MVC中的客戶端證書頒發者（指紋）

Question

在MVC應用程序中，我需要驗證客戶端證書是由特定CA簽署/頒發的。

我知道如何從中獲取Request.ClientCertificate和X509Certificate2，但我無法弄清楚如何檢查發行者。 Request.ClientCertificate.Issuer給出了發行人的主題，但我認爲這不夠安全。我希望能夠檢查發行人指紋，那麼如何從客戶證書中檢索它？

Answer 1

// get the X509 from HTTP client certificate 
var x509 = new X509Certificate2(this.Request.ClientCertificate.Certificate); 

// create the certificate chain by using the machine store 
var chain = new X509Chain(true); 
chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; 
chain.Build(x509); 

// at this point chain.ChainElements[0] will contain the original 
// certificate, the higher indexes are the issuers. 
// note that if the certificate is self-signed, there will be just one entry. 
var issuer = chain.ChainElements[1].Certificate.Thumbprint;