I'm having issues using a client certificate to authenticate an HttpWebRequest. (The client certificate isn't being sent.) After some investigation, this seems to be because the certificate isn't passing verification.
To narrow down the problem, I'm using this example from MSDN (it's bugged, see the end of this question; also make sure you have a reference to System.Security). It tells me that the verification is failing because it's unable to check the revocation status of the certificate (which makes sense, our CA doesn't have OCSP enabled). The certificates will be used in an offline deployment, so it will never be able to check revocation anyway. Because of this, I want to disable the revocation check.
I've modified the example as follows:
    ' ~ line 29 of the MSDN example
    ' Do not attempt an online (CRL/OCSP) revocation check at all.
    ch.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck
    ' Additionally, do not report "revocation status unknown" for any element of the chain.
    ch.ChainPolicy.VerificationFlags =
        X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown Or
        X509VerificationFlags.IgnoreCtlSignerRevocationUnknown Or
        X509VerificationFlags.IgnoreEndRevocationUnknown Or
        X509VerificationFlags.IgnoreRootRevocationUnknown
    ' Build the chain for the certificate under the policy configured above.
    ch.Build(certificate)
    Console.WriteLine("Chain Information")
    Console.WriteLine("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag)
    ...
Which unfortunately still results in my certificate failing verification:

    Element issuer name: [Obfuscated]
    Element certificate valid until: 20/11/2013 17:50:01
    Element certificate is valid: False
    Element error status length: 0
    Element information:
    Number of element extensions: 8
Note that without the flags specified above, I get error status length: 1, which is 64. The revocation function was unable to check revocation for the certificate.
*****
So, clearly the flags are affecting something (I no longer get errors), but the certificate is not passing verification. Can someone explain why? Either I have another error that isn't being reported, or I'm going about this in completely the wrong way.
*NB: There's a minor bug in the MSDN example, ~ line 57. The for loop should check for element.ChainElementStatus.Length > 0 and then For index = 0 To element.ChainElementStatus.Length - 1. Otherwise, the certificate still fails but no reason is displayed, irrespective of the flags used.
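The following C# program is an added example (editor's code, not part of the question and not the MSDN sample) showing how to build an X509Chain with revocation checking disabled and how to read the chain-level result separately from the per-element status and from X509Certificate2.Verify(). It assumes a certificate file path is passed on the command line and that the CA certificate is already in a trusted store; the reporting helper name `BuildOffline` is this example's own. The distinction it prints matters for the output above: Build() returns the result of the chain you configured, chain.ChainStatus lists every reason that chain failed (the per-element arrays can be empty while ChainStatus is not), and X509Certificate2.Verify() builds its own chain under the default policy, so its result does not reflect the RevocationMode or VerificationFlags set on your chain.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Builds a chain for `cert` without any CRL/OCSP lookups and reports
    // why it failed, if it did. Returns the chain-level Build() result.
    public static bool BuildOffline(X509Certificate2 cert)
    {
        var chain = new X509Chain();

        // Offline deployment: never contact a CRL distribution point or OCSP responder.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // These flags only suppress the "revocation status unknown" status entries;
        // they do not make the certificate revocation-checked. With NoCheck they
        // are redundant and are set here to mirror the question's configuration.
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
            X509VerificationFlags.IgnoreCtlSignerRevocationUnknown |
            X509VerificationFlags.IgnoreEndRevocationUnknown |
            X509VerificationFlags.IgnoreRootRevocationUnknown;

        bool ok = chain.Build(cert);
        Console.WriteLine("Build() under offline policy: {0}", ok);

        // ChainStatus aggregates the failures of the whole chain. Read this first:
        // it is populated even when individual ChainElementStatus arrays are empty.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: {0} - {1}", s.Status, s.StatusInformation.Trim());

        // Per-element view: leaf first, root (or last available issuer) last.
        foreach (X509ChainElement el in chain.ChainElements)
        {
            Console.WriteLine("  element: {0}", el.Certificate.Subject);
            Console.WriteLine("    valid until: {0:u}", el.Certificate.NotAfter);
            Console.WriteLine("    element status entries: {0}", el.ChainElementStatus.Length);
            foreach (X509ChainStatus s in el.ChainElementStatus)
                Console.WriteLine("    status: {0} - {1}", s.Status, s.StatusInformation.Trim());
        }

        // X509Certificate2.Verify() runs a separate chain build with the default
        // policy (online revocation checking), so it ignores everything configured
        // on `chain` above and can report false for a certificate whose offline
        // chain built successfully. Do not use it as the verdict for this policy.
        Console.WriteLine("Certificate.Verify() under default policy: {0}", cert.Verify());

        chain.Reset();
        return ok;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: ChainCheck <certificate-file>");
            return;
        }
        // Assumed: a DER or PEM encoded certificate file supplied by the caller.
        var cert = new X509Certificate2(args[0]);
        BuildOffline(cert);
    }
}
```

With NoCheck in force, the remaining reasons a chain can fail are the ones that should still be enforced offline: an untrusted or missing issuer (PartialChain, UntrustedRoot), an expired or not-yet-valid element (NotTimeValid), or a signature or name constraint failure. Disabling revocation means a compromised client certificate can only be rejected by expiry or by removing it from whatever list of allowed certificates the offline service keeps, so keep those certificates short-lived or maintain an explicit allow list.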