0

Is there a way to see where exactly is the problem with digital certificate in Windows?

I have bought code signing certificate from CA and I am using it to sign ClickOnce application (using mage.exe) and signing process goes OK. But, when client is installing my ClickOnce application, the installer warns user that publisher is not verified. I got this to work with self-signed certificate. I would like to find out where exactly is the problem with this certificate from CA. Is there any way to "debug" a process of certificate validation (AFAIK that process is Authenticode).

Tomislav
  • 13
  • 1
  • 4

1 Answers1

0

Authenticode is only the type of signature.

Have you double clicked on the certificate that was used to create the signature. The Shell Extension for Windows Explorer might tell you whats wrong - e.g. Untrusted (root/issuer is not in Trusted Certificate Authorities Store), expired, revoked...

Digging deeper (CRL and OCSP): Revocation checking is done besed of Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP).

  1. Here is a white paper for Windows.

  2. Using .NET (C#)

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
ch.Build (certificate);
Console.WriteLine ("Chain Information");
Console.WriteLine ("Chain revocation flag: {0}", ch.ChainPolicy.RevocationFlag);
Console.WriteLine ("Chain revocation mode: {0}", ch.ChainPolicy.RevocationMode);
Console.WriteLine ("Chain verification flag: {0}", ch.ChainPolicy.VerificationFlags);
Console.WriteLine ("Chain verification time: {0}", ch.ChainPolicy.VerificationTime);
Console.WriteLine ("Chain status length: {0}", ch.ChainStatus.Length);
Console.WriteLine ("Chain application policy count: {0}", ch.ChainPolicy.ApplicationPolicy.Count);
Console.WriteLine ("Chain certificate policy count: {0} {1}", ch.ChainPolicy.CertificatePolicy.Count, Environment.NewLine);

Source: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chain.build?view=netframework-4.8

  1. DigiCert offers a tool which is is helpful
Daniel Fisher lennybacon
  • 3,865
  • 1
  • 30
  • 38