
I am using a smart card to authenticate the user. I have an authentication service (SecurityTokenService) which handles the authentication logic on the server.

I am using X509Certificate2.Verify() to validate the certificate. Since this API can check if the certificate is valid/revoked by going online and contacting Certification Authority (CA), do I need root certificate on the server?

Can we avoid having the root certificate on our local computer? Or is a root certificate always mandatory?

Learner

1 Answer


I tried a few things and here are the observations:

  1. First of all, X509Certificate2.Verify() does not check whether all the certificates in the chain are revoked. From this post I came to know that the Verify method internally uses the Crypt32 CertVerifyCertificateChainPolicy function. The documentation for it says that it does not perform certificate revocation checking. In short, the Verify method just checks whether the certificate for which it's called is revoked or not.

  2. Regarding the root certificate:

    • If you are using X509Certificate2.Verify() and the root cert is absent, then the method will outright return false. So with this method a root certificate is absolutely required.
    • If you are using X509Chain to build the trust chain, then you can decide whether to exclude root certificate revocation or whether to go online/offline to verify revocation status of the certificates.
    • However, whether you go online or not, or you exclude root certificate or not, you get the PartialChain value in the ChainStatus if the root certificate is missing. So to build the full trust chain, you need a root certificate on your machine.

Hope this helps someone who wants to know a little more about certificate validation in C#.

Learner
  • Strange answer CSharpLearner: most of the time you don't explicitly need to validate to a *root* certificate, what you need is a chain that is *explicitly trusted*. Normally you only trust root certs on a system, but you might as well trust any intermediate certificate or end user certificate instead. That does not mean that this answer is wrong *for this particular framework*, but it certainly does not hold true for other frameworks... – Maarten Bodewes Apr 14 '12 at 11:00
  • @owlstead : Thanks for your comment; it's helpful. What I have posted is my observation after a few trials. If the valid root cert is present on your machine, then you get absolutely correct validation without messages/status like `PartialChain`. Having said this, whether someone wants to validate the whole chain (including root cert) or not is the matter of requirement and choice. Just out of curiosity : What if root cert itself gets revoked? Or is it something that is impossible? If no, should not we validate root cert as well? – Learner Apr 16 '12 at 04:35
  • Normally you only revoke certificates using the serial number; self-signed (root) certificates are normally handled "out of band" - this includes revoking the certificate. In a good CA structure, the private key of the root certificate is only used now and then to create new CAs, and to create a CRL for those now and then. somewhere. So the chances of it being compromised should be pretty slim. – Maarten Bodewes Apr 16 '12 at 10:07
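An added example, not code from the question or from either participant, that puts the answer's observations side by side: `Verify()` as a single boolean versus an `X509Chain` build with explicit revocation settings, where `PartialChain` (missing trusted root) is reported separately from revocation statuses. It assumes the path to an end-entity certificate file is passed on the command line.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original Q&A): contrasts X509Certificate2.Verify()
// with an explicit X509Chain build and separates "no trusted root" from
// revocation-related chain statuses.
static class ChainCheckDemo
{
    // Builds the chain for 'leaf' with the given revocation settings and
    // returns true if the only problem found is a missing trusted root.
    static bool BuildAndReport(X509Certificate2 leaf,
                               X509RevocationMode revocationMode,
                               X509RevocationFlag revocationFlag)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocationMode; // Online, Offline, NoCheck
        chain.ChainPolicy.RevocationFlag = revocationFlag; // EntireChain, ExcludeRoot, EndCertificateOnly
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(leaf);
        Console.WriteLine($"Build() = {ok} ({revocationMode}/{revocationFlag}); elements: {chain.ChainElements.Count}");

        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");

        // PartialChain appears whenever no trusted root is found, independent of the
        // revocation settings (the answer's point 2). Revoked, RevocationStatusUnknown
        // and OfflineRevocation are the statuses that come from CRL/OCSP checking.
        bool missingRoot = chain.ChainStatus.Any(s => s.Status.HasFlag(X509ChainStatusFlags.PartialChain));
        return missingRoot;
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is a DER- or PEM-encoded end-entity certificate file.
        using var leaf = new X509Certificate2(args[0]);

        // Verify(): one boolean; a missing root and a revoked cert both come back as false.
        Console.WriteLine($"Verify() = {leaf.Verify()}");

        // Online revocation checking for every element except the root.
        bool noRootOnline = BuildAndReport(leaf, X509RevocationMode.Online, X509RevocationFlag.ExcludeRoot);

        // Same build with revocation disabled: if PartialChain is still reported,
        // the failure is a trust-store problem, not a revocation problem.
        bool noRootNoCheck = BuildAndReport(leaf, X509RevocationMode.NoCheck, X509RevocationFlag.ExcludeRoot);
        Console.WriteLine($"Missing trusted root: online={noRootOnline}, nocheck={noRootNoCheck}");
    }
}
```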