c# – WCF证书链,以编程方式验证

var serverCert = new X509Certificate2("FullPathToMyCertificate.cer","Password");
        Client.ClientCredentials.ServiceCertificate.DefaultCertificate = serverCert;

System.IdentityModel.Tokens.SecurityTokenValidationException 

The X.509 certificate CN=notrealcertname,OU=TPA,OU=BMP,OU=Projects,O=Somebody,C=US is not in the trusted people store. 
The X.509 certificate CN=notrealcertname,C=US chain building failed. 
The certificate that was used has a trust chain that cannot be verified. 
Replace the certificate or change the certificateValidationMode. 
A certificate chain could not be built to a trusted root authority.

使用的组件默认验证链 – 当无法验证链时,您会得到该异常.
如果你想做所有事情,包括在代码中验证链,那么你需要 implement “custom validation” and integrate that into the WCF Host：

Client.ServiceCertificate.Authentication.CertificateValidationMode =
              X509CertificateValidationMode.Custom;
Client.ServiceCertificate.Authentication.CustomCertificateValidator =
    new MyCertificateValidator();

另一个选择是完全禁用验证(不用于生产！)

Client.ServiceCertificate.Authentication.CertificateValidationMode =
              X509CertificateValidationMode.None;

编辑 – 评论后：

为了自己验证链,你应该看一下X509Chain和X509Store – 了解如何实现这样的链验证,看看验证的Mono’s implementation …基本上你使用Find方法搜索X509Certificate2Collection的父等等…具有自定义验证的验证标准取决于您(有效签名,未过期……).

MSDN上的一些参考链接：

> http://msdn.microsoft.com/en-us/library/system.servicemodel.security.x509servicecertificateauthentication.certificatevalidationmode.aspx
> http://msdn.microsoft.com/en-us/library/system.identitymodel.selectors.x509certificatevalidator.aspx
> http://msdn.microsoft.com/en-us/library/ms733806.aspx