
Facing a really strange issue: X509Certificate2.Verify() returning false for a valid certificate. Maybe someone has already faced this strange scenario before and can shine some light on it.

I am using makecert to generate client certificates for testing purposes. It works fine and I can read the certificates, but the Verify function always returns false. I write this on cmd:

makecert -r -pe -n "client1" -b 01/01/2005 -e 01/01/2020 -sky exchange -ss certifcat

when I write :

    X509Certificate2 x509_2 = LoadCertificate(StoreLocation.CurrentUser, "client1");
    Console.WriteLine("Verify " + x509_2.Verify()); // the output: false

Can anybody help?

EDIT: the output of certutil -verify D:\test.cer:

Issuer:
    CN=WWW.AGGREGATEDINTELLIGENCE.COM
  Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
  Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Subject:
    CN=WWW.AGGREGATEDINTELLIGENCE.COM
  Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
  Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
Cert Serial Number: 8aa4007cd7a02e8045301ccb11369bb2

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=109 dwErrorStatus=20
  Issuer: CN=WWW.AGGREGATEDINTELLIGENCE.COM
  NotBefore: 1/1/2005 12:00 AM
  NotAfter: 1/1/2020 12:00 AM
  Subject: CN=WWW.AGGREGATEDINTELLIGENCE.COM
  Serial: 8aa4007cd7a02e8045301ccb11369bb2
  Cert: c6388297376cfde5742b3bd2a217ba1c728bc005
  Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: c6388297376cfde5742b3bd2a217ba1c728bc005
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

1 Answer


There are two things to consider:

  1. Stop using deprecated makecert.exe. Instead, you should consider using the New-SelfSignedCertificate PowerShell cmdlet to generate test certificates.

  2. The problem is that the certificate is not issued by a trusted authority. You have to install a copy of the certificate to LocalMachine\Root store.

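The status the answer describes can be seen directly from .NET without installing anything into the machine Root store. The following is an added example, not code from the question or from Crypt32's answer; it assumes .NET 5 or later (where `X509ChainPolicy.CustomTrustStore` and `X509ChainTrustMode` exist) and the class and method names (`TestCertTrust`, `CreateSelfSigned`, `SystemTrustStatus`, `VerifyWithCustomRoot`) are hypothetical. It creates a self-signed test certificate like the makecert one in the question, shows that `Verify()` reports false because the chain ends in an untrusted root (the same `CERT_TRUST_IS_UNTRUSTED_ROOT` that certutil printed), and then validates the same certificate against an explicit trust anchor scoped to this one chain.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (hypothetical class name). Assumes .NET 5+.
static class TestCertTrust
{
    // Build a self-signed certificate comparable to the makecert output in the
    // question. Subject name is an assumption for the example.
    public static X509Certificate2 CreateSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(
            $"CN={subject}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Build the chain against the system trust stores, the way Verify() does,
    // and collect the status flags. For the certificate in the question this
    // yields UntrustedRoot, the .NET name for CERT_TRUST_IS_UNTRUSTED_ROOT.
    public static X509ChainStatusFlags SystemTrustStatus(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(cert);

        var flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;
        return flags;
    }

    // Validate against an explicit trust anchor instead of LocalMachine\Root.
    // Only this chain trusts the anchor; nothing else on the machine is affected.
    public static bool VerifyWithCustomRoot(X509Certificate2 cert, X509Certificate2 trustedRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }

    public static void Main()
    {
        using X509Certificate2 cert = CreateSelfSigned("client1");

        // Same call as in the question: false, because no trusted root issued it.
        Console.WriteLine($"Verify(): {cert.Verify()}");

        // Shows *why* it failed, rather than just false.
        Console.WriteLine($"Chain status: {SystemTrustStatus(cert)}");

        // The self-signed cert is its own root, so it serves as the anchor here.
        Console.WriteLine($"Custom root trust: {VerifyWithCustomRoot(cert, cert)}");
    }
}
```

Reading the chain status is the quickest way to tell an untrusted root apart from an expired certificate or a revocation failure, which `Verify()` alone collapses into a single false. Adding the certificate to `LocalMachine\Root`, as the answer suggests, makes it a trust anchor for every application and user on that machine; the custom trust store limits that trust to the code that builds the chain, which is usually what a test setup actually needs.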
  • How can I install a copy of the certificate to LocalMachine\Root?? I followed these steps but it did not work: https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx – code Dec 15 '16 at 15:22
  • Export your certificate to a CER file and run the following command: `certutil -verify path\certfile.cer` and post the output in your question. – Crypt32 Dec 15 '16 at 17:08
  • I did what you asked and the output is in my question above ... but when I run the project the Verify gives me false – code Dec 15 '16 at 19:53
  • It appears that you didn't install the certificate to the `LocalMachine\Root` store. Try to add it by running the following command in an elevated cmd shell: `certutil -f -addstore Root path\certfile.cer`. Replace path and file name with actual values. – Crypt32 Dec 15 '16 at 20:15