
I want to create an X509 certificate for testing purposes. This certificate has to be shared by 3 developers on their local machines (i.e. all share the same certificate so we can use the same thumbprint).

So the private key in this certificate has to be exportable.

I create a certificate with the following command:

makecert -r -pe -n "CN=mytestsite.local" -b 01/01/2000 -e 01/01/2036 -ss my -sr localMachine -sky exchange localhost.cer

This certificate works fine, but the trouble is that the isValid argument has to be false when calling Certificates.Find...

    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    // Third argument of Find is validOnly (requires System.Linq for OfType/FirstOrDefault)
    var cert = store.Certificates.Find(
                            X509FindType.FindByThumbprint,
                            Config.PdfCertificateThumbprint,
                            false  //********************* This has to be false.
                          ).OfType<X509Certificate>().FirstOrDefault();
    store.Close();

As soon as I set that IsValid property to True, my certificate is no longer returned by the Find method. Why would makecert generate an "invalid" certificate? Or how do I figure out why the certificate is deemed invalid?

willem
  • Because it's not trusted (that is, the certificate chain does not end in a certificate installed in the certificate store)? – lc. Jan 21 '13 at 11:07

2 Answers


Well, it's because it's not issued by a "Trusted Certificate Authority" like the "real" SSL certificates used on the internet (for example, issued by VeriSign).

What you can do to make it work locally is to add the certificate manually to the Trusted Certificates for your user and/or local machine. But this procedure must be done for everyone using it until you obtain a valid SSL certificate issued by a CA (certificate authority).

But your question points to the scenario where it's for dev purposes only, so what you can do is either manually add the certificate to Trusted, or you can override the certificate validation mechanism in .NET and write code that will consider your certificate valid.

dutzu
  • Great, thanks a mil. I'll try adding to the Trusted Certificate store. – willem Jan 21 '13 at 13:25
  • Before I do this... there are a couple of "trusted" certificate folders. Do you mean add the certificate to the "Trusted Root Certification Authorities" category? – willem Jan 21 '13 at 13:27
  • Yup, from experience it also works if you add it to Trusted People – dutzu Jan 21 '13 at 13:44
  • @willem please keep in mind it might be a good idea to add it both on the Local Computer and on the current User – dutzu Jan 21 '13 at 13:44
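The following is an added example, not code from the question or from either answer. It addresses the question's "how do I figure out why the certificate is deemed invalid?" and the answer's "write code that will consider your certificate valid" in one place: it repeats the store lookup with `validOnly: false`, builds the certificate chain the same kind of way the `validOnly: true` check does and prints the chain status flags that explain the rejection (a self-signed makecert certificate typically gets `UntrustedRoot`), then shows a narrow dev-only acceptance that tolerates the unknown root but still rejects expired or tampered certificates and requires the chain to end in the one thumbprint the three developers share. The thumbprint string is a placeholder; revocation checking is switched off in both chain builds so the output is not clouded by CRL/OCSP reachability, which is an assumption about what you want to see, not something the page states.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or the answers): diagnose why a lookup with
// validOnly:true rejects a makecert self-signed certificate, and accept that one
// test certificate by thumbprint instead of turning validation off altogether.
static class TestCertDiagnostics
{
    // Same lookup as in the question, with validOnly:false so an untrusted
    // self-signed certificate is still returned.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
        }
        finally
        {
            store.Close();
        }
    }

    // Builds the trust chain (trusted root, validity period, signatures) and returns
    // the distinct reasons it failed. Revocation is skipped (assumption for a local
    // diagnosis) so the result is not clouded by CRL/OCSP reachability; a self-signed
    // makecert certificate typically yields UntrustedRoot here.
    public static X509ChainStatusFlags[] ExplainRejection(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (chain.Build(cert))
            return new X509ChainStatusFlags[0];
        return chain.ChainStatus.Select(s => s.Status).Distinct().ToArray();
    }

    // Dev-only acceptance that stays narrow: the unknown root is tolerated, but
    // expiry and signature failures still reject, and the chain must end in the
    // one thumbprint the developers share (so no other self-signed cert passes).
    public static bool IsAcceptedTestCert(X509Certificate2 cert, string expectedThumbprint)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!chain.Build(cert))
            return false;
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Placeholder: the shared test certificate's thumbprint (hex, no spaces).
        const string thumbprint = "PUT-SHARED-TEST-THUMBPRINT-HERE";

        var cert = FindByThumbprint(thumbprint);
        if (cert == null)
        {
            Console.WriteLine("Certificate not found in LocalMachine\\My");
            return;
        }
        foreach (var reason in ExplainRejection(cert))
            Console.WriteLine("Rejected by default chain policy: " + reason);
        Console.WriteLine("Accepted as the pinned test certificate: " + IsAcceptedTestCert(cert, thumbprint));
    }
}
```

Once the certificate is imported into Trusted Root Certification Authorities (or Trusted People, as the comments above suggest), `ExplainRejection` returns an empty array and the original `Find` call can be switched back to `validOnly: true`; `IsAcceptedTestCert` is only for the interim where you would otherwise be tempted to disable validation entirely.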

You might want to experiment with the following setting that can be used in client config to bypass the certificate validation process:

    <serviceCertificate>
      <authentication certificateValidationMode="None"
                      revocationMode="NoCheck" />
    </serviceCertificate>
Tanner