We happen to run a REST API service that exposes an https:// endpoint. Recently we changed our SSL certificate and several users, mostly libcurl and Java users, complained that they can no longer validate the certificate and their programs refuse to connect to our service. Other users, including .NET users, didn't observe any problems. Firefox is also happy to open pages on the site with that certificate.

We need to craft some code that validates the certificates the hardest way possible before we use them in production.
I crafted a piece of code that creates an X509Certificate2 object for the certificate and then tries to X509Chain.Build() from it:
```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;

// path points at the certificate file (e.g. a PFX), password is its import password
var certDataArray = File.ReadAllBytes( path );
var cert = new X509Certificate2( certDataArray, password );
var chain = new X509Chain();
var result = chain.Build(cert);     // false when the chain cannot be built
var status = chain.ChainStatus;     // per-element status flags, inspected below
```
This code runs okay for our previous certificate (which is not yet expired) and fails (Build() returns false and X509Chain.ChainStatus contains a number of elements: X509ChainStatusFlags.RevocationStatusUnknown, X509ChainStatusFlags.PartialChain, X509ChainStatusFlags.OfflineRevocation). So it looks like for this specific certificate this check is enough.
Is X509Chain.Build() enough to ensure that all of our users can successfully validate the certificate? Are any other checks necessary?
The X509ChainStatusFlags.PartialChain code is a sign you have a problem. At least one certificate in the chain a) does not have an issuer which is already in your local certificate stores and b) does not have a resolvable Authority Information Access extension which lets the system download the cert (though that could also be a network error).
If the missing certificate is the root, then providing it to chain.ChainPolicy.ExtraStore (before calling Build) would change X509ChainStatusFlags.PartialChain to X509ChainStatusFlags.UntrustedRoot. If it's an intermediate then it may well result in the chain building successfully.
The OfflineRevocation code seems weird, since you didn't specify X509RevocationMode.Offline (at least, not in your snippet here).
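The following is an added example (not code from the question or the answer) that applies the answer's ExtraStore suggestion: it builds the chain once without and once with the intermediate CA, so a PartialChain that disappears when the intermediate is supplied identifies a server that is not sending its full chain. The class name ChainCheck, the method Check and the two file paths taken from the command line are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Build the chain for `leaf` and OR together every element's status flags.
    // `extra` holds certificates the local store may lack, typically the
    // intermediate CA that the server should be sending in the TLS handshake.
    public static X509ChainStatusFlags Check(X509Certificate2 leaf,
                                             X509Certificate2Collection extra,
                                             X509RevocationMode revocation)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = revocation;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            if (extra != null)
                chain.ChainPolicy.ExtraStore.AddRange(extra);
            chain.Build(leaf); // the bool result is summarised by the flags below
            // NoError (0) means every element of the chain validated cleanly
            return chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError,
                                               (acc, s) => acc | s.Status);
        }
    }

    static void Main(string[] args)
    {
        // args[0]: leaf certificate file, args[1]: intermediate CA file (assumed inputs)
        var leaf = new X509Certificate2(args[0]);
        var intermediate = new X509Certificate2Collection(new X509Certificate2(args[1]));

        // Revocation is switched off here so that only chain-building problems show up
        var withoutExtra = Check(leaf, null, X509RevocationMode.NoCheck);
        var withExtra    = Check(leaf, intermediate, X509RevocationMode.NoCheck);
        Console.WriteLine($"Without intermediate: {withoutExtra}");
        Console.WriteLine($"With intermediate:    {withExtra}");

        // PartialChain that vanishes once the intermediate is supplied means the server
        // is not sending it. Windows fetches missing issuers via AIA; OpenSSL-based
        // clients such as libcurl, and Java by default, do not, so they fail to validate.
        if (withoutExtra.HasFlag(X509ChainStatusFlags.PartialChain)
            && !withExtra.HasFlag(X509ChainStatusFlags.PartialChain))
            Console.WriteLine("Configure the server to send the intermediate CA with the leaf.");

        // Now check revocation online, so RevocationStatusUnknown/OfflineRevocation
        // appear only if the CRL/OCSP endpoints are genuinely unreachable.
        Console.WriteLine($"Online revocation: {Check(leaf, intermediate, X509RevocationMode.Online)}");
    }
}
```

Running the online check separately from the chain-building check keeps a transient CRL/OCSP outage from being mistaken for a broken chain, and vice versa.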