
I have a List of X509Certificate2, that I want to validate. I want to verify the following:

  • That none of the certificates have expired
  • That the root certificate is trusted, if that is possible to check
  • That each certificate (except root) is issued by the previous certificate

And also, if possible, check if root certificate is downloaded on the running server/machine.

public bool isValid(List<X509Certificate2> certificates)
{
   //Verify that:
   // - That none of the certificates have expired
   // - That the root certificate is trusted, if that is possible to check
   // - That each certificate (except root) is issued by the previous certificate
   // - And if possible, check if root certificate is downloaded on the running server/machine
   throw new NotImplementedException(); // body still to be written
}

So, the example input would be:

         SOME ROOT CERTIFICATE
                   |
 SOME SECOND CERTIFICATE ISSUED BY ROOT
                   |
CERTIFICATE ISSUED BY SECOND CERTIFICATE

Can someone help me out with this?

jon
  • Have you tried [`X509Chain.Build`](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chain.build?view=net-6.0)? – Charlieface Oct 23 '22 at 21:18
  • Charlieface, yes, I have tried it, but I struggle to understand how I can define an X509Policy that performs these validations? Do you know how to do it? – jon Oct 24 '22 at 06:52
  • This answer maybe? https://stackoverflow.com/a/7332193/14868997 – Charlieface Oct 24 '22 at 09:02
  • So, the X509Chain.Build will check that none of the certificates are expired, and that each certificate is issued by the next certificate in the chain? – jon Oct 24 '22 at 10:28
  • Not quite. It will verify that the certificate you give it is valid, and it may use system root CAs for that, and you can add intermediate or root certificates using `chain.ChainPolicy.ExtraStore`. But it's a bit more difficult to check that the chain is actually complete (and not being augmented automatically by the system); you may have to do that manually. – Charlieface Oct 24 '22 at 10:37
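One way to perform the checks listed in the question with `X509Chain`, added here as an example and not code from the original thread. It assumes `certificates[0]` is the root and the last element is the leaf, disables revocation checking (a CRL/OCSP lookup is outside the question), and looks the root up in the LocalMachine Root store; the thumbprint comparison in step 3 is what makes the manual "chain is exactly what I supplied" check the last comment mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class ChainValidator
{
    // certificates[0] is the root, certificates[i] must be issued by certificates[i-1],
    // and the last element is the leaf. Returns false and fills 'errors' on any failure.
    public static bool IsValid(List<X509Certificate2> certificates, out List<string> errors)
    {
        errors = new List<string>();
        if (certificates == null || certificates.Count == 0) { errors.Add("empty list"); return false; }

        // 1. Validity period of every certificate, checked explicitly so each expired
        //    certificate is named, even though Build() reports NotTimeValid as well.
        var now = DateTime.Now;
        foreach (var cert in certificates)
            if (now < cert.NotBefore || now > cert.NotAfter)
                errors.Add($"{cert.Subject} is not valid at {now}");

        // 2. Build a chain from the leaf, offering the supplied certs as candidate issuers.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: no CRL/OCSP
        chain.ChainPolicy.ExtraStore.AddRange(certificates.ToArray());
        var leaf = certificates[certificates.Count - 1];
        bool built = chain.Build(leaf); // false on expiry, bad signature, untrusted root, ...
        foreach (var status in chain.ChainStatus)
            errors.Add($"{status.Status}: {status.StatusInformation}");

        // 3. The chain the system built must consist of exactly the supplied certificates,
        //    in order leaf -> root. This catches the platform substituting a different
        //    issuer or appending elements that were not in the input list.
        var builtThumbprints = chain.ChainElements.Cast<X509ChainElement>()
            .Select(e => e.Certificate.Thumbprint).ToList();
        var expected = certificates.AsEnumerable().Reverse().Select(c => c.Thumbprint).ToList();
        if (!builtThumbprints.SequenceEqual(expected))
            errors.Add("built chain differs from supplied chain: " + string.Join(" <- ", builtThumbprints));

        // 4. Is the supplied root actually installed in this machine's trusted root store?
        using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var root = certificates[0];
        bool rootTrusted = store.Certificates
            .Find(X509FindType.FindByThumbprint, root.Thumbprint, validOnly: false).Count > 0;
        if (!rootTrusted) errors.Add($"root {root.Subject} is not in LocalMachine\\Root");

        return built && errors.Count == 0;
    }
}
```

Because `Build` already fails with `UntrustedRoot` when the root is not trusted, step 4 is only needed to distinguish "root missing from this machine" from other chain failures in the error list.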
