
On the server side, I have a self-signed CA (certificate and private key). I use them to issue my device certificates, and I want to make sure that if the remote cert is not signed by the CA, an exception will be thrown.

I'm referring to the links below, but they don't seem to work for me. Please help:

C# How can I validate a Root-CA-Cert certificate (x509) chain?

Verify Remote Server X509Certificate using CA Certificate File

fanyangxi

2 Answers


When you receive the device certificate, you validate its signature using the CA certificate. That's all you need (yet you need to remember that when the CA certificate expires and you reissue it, you will have to either replace the device certificates as well or validate the device certificate against several CAs, to ensure that you still allow device certificates signed by the previous CA certificate).

Eugene Mayevski 'Callback
  • Yes, I'm trying to validate the device cert's signature using the CA certs. I'm using C#, doing the validation work in SslStream's RemoteCertificateValidationCallback function. I can get the device cert and the CA certs, and I need some code to make sure that the device cert is signed by the CA cert. – fanyangxi Jun 07 '12 at 01:30
  • That's one of the links I was referring to, but I'll check it again; there must be something I've missed. – fanyangxi Jun 07 '12 at 07:27

I'm following the link below, using BouncyCastle to do this, and it works fine.

C# How can I validate a Root-CA-Cert certificate (x509) chain?

using System;
using Org.BouncyCastle.X509;

// caCertBytes and remoteCertBytes hold the DER-encoded CA and device certificates
// (for example the RawData of the certificates handed to the validation callback).
Org.BouncyCastle.X509.X509Certificate caCert =
       new X509CertificateParser().ReadCertificate(caCertBytes);
Org.BouncyCastle.X509.X509Certificate remoteCert =
       new X509CertificateParser().ReadCertificate(remoteCertBytes);

bool result;
try
{
       // Verify() checks the signature on remoteCert with the CA's public key
       // and throws if it does not validate.
       remoteCert.Verify(caCert.GetPublicKey());
       result = true;
}
catch (Exception ex)
{
       result = false;
}

If remoteCert is not signed by caCert, an exception will be thrown.

fanyangxi
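An added example, not code from either answer: the same check done with the framework's own X509Chain inside SslStream's RemoteCertificateValidationCallback, so no BouncyCastle dependency is needed, and the CA rollover case from the first answer (more than one trusted issuer) is handled by listing several CA certificates. Unlike a bare signature check, X509Chain.Build also rejects certificates outside their validity period and issuers that lack a CA basic constraint. The DeviceCertValidator class name and the CA file names are placeholders I made up; the API calls are the standard System.Security.Cryptography.X509Certificates ones and work on .NET Framework 4.x as well as .NET Core (on .NET 5+ the X509ChainTrustMode.CustomRootTrust policy is a more direct way to express the same pinning).

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class DeviceCertValidator
{
    // Private CA certificates we are willing to accept as the chain root.
    // Listing the previous CA as well keeps devices it issued working during a rollover.
    // File names are placeholders; load them from wherever your deployment keeps them.
    private static readonly X509Certificate2[] TrustedCas =
    {
        new X509Certificate2("ca-current.cer"),
        new X509Certificate2("ca-previous.cer"),
    };

    // Use as: new SslStream(stream, false, DeviceCertValidator.ValidateDeviceCertificate)
    // Returning false makes SslStream.AuthenticateAsServer/AsClient throw AuthenticationException.
    public static bool ValidateDeviceCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,            // built against the system store; we ignore it
        SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        var remoteCert = new X509Certificate2(certificate);
        var privateChain = new X509Chain();

        // Our CAs are not in the OS trust store, so a normal Build() would fail with
        // UntrustedRoot. Tolerate only that status and verify the root ourselves below;
        // signature, validity-period and basic-constraints errors still fail Build().
        privateChain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        // Private PKI with no CRL/OCSP endpoint in this example; enable if you publish one.
        privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        foreach (var ca in TrustedCas)
            privateChain.ChainPolicy.ExtraStore.Add(ca);

        if (!privateChain.Build(remoteCert))
            return false;

        // AllowUnknownCertificateAuthority also tolerates a partial chain, so Build() can
        // succeed for a certificate issued by some CA we have never seen. Therefore require
        // that the last element of the chain is byte-for-byte one of our pinned CA certs.
        X509Certificate2 root =
            privateChain.ChainElements[privateChain.ChainElements.Count - 1].Certificate;

        return TrustedCas.Any(ca => ca.RawData.SequenceEqual(root.RawData));
    }
}
```

The sslPolicyErrors argument is deliberately not consulted: with a private CA it will always carry RemoteCertificateChainErrors, which is exactly what the custom chain replaces. If the device certificates also carry a hostname that must match, check SslPolicyErrors.RemoteCertificateNameMismatch separately before returning true.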