
I understand the difference between self-signed and CA-signed certificates, but I need to know if there is a way to distinguish between the two when they are contained in IIS's bag of bindings.

Scenario

I have two https bindings set up for my site, one with a CA-signed cert, X, and one with a self-signed cert, Y.

In code, I have access to the bindings, which is a ConcurrentBag<Microsoft.Web.Administration.Binding> used by IIS. I want to be able to tell which certificate is the self-signed and which is CA-signed using some property of the object.

Is this possible?

Comments
Use the `CertificateHash` and `CertificateStore` properties of each (applicable) `Binding` to [find the appropriate certificate](https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2collection.find(v=vs.110).aspx) and compare the subject and authority key identifiers in the x509 Extensions of the certificate – Mathias R. Jessen Feb 09 '16 at 23:48

It is not easy, as a self-signed cert, if properly configured (like adding it to the trusted authorities store), works just like a commercial one. But if you keep a white list of issuers, then in code you can easily distinguish. – Lex Li Feb 10 '16 at 00:39

1 Answer

Credit to @Mathias from the comments:

Use the CertificateHash and CertificateStore properties of each (applicable) Binding to find the appropriate certificate and compare the subject and authority key identifiers in the x509 Extensions of the certificate

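One way to implement the approach from the comment in C# against Microsoft.Web.Administration, as an added example that is not part of the question or the answer. It assumes the binding exposes its store through the `Binding.CertificateStoreName` property (the comment refers to it as `CertificateStore`), that the certificate is in the LocalMachine store, and that the code runs with read access to that store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;
static class BindingCertInspector
{
    const string AkiOid = "2.5.29.35"; // Authority Key Identifier extension
    // True when the Authority Key Identifier names the cert's own Subject Key Identifier, i.e. the
    // cert was signed with its own key. Caveats: a CA root passes this test too, and a cert lacking
    // either extension falls back to a Subject == Issuer comparison.
    public static bool IsSelfSigned(X509Certificate2 cert)
    {
        var ski = cert.Extensions.OfType<X509SubjectKeyIdentifierExtension>().FirstOrDefault();
        var aki = cert.Extensions.Cast<X509Extension>().FirstOrDefault(e => e.Oid.Value == AkiOid);
        byte[] akiKeyId = aki == null ? null : ExtractAkiKeyIdentifier(aki.RawData);
        if (ski == null || akiKeyId == null)
            return string.Equals(cert.Subject, cert.Issuer, StringComparison.Ordinal);
        string akiHex = BitConverter.ToString(akiKeyId).Replace("-", "");
        return string.Equals(akiHex, ski.SubjectKeyIdentifier, StringComparison.OrdinalIgnoreCase);
    }
    // Minimal DER walk: AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier OPTIONAL, ... }.
    // Returns null when the optional keyIdentifier is absent or the encoding is unexpected.
    static byte[] ExtractAkiKeyIdentifier(byte[] der)
    {
        int pos = 0;
        if (der.Length < 2 || der[pos++] != 0x30) return null;     // outer SEQUENCE tag
        ReadLength(der, ref pos);
        if (pos >= der.Length || der[pos++] != 0x80) return null;  // context-specific [0], primitive
        int len = ReadLength(der, ref pos);
        return pos + len <= der.Length ? der.Skip(pos).Take(len).ToArray() : null;
    }
    static int ReadLength(byte[] der, ref int pos) // short- and long-form DER lengths
    {
        int first = der[pos++], len = 0;
        if (first < 0x80) return first;
        for (int n = first & 0x7F; n > 0; n--) len = (len << 8) | der[pos++];
        return len;
    }
    // Looks up the certificate an HTTPS binding references by hash and store, then classifies it.
    // Returns null for non-HTTPS bindings or when the certificate is not present in the store.
    public static bool? BindingUsesSelfSignedCert(Binding binding)
    {
        if (binding.Protocol != "https" || binding.CertificateHash == null) return null;
        string thumbprint = BitConverter.ToString(binding.CertificateHash).Replace("-", "");
        var store = new X509Store(binding.CertificateStoreName ?? "MY", StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found;
        try { found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false); }
        finally { store.Close(); }
        return found.Count == 0 ? (bool?)null : IsSelfSigned(found[0]);
    }
}
```

Because a trusted root CA certificate also has a matching SKI and AKI, an issuer whitelist of the kind Lex Li describes is the more reliable check when the self-signed cert has been deliberately added to a trust store.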