Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is this X.509 certificate considered invalid?

I have a given certificate installed on my server. That certificate has valid dates, and seems perfectly valid in the Windows certificates MMC snap-in.

However, when I try to read the certificate, in order to use it in an HttpRequest, I can't find it. Here is the code used:

    X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly); X509Certificate2Collection col =
    store.Certificates.Find(X509FindType.FindBySerialNumber, "xxx", true);

xxx is the serial number; the argument true means "only valid certificates". The returned collection is empty.

The strange thing is that if I pass false, indicating invalid certificates are acceptable, the collection contains one element—the certificate with the specified serial number.

In conclusion: the certificate appears valid, but the Find method treats it as invalid! Why?

like image 412
pvieira Avatar asked Sep 18 '08 23:09

pvieira


Video Answer


2 Answers

Try verifying the certificate chain using the X509Chain class. This can tell you exactly why the certificate isn't considered valid.

As erickson suggested, your X509Store may not have the trusted certificate from the CA in the chain. If you used OpenSSL or another tool to generate your own self-signed CA, you need to add the public certificate for that CA to the X509Store.

like image 152
David Crow Avatar answered Nov 14 '22 13:11

David Crow


Is the issuer's certificate present in the X509Store? A certificate is only valid if it's signed by someone you trust.

Is this a certificate from a real CA, or one that you signed yourself? Certificate signing tools often used by developers, like OpenSSL, don't add some important extensions by default.

like image 28
erickson Avatar answered Nov 14 '22 12:11

erickson