question on certificate validation

  • Question

  • Hello All,

    Our software can communicate with hundreds of devices. We need to authenticate the device and encrypt the communication between device and software. For that we’ll be storing certificates signed by our CA on all devices. To validate the certificate of a device we have to store our CA certificate in the Trusted Root CA folder of the machines where the software is running. We would like to handle the case, in device certificate validation, where the end user does not want to store our CA certificate in the Trusted Root CA folder. How can I validate the device certificate if its CA certificate is not in the Trusted Root CA folder (in other words, how can I verify that the device certificate is signed by our CA)?

    I’m trying to use the classes in the “System.Security.Cryptography.X509Certificates” namespace but have not been successful so far. By default "X509Chain" validates only if the CA certificate is in the Trusted Root CA folder. I'm not able to figure out a way to customize its behavior. I did not find any useful example on "X509ChainPolicy" either, if it can be used for this.

    Thank you for giving your time.

    Regards,
    Gurmit

    Friday, October 30, 2009 12:47 PM

All replies

  • Hello Gurmit:

    Can you provide some code?
    How do you implement the X509ChainPolicy class?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Friday, October 30, 2009 3:16 PM

  • Hello Fisnik,

    I don't have any code; in fact, I'm asking for help.


    Thanks,
    Gurmit
    Tuesday, November 3, 2009 4:43 AM

  • Hello All,

    I'm just wondering if it is really possible to validate the certificate if its root is not in the Trusted Root CA folder. Please also advise if this is not the right forum for this question.

    Regards,
    Gurmit

    Friday, November 6, 2009 4:39 AM
  • Hi Gurmit:

    Is this thread solved or NOT?
    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Saturday, January 2, 2010 2:19 PM
  • Hey,

    You can use the X509Chain class for validation. You need to provide the full chain, however. The object has a ChainPolicy.ExtraStore property where you can put in the certificates above the one you want to verify. Of course, since the root is not trusted by the user, you will always get an UntrustedRoot status. However, you can check the status per certificate and make sure that you only get this error, and only on the root certificate.

    The UntrustedRoot status only tells you that the root is not installed in the store; it has nothing to do with the certificate not being properly signed or such.

    using System;
    using System.Collections.Generic;
    using System.Linq; // needed for certificates.Last() and ChainStatus.First()
    using System.Security.Cryptography.X509Certificates;

    List<X509Certificate2> certificates = new List<X509Certificate2>();
    certificates.Add(new X509Certificate2("root.cer")); // our CA
    certificates.Add(new X509Certificate2("sub1.cer")); // intermediate
    certificates.Add(new X509Certificate2("sub2.cer")); // the device (leaf) certificate, listed last

    X509Chain certChain = new X509Chain();
    // Every certificate except the leaf goes into ExtraStore so the chain can be completed
    // without the CA being installed in the Trusted Root store.
    for (int i = 0; i < certificates.Count; i++)
    {
        if (i + 1 != certificates.Count)
        {
            certChain.ChainPolicy.ExtraStore.Add(certificates[i]);
        }
    }
    certChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // dont know if you need to set this, i dont know if it can check if its not installed, it should be able to though
    // Build() returns false when the root is not installed; that is expected here, so inspect ChainStatus instead.
    certChain.Build(certificates.Last());

    // The chain must end at one of the certificates we supplied (i.e. our own CA), never at some other root.
    bool chainEndsAtOurCa = certChain.ChainPolicy.ExtraStore.Contains(
        certChain.ChainElements[certChain.ChainElements.Count - 1].Certificate);
    // The only acceptable error is UntrustedRoot; an empty status means the root happened to be trusted on this machine.
    bool onlyUntrustedRoot = certChain.ChainStatus.Length == 1 &&
        (certChain.ChainStatus.First().Status & X509ChainStatusFlags.UntrustedRoot) == X509ChainStatusFlags.UntrustedRoot;

    if (chainEndsAtOurCa && (certChain.ChainStatus.Length == 0 || onlyUntrustedRoot))
    {
        Console.WriteLine("Certificate valid");
    }
    else
    {
        string message = Environment.NewLine + "X509Certificate Chain Status" + Environment.NewLine;
        foreach (X509ChainStatus chainStatus in certChain.ChainStatus)
        {
            message += chainStatus.Status + ": " + chainStatus.StatusInformation + Environment.NewLine;
        }
        throw new InvalidOperationException("The chain cannot be built, see the chain status for details" + message);
    }


    Please be so kind as to close your threads when you have found an answer; these threads should help everyone with similar issues.
    You can close a thread via the "Mark as Answer" link below posts. You can mark your own posts as answers if you were not helped out but found a solution; in such a case, please provide the answer.
    Happy coding
    PS: I assure everyone that I have never had the desire to offend anyone.


    • Edited by MDeero Thursday, September 14, 2017 9:34 AM
    Thursday, September 14, 2017 9:33 AM
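The answer above works on .NET Framework by tolerating the UntrustedRoot status and then checking that the chain ended at a certificate from ExtraStore. On modern .NET (.NET 5 or later) the same requirement, "trust only our CA, without installing it in the machine's Trusted Root store", can be expressed directly through the chain policy. The following is an added example, not code from the thread or from any poster; the file names are placeholders, and it assumes a .NET 5+ runtime, since X509ChainTrustMode and CustomTrustStore are not available on .NET Framework.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Validates a device certificate against a pinned company CA without touching the
// machine's Trusted Root store. Requires .NET 5 or later (assumption: the
// X509ChainTrustMode / CustomTrustStore API is not present on .NET Framework).
public static class DeviceCertValidator
{
    public static bool IsIssuedByOurCa(
        X509Certificate2 deviceCert,
        X509Certificate2 ourRootCa,
        X509Certificate2Collection intermediates,
        out string failureReason)
    {
        using var chain = new X509Chain();

        // Trust ONLY our root: the system store is not consulted at all, so a device
        // certificate chaining to any other CA (even a publicly trusted one) is rejected.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ourRootCa);

        // Intermediates are not trust anchors; they only help the builder complete the path.
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);

        // Devices are often unable to reach CRL/OCSP endpoints; make this decision explicit
        // rather than letting a network timeout decide. Offline CRLs would be the safer choice.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(deviceCert);

        // Even when Build() succeeds, confirm the path terminated at the pinned root by
        // thumbprint, not by subject name (names are attacker-chosen, thumbprints are not).
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool rootMatches = string.Equals(root.Thumbprint, ourRootCa.Thumbprint,
                                         StringComparison.OrdinalIgnoreCase);

        if (built && rootMatches)
        {
            failureReason = string.Empty;
            return true;
        }

        // Report every status per chain element so the log says which certificate failed and why.
        failureReason = string.Join("; ",
            chain.ChainElements.Cast<X509ChainElement>().SelectMany(e =>
                e.ChainElementStatus.Select(s =>
                    $"{e.Certificate.Subject}: {s.Status} ({s.StatusInformation.Trim()})")));
        if (!rootMatches)
        {
            failureReason = "chain did not end at the pinned root; " + failureReason;
        }
        return false;
    }

    public static void Main()
    {
        // Placeholder file names. In practice the device certificate arrives over the
        // connection (for example SslStream.RemoteCertificate) and the CA ships with the software.
        var ourRoot = new X509Certificate2("our-root-ca.cer");
        var intermediates = new X509Certificate2Collection { new X509Certificate2("our-intermediate.cer") };
        var deviceCert = new X509Certificate2("device.cer");

        if (IsIssuedByOurCa(deviceCert, ourRoot, intermediates, out string why))
            Console.WriteLine("Device certificate was issued by our CA");
        else
            Console.WriteLine("Rejected: " + why);
    }
}
```

The same method can be called from an SslStream RemoteCertificateValidationCallback so that TLS connections to devices are accepted only when the presented certificate chains to the shipped CA. Two checks matter beyond what the original snippet does: the thumbprint comparison pins the root regardless of how the chain was completed, and CustomRootTrust guarantees that a certificate from an unrelated but publicly trusted CA is never accepted just because it happens to validate against the machine's store.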