X509Certificate2.Verify() returns false always

Question

Facing a really strange issue X509Certificate2.Verify() returning false for a valid certificate. Maybe some has already faced this strange scenario before and can shine some light on it.

I am using openssl to generate client certificates for testing purposes. I create a Root CA and generate a client certificate based on that Root CA and add the Root CA to its chain.

I load the Root CA and the Client Cert to the local certificate store and it seems ok there but when I load it from my NUnit code to test X509Certificate2.Verify() always returns false.

enter image description here

Here is the code to load the Cert from the store:

        X509Store store = new X509Store(StoreName.My);
        string thumbprint = "60 d1 38 95 ee 3a 73 1e 7e 0d 70 68 0f 2d d0 69 1e 9a eb 72";
        store.Open(OpenFlags.ReadOnly);
        var mCert = store.Certificates.Find(
                                X509FindType.FindByThumbprint,
                                thumbprint,
                                true
                              ).OfType<System.Security.Cryptography.X509Certificates.X509Certificate>().FirstOrDefault();
        if(mCert != null)
        {
            var testClientCert = new X509Certificate2(mCert);
        }

Here is the Client Cert that I have just generated: (the CRL url is accessible from my local machine correctly)

And here is the CRL file that gets download when I access it from the browser:

There's a few questions relating to this, like this one: http://stackoverflow.com/questions/1277791/x509certificate2-validation-on-web-service Have you tried any of these yet? — weston, Feb 27 '15 at 09:25
@weston Yes, indeed. I checked the following link which seems to be like mine, http://stackoverflow.com/questions/10137208/x509certificate2-verify-method-always-return-false-for-the-valid-certificate?rq=1 but then I can access the CRL url in my client cert just fine from the browser and I am using Nunits tests which runs under the local Windows user account which I used to install the Cert and its RootCA to the current Cert store for this Windows user. — Deb, Feb 27 '15 at 09:41
please, export this certificate to a file and show us certutil command output: `certutil -verify -urlfetch \file.cer`. — Crypt32, Feb 27 '15 at 10:28
@CryptoGuy thank you very much for the answer - that was really helpful. I did what you asked and here is the output: [link to the screenshot of the certutil command output](http://imgur.com/nQxjPp5) — Deb, Mar 06 '15 at 10:20
Thanks, it is helpful, but not suffient. Please, update your post and include issuer certificate. — Crypt32, Mar 06 '15 at 11:46

score 40 · Answer 1 · answered Feb 27 '15 at 11:27

40

According to the X509Certificate2.Verify documentation

This method builds a simple chain for the certificate and applies the base policy to that chain. If you need more information about a failure, validate the certificate directly using the X509Chain object.

Therefore I would try to build chain using this code (replace Log method with your own implementation, I was using Console.Writeline)

X509Chain chain = new X509Chain();

try
{
    var chainBuilt = chain.Build(testClientCert );
    Log(string.Format("Chain building status: {0}", chainBuilt));

    if (chainBuilt == false)
        foreach (X509ChainStatus chainStatus in chain.ChainStatus)
            Log(string.Format("Chain error: {0} {1}", chainStatus.Status, chainStatus.StatusInformation));
}
catch (Exception ex)
{
    Log(ex.ToString());
}

This code will tell you the reason why the certificate could not be verified. If you need to adjust chain policy then set chain.ChainPolicy property i.e.

chain.ChainPolicy = new X509ChainPolicy()
{
    RevocationMode = X509RevocationMode.NoCheck,
    VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid,
    UrlRetrievalTimeout = new TimeSpan(0, 1, 0)
};

answered Feb 27 '15 at 11:27

pepo

8,644
2
27
42

Yes, true. But I first want to just do a basic check if the certificate is valid and then go onto checking the whole chain. I dont want to waste time on checking the whole chain (which by the way can be very big in my case) before the basic verification passes on the certificate which I think quite a simple and valid use case. – Deb Mar 06 '15 at 10:16
1

This code helped me figure out why Verify() was returning false. The chainStatus.StatusInformation returned the following: "The revocation function was unable to check revocation for the certificate." In your case, the status may be different, but I do believe that the above code is useful for troubleshooting. – user3308241 Mar 17 '16 at 18:27
4

@Deb Verify builds the whole chain, but throws it away. You may as well build it yourself (provided that you Dispose it (4.6) or call Reset on it (other) when done). – bartonjs Jul 06 '16 at 14:18
But the `chain.Build` always return true in mono. – sakiM Feb 06 '18 at 01:43

X509Certificate2.Verify() returns false always

1 Answers1

Linked