[ACCEPTED]-How do I validate that a certificate was created by a particular certification authority?-certificate

Accepted answer
Score: 39

I've done this a lot. Here's some easy code you 6 can use.

The part in the if (!isChainValid) block is to make 5 a pretty error message. You don't have to 4 use that if you don't want, but you should 3 throw an error if the chain cannot be built. The 2 chain elements are necessary to check for 1 your root.

X509Certificate2 authority = GetAuthorityCertificate();
X509Certificate2 certificateToValidate = GetCertificateToValidate();

X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);

// This part is very important. You're adding your known root here.
// It doesn't have to be in the computer store at all. Neither certificates do.

bool isChainValid = chain.Build(certificateToValidate);

if (!isChainValid)
    string[] errors = chain.ChainStatus
        .Select(x => String.Format("{0} ({1})", x.StatusInformation.Trim(), x.Status))
    string certificateErrorsString = "Unknown errors.";

    if (errors != null && errors.Length > 0)
        certificateErrorsString = String.Join(", ", errors);

    throw new Exception("Trust chain did not complete to the known authority anchor. Errors: " + certificateErrorsString);

// This piece makes sure it actually matches your known root
var valid = chain.ChainElements
    .Any(x => x.Certificate.Thumbprint == authority.Thumbprint);

if (!valid)
    throw new Exception("Trust chain did not complete to the known authority anchor. Thumbprints did not match.");
Score: 1

You can also use the built in method Verify() for 1 X509Certificate2.

X509Certificate2 certificateToValidate = GetCertificateToValidate();
bool valid = certificateToValidate.Verify()


Score: 0

If you say you have a root (which is self-signed) certificate, then 6 your only option is to keep this root certificate 5 available on your server (without the private 4 key of course) and perform certificate validation 3 procedure against your root certificate. This 2 is a mirrored situation to the web client 1 validating server certificate chain.

More Related questions