I want to validate a chain of certificates. I get an X509Certificate2Collection and have to validate whether all the certificates build one chain.
Usually, in order to verify the certificate chain, I should take the digital signature from the leaf certificate and check whether it is signed by the root certificate, but in .NET I can't find a way to extract the signature from the X509Certificate2 object.
Therefore, I thought of using the X509Chain.Build() method in the following way:
using System.Security.Cryptography.X509Certificates;

void ValidateChain(X509Certificate2Collection collection, X509Certificate2 leaf)
{
    X509Chain x509Chain = new X509Chain();
    // Offer the supplied certificates as candidate intermediates/roots for path building.
    x509Chain.ChainPolicy.ExtraStore.AddRange(collection);
    // Build() returns false if any chain status error is recorded.
    bool isValid = x509Chain.Build(leaf);
}
But I have some questions about the Build method: ExtraStore, how can I define this behaviour? I would really appreciate it if someone could explain to me how the Build() method works.
You should use the ChainStatus value after the Build operation. MSDN:
The X509Chain object has a global error status called ChainStatus that should be used for certificate validation. The rules governing certificate validation are complex, and it is easy to oversimplify the validation logic by ignoring the error status of one or more of the elements involved. The global error status takes into consideration the status of each element in the chain.
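As an added example (not the answerer's code), here is how the asker's helper can be rewritten to report the global ChainStatus and the per-element status, and to check that every certificate in the supplied collection actually ended up in the built path. The revocation mode and the "every certificate must be used" rule are assumptions about the asker's requirements.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class ChainValidator
{
    // Builds a chain for `leaf`, offering `collection` as extra intermediates/roots,
    // and reports chain-level and per-element status instead of only Build()'s bool.
    public static bool ValidateChain(X509Certificate2Collection collection,
                                     X509Certificate2 leaf,
                                     out List<string> problems)
    {
        problems = new List<string>();
        using var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.AddRange(collection);
        // Assumption: validation runs offline, so skip online CRL/OCSP lookups.
        // Leave the default (Online) if revocation checking is required.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(leaf);

        // Global status: one entry per distinct problem found anywhere in the chain.
        foreach (X509ChainStatus status in chain.ChainStatus)
            problems.Add($"chain: {status.Status} - {status.StatusInformation?.Trim()}");

        // Per-element status: tells which certificate caused each problem.
        foreach (X509ChainElement element in chain.ChainElements)
            foreach (X509ChainStatus status in element.ChainElementStatus)
                problems.Add($"{element.Certificate.Subject}: {status.Status}");

        // Assumed requirement: every supplied certificate must be part of the built path.
        var used = new HashSet<string>(chain.ChainElements.Cast<X509ChainElement>()
                                            .Select(e => e.Certificate.Thumbprint));
        foreach (X509Certificate2 cert in collection)
            if (!used.Contains(cert.Thumbprint))
                problems.Add($"not in chain: {cert.Subject}");

        return built && problems.Count == 0;
    }
}
```

ExtraStore only supplies candidate certificates for path building; it does not make them trusted, so a root that exists only in the collection is reported as UntrustedRoot unless it is in the machine or user trusted root store (or, on .NET 5 and later, placed in ChainPolicy.CustomTrustStore with TrustMode set to X509ChainTrustMode.CustomRootTrust).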