
What are the criteria WebRequest uses to validate the host certificate if it is an SSL connection?

Eugene Mayevski 'Callback

1 Answer


The complete validation mechanism is described in RFC 5280, section 6.

In brief:

Certificate validation is not a one-step process. It's a complex procedure that involves validation of the certificate chain from the end-entity certificate (the one being validated) to the CA certificate and up to the trusted root certificate. For each certificate in the chain the following steps are taken:

  • Analyzing the certificate itself (values of different certificate fields and extensions)
  • Checking certificate integrity with the CA certificate
  • Checking certificate revocation status in Certificate Revocation Lists and via the OCSP protocol

As CRLs and OCSP responses are signed using certificates, those certificates are validated as well, giving us extra certificate chains.

So you end up validating not a single certificate, and not a chain of certificates, but a tree of certificates.

Eugene Mayevski 'Callback
  • "Checking certificate integrity with the CA certificate": Where does WebRequest() obtain the CA certificate from? – Nov 01 '13 at 10:36
  • @usario If you are talking about .NET, CA certificates either come from the remote side (the remote side sends not just the end-entity certificate but the certificate chain, which can consist of two or more certificates) or are taken from the Windows certificate store (the CA and ROOT stores). – Eugene Mayevski 'Callback Nov 01 '13 at 15:29
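The answer and the comment thread above describe path validation in the abstract: the server supplies the end-entity certificate plus any intermediates, the client supplies the trusted roots from its own store, and every link in the chain is checked for signature, validity period and constraints before the host name is matched. The following is an added example, not code from the question, the answer, or .NET itself; it uses Go's standard-library crypto/x509 rather than WebRequest because it can run stand-alone, but the steps are the same RFC 5280 section 6 procedure. It constructs a throwaway hierarchy (root, intermediate, leaf for www.example.com, plus an unrelated root) and then runs the validation once correctly and once for each common failure: intermediate not sent by the server, root not in the trust store, host name mismatch, and an expired leaf. All certificate names, serial numbers and dates are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier hierarchy plus an unrelated root so the
// "issuer not trusted" case can be exercised. Nothing here is a real CA.
type PKI struct {
	Root, Inter, Leaf, OtherRoot *x509.Certificate
}

// issue generates a fresh key pair and signs tmpl with parentKey.
// When parent is nil the certificate is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate builds a CA certificate template with basic constraints set;
// pathLen limits how many further CA certificates may sit below it.
func caTemplate(cn string, serial int64, now time.Time, years, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
	}
}

// BuildPKI constructs root -> intermediate -> leaf (www.example.com) and an unrelated root.
func BuildPKI(now time.Time) PKI {
	root, rootKey := issue(caTemplate("Example Root CA", 1, now, 10, 1), nil, nil)
	inter, interKey := issue(caTemplate("Example Issuing CA", 2, now, 5, 0), root, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"}, // host name is matched against SANs, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := issue(leafTmpl, inter, interKey)
	other, _ := issue(caTemplate("Unrelated Root CA", 4, now, 10, 1), nil, nil)
	return PKI{Root: root, Inter: inter, Leaf: leaf, OtherRoot: other}
}

// VerifyChain mirrors what a TLS client does: leaf and intermediates come from the
// server, roots come from the local trust store. Verify walks the chain checking each
// signature against its issuer, validity at the given time, basic constraints / path
// length, extended key usage, and finally the host name on the leaf.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string, at time.Time) ([][]*x509.Certificate, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         rootPool,
		Intermediates: interPool,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the example
	p := BuildPKI(now)
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	cases := []struct {
		name          string
		inters, roots []*x509.Certificate
		host          string
		at            time.Time
	}{
		{"full chain", certs(p.Inter), certs(p.Root), "www.example.com", now},
		{"missing intermediate", nil, certs(p.Root), "www.example.com", now},
		{"untrusted root", certs(p.Inter), certs(p.OtherRoot), "www.example.com", now},
		{"wrong host", certs(p.Inter), certs(p.Root), "evil.example.com", now},
		{"expired leaf", certs(p.Inter), certs(p.Root), "www.example.com", now.AddDate(2, 0, 0)},
	}
	for _, c := range cases {
		chains, err := VerifyChain(p.Leaf, c.inters, c.roots, c.host, c.at)
		if err != nil {
			fmt.Printf("%-21s REJECT: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-21s OK, chain length %d\n", c.name, len(chains[0]))
	}
}
```

Two caveats worth keeping in mind when mapping this back to the answer. First, the "missing intermediate" case is exactly the situation the comment describes: if the server sends only the end-entity certificate and the client has no other source for the issuing CA, validation fails with an unknown-authority error even though the root is trusted (.NET and Windows can sometimes rescue this by fetching the intermediate from the AIA URL in the certificate, which this example deliberately does not do). Second, Go's Verify performs no revocation checking at all, so the CRL/OCSP branches of the "tree" the answer mentions, including validation of the responder's own certificate chain, are left to the application.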