SslStream and server certificate with intermediate CAs RRS feed

  • Question

  • Hi,

    I can't figure out how to get a SSL C# server using SslStream to send the intermediate CA certificates to the client when loading the certificate chain from a PKCS12 file. Only the end certificate gets sent. It does work if I import the intermediate CAs in the user certificate store but I would prefer not to import these certificates.

    As a test case, I used the server code from the SslStream class documentation. I just modified: 

    serverCertificate = X509Certificate.CreateFromCertFile(certificate);

    to use instead:

    serverCertificate = new X509Certificate2(certificate, "password");

    You can try it out with the certificate at this link: (protected wit the "password" password).

    The certificate file includes the end cert and the certs for the 2 intermediate CAs. If you connect to the server with openssl s_client -connect localhost:8080, you'll see that only the end certificate gets sent.

    Any ideas why the intermediate CA certs don't get sent? is it required that the intermediate certificates be stored in the user/machine certificate store for them to be sent?

    I'm also having the same issue when using SChannel with a C++ program, the intermediate CAs don't get sent unless they are added to the user certificate store.


    Monday, April 27, 2015 11:49 AM

All replies