication options using the test server certificate.
var serverAuthenticationOptions = new SslServerAuthenticationOptions()
{
    ServerCertificateContext = SslStreamCertificateContext.Create(serverCertificate, intermediates)
};
```
Do you think this is worth the added complexity? Using ServerCertificateContext ensures that the server provides the certificate chain to the client, not just the leaf certificate. In this example with the test certificates, it doesn't matter because there are no intermediate certificates, and the peer root CA is never sent, and must not be used.
I think we probably should just because people will likely end up copying our code.
First question: why is this PR adding .pem files?
Are these .pem files in addition to the existing .p12 and .der files? Are the p12 and der files still used?
First question: why is this PR adding .pem files?
We use PEM files to load the certificate chain, used to set the ServerCertificateContext.
Are these .pem files in addition to the existing .p12 and .der files? Are the p12 and der files still used?
On Windows, we can either load the server certificate from the .p12 or load it from a PEM and export it as mentioned in https://github.com/dotnet/runtime/issues/86328. If we export the files as in the mentioned bug report, we can remove the .p12 files; otherwise, we need them.
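The two threads above (building the ServerCertificateContext from the full-chain PEM, and the Windows-only re-export of a PEM-loaded key so SChannel can use it) can be combined into one cross-platform loader. The following is an added example and not code from this PR or the project; the file names, the helper names, and the PKCS#12 round-trip as the workaround from dotnet/runtime#86328 are assumptions made here.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not the project's code). Paths such as "server.pem", "server.key"
// and "server-fullchain.pem" are assumed names for illustration only.
public static class ServerTlsOptions
{
    // Loads the server certificate and private key from PEM on every platform.
    public static X509Certificate2 LoadServerCertificate(string certPemPath, string keyPemPath)
    {
        X509Certificate2 fromPem = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);
        if (!OperatingSystem.IsWindows())
        {
            return fromPem;
        }

        // On Windows the key attached by CreateFromPemFile is ephemeral and SChannel cannot
        // use it (dotnet/runtime#86328). Round-tripping the certificate and key through
        // PKCS#12 and reloading it gives SChannel a key it can use. (Assumed workaround.)
        using (fromPem)
        {
            return new X509Certificate2(fromPem.Export(X509ContentType.Pkcs12));
        }
    }

    // Loads the intermediates from a full-chain PEM. The leaf is already the context target,
    // and a self-signed root must never be sent to the peer, so both are filtered out here
    // rather than relying on how SslStreamCertificateContext.Create treats them.
    public static X509Certificate2Collection LoadIntermediates(string fullChainPemPath, X509Certificate2 leaf)
    {
        var chain = new X509Certificate2Collection();
        chain.ImportFromPemFile(fullChainPemPath);

        var intermediates = new X509Certificate2Collection();
        foreach (X509Certificate2 cert in chain)
        {
            bool isLeaf = cert.Thumbprint == leaf.Thumbprint;
            // Subject == Issuer is the usual self-signed (root) check for a PEM chain file.
            bool isSelfSigned = cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData);
            if (!isLeaf && !isSelfSigned)
            {
                intermediates.Add(cert);
            }
        }
        return intermediates;
    }

    // Builds the server options so the peer receives the leaf plus intermediates, never the root.
    public static SslServerAuthenticationOptions Create(string certPemPath, string keyPemPath, string fullChainPemPath)
    {
        X509Certificate2 serverCertificate = LoadServerCertificate(certPemPath, keyPemPath);
        X509Certificate2Collection intermediates = LoadIntermediates(fullChainPemPath, serverCertificate);

        return new SslServerAuthenticationOptions
        {
            ServerCertificateContext = SslStreamCertificateContext.Create(serverCertificate, intermediates)
        };
    }

    public static void Main()
    {
        // Assumed file names; with the repository's test certificates the intermediates set is empty.
        SslServerAuthenticationOptions options = Create("server.pem", "server.key", "server-fullchain.pem");
        Console.WriteLine($"Server certificate: {options.ServerCertificateContext!.TargetCertificate.Subject}");
        Console.WriteLine($"Intermediates sent: {options.ServerCertificateContext.IntermediateCertificates.Count}");
    }
}
```

With this layout only PEM files are needed on every platform, which is the condition under which the .p12 files could be dropped. If the .p12 files are kept instead, `LoadServerCertificate` can be replaced by `new X509Certificate2(p12Path)` on Windows and the chain handling stays the same.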
Fix #3981