
I have a X509Certificate2Collection, and I want to tell whether a given certificate is either in it or signed by a CA in the collection.

I do NOT want to reference the Windows certificate stores, which seems to be what every example shows. This is for a secure application, and I do not care that CheapCertificate.Com has trusted some cert, only that specific CAs that I explicitly specify are valid.

Also, is it possible to use SslStream against anything other than the global store? I could not see any parameter that set it.

To be clear, the wrong way is:

```csharp
foreach (X509Certificate2 trustedIssuer in trustedCerts) {
  if (trustedIssuer.Subject == certificate.Issuer) {...
```
  • You would usually compare the thumbprints of two certificates. See the remarks under https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate.equals?view=netframework-4.7.2#System_Security_Cryptography_X509Certificates_X509Certificate_Equals_System_Security_Cryptography_X509Certificates_X509Certificate_ – ckuri Feb 16 '19 at 06:36

1 Answer


The following describes it. It is a bit of work: create your own chain, put all the certs in, and see if it validates.

How to verify X509 cert without importing root cert?

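The approach the answer sketches (build your own chain against an explicit trust collection, never the OS stores) and the SslStream question from the original post, as an added example that is not code from the question or the answer. It assumes .NET 5 or later, where `X509ChainTrustMode.CustomRootTrust` exists; the class name `ExplicitTrust` and its method names are my own.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ExplicitTrust
{
    // True if 'certificate' is itself in 'trustedCerts' or chains up to a CA in
    // 'trustedCerts'. The Windows/OS certificate stores are never consulted.
    public static bool IsTrusted(X509Certificate2 certificate, X509Certificate2Collection trustedCerts)
    {
        // Direct membership: compare the full DER encoding, not Subject/Issuer strings,
        // which anyone can put in a certificate they mint themselves.
        if (ContainsExact(trustedCerts, certificate))
            return true;

        using var chain = new X509Chain();
        // CustomRootTrust: only roots present in CustomTrustStore are acceptable;
        // the machine and user Root stores are ignored entirely.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedCerts);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check; enable if CRL/OCSP is reachable
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // do not relax expiry or name checks

        if (!chain.Build(certificate))
            return false;

        // Belt and braces: the chain must terminate at one of our pinned CAs.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return ContainsExact(trustedCerts, root);
    }

    // For SslStream: discard the chain the framework built against the OS stores and
    // re-validate against trustedCerts. A host name mismatch or a missing certificate
    // still fails regardless of issuer.
    public static RemoteCertificateValidationCallback ValidatorFor(X509Certificate2Collection trustedCerts)
    {
        return (sender, cert, chain, errors) =>
        {
            if (cert == null || (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;
            return IsTrusted(new X509Certificate2(cert), trustedCerts);
        };
    }

    private static bool ContainsExact(X509Certificate2Collection set, X509Certificate2 cert)
    {
        foreach (X509Certificate2 candidate in set)
            if (candidate.RawData.AsSpan().SequenceEqual(cert.RawData))
                return true;
        return false;
    }
}
```

Wire it into SslStream with `new SslStream(innerStream, false, ExplicitTrust.ValidatorFor(trustedCerts))`, so the system store is consulted only to build the ignored default chain and never decides trust.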