X509Certificate2Collection.Find() method, using FindByTimeValid criteria, not working

Question

I am using the following code to get only the valid (by time) certificates on the machine:

var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
var storeCol = store.Certificates;
store.Close();

var notExpiredCol = storeCol.Find(X509FindType.FindByTimeValid, DateTime.Now, true);

On my machine it's working perfectly. But, on another machine with same configuration (Windows 10, Visual Studio Community 2017 and exactly the same certificate installed), it returns nothing.

The original collection from the store, without filters, has the certificate. If we look at the certificates under Internet Explorer, the certificate is there. If we look under MMC with Certificates snap-in, the certificate is there. We tried installing the certificate under Current User and Local Machine, the code is getting the certificates collection from Current User.

I've just tried using FindByTimeExpired and FindByTimeNotYetValid criteria, and same result, both returns an empty collection:

var expiredCol = storeCol.Find(X509FindType.FindByTimeExpired, DateTime.Now, true);
var notYetValidCol = storeCol.Find(X509FindType.FindByTimeNotYetValid, DateTime.Now, true);

Does anyone have any idea what's going on or what we could check to resolve the issue?

By the way, what is exactly the role of the validOnly parameter on the X509Certificate2Collection.Find() method? If I use the value false on it, the method returns the certificate on the collection.

Answer 1

@Kirk Larkin solved the problem on his comment.

The validOnly parameter set to true causes X509Certificate2Collection.Find() method to call X509Certificate2.Verify() method on any certificate it finds (just don't know why the docs don't mention that little particularity though), and that method performs a X.509 chain validation.

On that machine, one Trusted Root Certification Authority in the certificate chain was not installed, so, the certificate was being treated as not trusted. We've installed that missing certificate of the chain and now it works well.

So, better not use the validOnly parameter set to true on our case.