stackoom
  简体   繁体   中英

Distinguish between Root CA and Intermediate CA Certificate

 原文  2019-07-04 10:42:04       c#/ ssl/ .net-core/ x509certificate2

Question

I have managed to figure out if a cert in a x509Certificate2Collection is a certificate authority cert but how can I safely determine if it's a Root cert or an Intermediate cert please? Is the following safe enough?

var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password", X509KeyStorageFlags.PersistKeySet);

foreach (X509Certificate2 cert in collection)
{
    var basicConstraintExt = cert.Extensions["2.5.29.19"] as X509BasicConstraintsExtension;
    if (basicConstraintExt != null)
    {
        Log.Debug($"    Subject is: '{cert.Subject}'");
        Log.Debug($"    Issuer is: '{cert.Issuer}'");
        if (basicConstraintExt.CertificateAuthority)
        {
            Log.Debug("I am a CA Cert.");
            if (cert.Subject == cert.Issuer)
            {
                Log.Debug("My Subject matches Issuer.");
            }
            else
            {
                Log.Debug("My Subject does not match Issuer.");
            }
            Log.Debug(cert.Verify() ? "I verify" : "I do not verify");
        }
        else
        {
            Log.Debug("I am not a CA Cert.");
        }
    }
}

Results:

 Displaying Cert #1 in collection
 ********************************

 Subject is: 'CN=Intermediate-CA, DC=test, DC=lan'
 Issuer is: 'CN=Root-CA, DC=test, DC=lan'
 - I am a CA Cert.
 - My Subject does not match Issuer.
 - I do not verify


 Displaying Cert #2 in collection
 ********************************

 Subject is: 'CN=Root-CA, DC=test, DC=lan'
 Issuer is: 'CN=Root-CA, DC=test, DC=lan'
 - I am a CA Cert.
 - My Subject matches Issuer.
 - I do not verify

1 answers

solution1
 1  2019-07-08 21:36:53

Not sure if this helps with Kestrel, but I would try the code below.

We will use X509Chain class to construct and validate the chain.

var collection = new X509Certificate2Collection();
collection.Import("test.pfx", "password");

var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(collection);
// untrusted root error raise false-positive errors, for example RevocationOffline
// so skip possible untrusted root chain error.
chain.VerificationFlags |= X509VerificationFlags.AllowUnknownCertificateAuthority;
// revocation checking is client's responsibility. Skip it.
chain.RevocationMode = X509VerificationFlags.NoCheck;
// build the chain.
Boolean isValid = chain.Build(collection[0]);
// explore chain.ChainElements collection. First item should be your leaf
// certificate and last item should be root certificate

All this stuff is located in System.Security.Cryptography.X509Certificates namespace. In this code piece, I'm assuming that first certificate in PFX is leaf certificate (it is in 99% cases unless someone tries to ignore standards). By exploring chain.ChainElements collection, you can find issues with every certificate in the chain.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question C# generate intermediate certificate from self signed Root CA How to get and install a root CA certificate Digitally sign using root CA from certificate file in .NET How to validate a certificate chain from a specific root CA in C# Why is my certificate not valid unless I put the Sub CA certificate in the trusted root certificate authorities? Correct way of loading SSL certificate signed by Intermediate CA in Kestrel .NET Core Pades LTV verification in iTextSharp throws Public key presented not for certificate signature for root CA certificate C# X509 certificate validation, with Online CRL check, without importing root certificate to trusted root CA certificate store Using custom root CA with HttpClient C# How can I validate a Root-CA-Cert certificate (x509) chain?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM