Retrieving the issuer of an X509Certificate2 object

10

I have an X509Certificate2 object retrieved from an X509Store. I want to get the issuer of this certificate, but the only two properties the object provides are X509Certificate2.Issuer and X509Certificate2.IssuerName, where .Issuer is a bit misleading because the string it returns is essentially the issuer's name.

At best, these two properties return a distinguished name, but a DN is not unique, right? So I don't want to use the X509Certificate2Collection.Find method with the X509FindType.FindByIssuerDistinguishedName flag.

How do I get the issuer of a certificate and make sure I have the "right" one? Note: I don't have to use the X509Certificate2 object. Alternatives are welcome.

1 answer

17
If I understand you correctly, you have a certificate and want to find the issuer certificate. Here are the steps:
  1. Check whether the leaf certificate's Subject and Issuer fields are different. Otherwise, the certificate is its own issuer (self-signed certificate).

  2. Instantiate an X509Chain object and pass the leaf certificate to the X509Chain.Build method. Examine the ChainElements property (a collection); the element at index 1 is the issuer.

     using System.Security.Cryptography.X509Certificates;
    
     namespace Name {
         class Class1 {
             public static X509Certificate2 GetIssuer(X509Certificate2 leafCert) {
                 // Self-signed: Subject equals Issuer, so the certificate is its own issuer.
                 if (leafCert.Subject == leafCert.Issuer) { return leafCert; }
                 // X509Chain holds native resources; dispose it when done.
                 using (X509Chain chain = new X509Chain()) {
                     // Skip CRL/OCSP lookups; we only want the issuer, not revocation status.
                     chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                     chain.Build(leafCert);
                     X509Certificate2 issuer = null;
                     // ChainElements[0] is the leaf itself; [1] is the certificate that signed it.
                     if (chain.ChainElements.Count > 1) {
                         issuer = chain.ChainElements[1].Certificate;
                     }
                     return issuer;
                 }
             }
         }
     }
    

    Note that this only works if the issuer certificate is in the user or machine certificate store.


1
That's it! X509Chain is the solution. - Mike
2
This only works if you have access to the issuer certificate. - spongyryno
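The two comments above raise the practical problem with the answer's approach: chain building silently returns no issuer when the issuer certificate is not in a store, and `Build` returning false is never inspected. The following is an added example, not code from the answer or from the .NET documentation; the `IssuerFinder`, `IssuerResult` and `FindIssuer` names are hypothetical. It extends the answer's method in two ways: candidate issuer certificates that are not installed in the user or machine store can be supplied through `ChainPolicy.ExtraStore`, and the result carries the `ChainStatus` so the caller can tell "no issuer found" (`PartialChain`) apart from "issuer found but not trusted" (e.g. `UntrustedRoot`).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

namespace IssuerLookup
{
    // Hypothetical result type (added example): the issuer plus the chain engine's verdict.
    public sealed class IssuerResult
    {
        public X509Certificate2 Issuer;    // null when no issuer certificate could be located
        public bool ChainTrusted;          // true only if Build() succeeded with no status errors
        public X509ChainStatus[] Status;   // empty when trusted; otherwise the reasons
    }

    public static class IssuerFinder
    {
        // Builds the chain for leafCert and returns the certificate the chain engine used to
        // verify the leaf's signature. extraCerts are optional issuer/intermediate certificates
        // that are not installed in any store (for example, loaded from a PEM bundle shipped
        // with the application); they are offered to the engine via ExtraStore.
        public static IssuerResult FindIssuer(X509Certificate2 leafCert, params X509Certificate2[] extraCerts)
        {
            if (leafCert == null) throw new ArgumentNullException(nameof(leafCert));
            var result = new IssuerResult { Status = Array.Empty<X509ChainStatus>() };

            // Self-signed: Subject equals Issuer, so the certificate is its own issuer.
            if (leafCert.Subject == leafCert.Issuer)
            {
                result.Issuer = leafCert;
                result.ChainTrusted = true;
                return result;
            }

            using (var chain = new X509Chain())
            {
                // Revocation is a separate concern; here we only want to locate the issuer.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                // Make uninstalled candidates available to the chain engine.
                foreach (var candidate in extraCerts)
                {
                    if (candidate != null) chain.ChainPolicy.ExtraStore.Add(candidate);
                }

                // Build() returns false on any policy error, but ChainElements is still
                // populated as far as the engine got, so the issuer may still be present.
                result.ChainTrusted = chain.Build(leafCert);
                result.Status = chain.ChainStatus;

                // ChainElements[0] is the leaf; [1] is the certificate whose key verified its
                // signature. This is a cryptographic match, not a DN string comparison.
                if (chain.ChainElements.Count > 1)
                {
                    result.Issuer = chain.ChainElements[1].Certificate;
                }
            }
            return result;
        }

        // Convenience check for the "no issuer available" case spongyryno describes.
        public static bool IssuerMissing(IssuerResult r)
        {
            if (r.Issuer != null) return false;
            foreach (var s in r.Status)
            {
                if ((s.Status & X509ChainStatusFlags.PartialChain) != 0) return true;
            }
            return r.Issuer == null;
        }

        public static void Main(string[] args)
        {
            // Usage sketch: the caller supplies a leaf certificate (e.g. from X509Store)
            // and, optionally, a bundle of issuer certificates it already holds.
            if (args.Length == 0) { Console.WriteLine("usage: IssuerLookup <leaf.cer> [issuer.cer ...]"); return; }
            var leaf = new X509Certificate2(args[0]);
            var extras = new X509Certificate2[args.Length - 1];
            for (int i = 1; i < args.Length; i++) extras[i - 1] = new X509Certificate2(args[i]);

            IssuerResult r = FindIssuer(leaf, extras);
            Console.WriteLine(r.Issuer == null
                ? "issuer not found (" + (IssuerMissing(r) ? "partial chain" : "unknown") + ")"
                : "issuer: " + r.Issuer.Subject + " thumbprint=" + r.Issuer.Thumbprint);
            Console.WriteLine("chain trusted: " + r.ChainTrusted);
            foreach (var s in r.Status) Console.WriteLine("  status: " + s.Status + " - " + s.StatusInformation);
        }
    }
}
```

To answer the "right issuer" part of the question: once `FindIssuer` returns a certificate, compare its `Thumbprint` (the SHA-1 hash of the DER encoding) against the thumbprint of the CA you expect rather than its subject DN; two CAs can share a DN, but not a thumbprint. If `ChainTrusted` is false and `Status` contains `UntrustedRoot`, the issuer was located but does not chain to a trusted root on this machine, which is a different condition from `PartialChain`, where no issuer could be found at all.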
