[ACCEPTED]-How do I validate that a certificate was created by a particular certification authority?-certificate
I've done this a lot. Here's some easy code you 6 can use.
The part in the if (!isChainValid) block is to make 5 a pretty error message. You don't have to 4 use that if you don't want, but you should 3 throw an error if the chain cannot be built. The 2 chain elements are necessary to check for 1 your root.
X509Certificate2 authority = GetAuthorityCertificate();
X509Certificate2 certificateToValidate = GetCertificateToValidate();
X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
chain.ChainPolicy.VerificationTime = DateTime.Now;
chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
// This part is very important. You're adding your known root here.
// It doesn't have to be in the computer store at all. Neither certificates do.
chain.ChainPolicy.ExtraStore.Add(authority);
bool isChainValid = chain.Build(certificateToValidate);
if (!isChainValid)
{
string[] errors = chain.ChainStatus
.Select(x => String.Format("{0} ({1})", x.StatusInformation.Trim(), x.Status))
.ToArray();
string certificateErrorsString = "Unknown errors.";
if (errors != null && errors.Length > 0)
{
certificateErrorsString = String.Join(", ", errors);
}
throw new Exception("Trust chain did not complete to the known authority anchor. Errors: " + certificateErrorsString);
}
// This piece makes sure it actually matches your known root
var valid = chain.ChainElements
.Cast<X509ChainElement>()
.Any(x => x.Certificate.Thumbprint == authority.Thumbprint);
if (!valid)
{
throw new Exception("Trust chain did not complete to the known authority anchor. Thumbprints did not match.");
}
You can also use the built in method Verify() for 1 X509Certificate2.
X509Certificate2 certificateToValidate = GetCertificateToValidate();
bool valid = certificateToValidate.Verify()
If you say you have a root (which is self-signed) certificate, then 6 your only option is to keep this root certificate 5 available on your server (without the private 4 key of course) and perform certificate validation 3 procedure against your root certificate. This 2 is a mirrored situation to the web client 1 validating server certificate chain.
More Related questions
We use cookies to improve the performance of the site. By staying on our site, you agree to the terms of use of cookies.