X509Chain.Build(...) System.InvalidCastException 从 X509Certificate 到 X509Certificate2

Question

我正在尝试使用自定义证书颁发机构验证证书链。为什么这段代码最后一行会抛出异常？

using System.Security.Cryptography.X509Certificates;

string BaseCertsDir = "Certificates\\";

X509Certificate serverCrt = new(BaseCertsDir + "Server\\Server.crt");
X509Certificate intermediateCert = new(BaseCertsDir + "IntermediateCA\\IntermediateCA.crt");
X509Certificate rootCert = new(BaseCertsDir + "RootCA\\RootCA.crt");

X509Chain chain = new();
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
chain.ChainPolicy.CustomTrustStore.Clear();
chain.ChainPolicy.CustomTrustStore.Add(rootCert);

chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

chain.ChainPolicy.ExtraStore.Add(intermediateCert);

chain.Build(new X509Certificate2(serverCrt));

例外：

Exception thrown: 'System.InvalidCastException' in System.Private.CoreLib.dll
An unhandled exception of type 'System.InvalidCastException' occurred in System.Private.CoreLib.dll
Unable to cast object of type 'System.Security.Cryptography.X509Certificates.X509Certificate' to type 'System.Security.Cryptography.X509Certificates.X509Certificate2'.

Answer 1

在添加之前，我可以通过将 rootCert 和 intermediateCert 转换为 X509Certificate2 来使代码正常工作：

chain.ChainPolicy.CustomTrustStore.Add(new X509Certificate2(rootCert));

chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(intermediateCert));