how to validate a user certificate?

I have one root certificate and one user certificate of this root. I do not want to use the registry. I added the user certificate into the chain. So how do i add the root into the chain and validate the user certificate?

As you probably have noticed, the CertificateChain class has two constructors. One of the constructors has two parameters - a Certificate and a CertificateStore instance. You can use this second parameter to pass a CertificateStore that contains your root CA certificate and any intermediate certificate.

In your case, you could use the following code: [warning: I haven't tested the code, so it may not compile as is]

Certificate user = ...;
Certificate root = ...;

CertificateStore rootstore = new CertificateStore();
rootstore.AddCertificate(root);

CertificateChain chain = new CertificateChain(user, rootstore);

// at this point, chain is a variable that
// holds a reference to a CertificateChain
// of the user Certificate

//verify the chain:
string server_common_name = "www.domain.com";
CertificateStatus status = chain.VerifyChain(server_common_name, AuthType.Server);

// 'status' contains the validation status
// of the certificate
// CertificateStatus.ValidCertificate means
// that the validation was successful;
// anything else means there was
// a problem with the certificate

thank you for your reply but there is a problem.

and when I use this code, it gives me the untrustedRoot error.

my whole code is:

Certificate cert = ..;
Certificate root = ..;
Certificate subRoot = ..;

CertificateStore rootstore = new CertificateStore();
rootstore.AddCertificate(root);
rootstore.AddCertificate(subRoot);

CertificateChain chain = new CertificateChain(user, rootstore);
chain.VerifyChain(null, AuthType.Client);

so it gives me the untrustedRoot error.

what am I wrong?

sorry I mistyped at my previous reply. this reply is correct.

thank you for your reply but there is a problem.

and when I use this code, it gives me the untrustedRoot error.

my whole code is:

Certificate cert = ..;
Certificate root = ..;
Certificate subRoot = ..;

CertificateStore rootstore = new CertificateStore();
rootstore.AddCertificate(root);
rootstore.AddCertificate(subRoot);

CertificateChain chain = new CertificateChain(cert, rootstore);
chain.VerifyChain(null, AuthType.Client);

so it gives me the status CertificateStatus.UnTrustedRoot.

where am I wrong?

Your system _only_ trusts root CAs that have their certificate in the ROOT certificate store, so you first have to install that CA certificate in the ROOT store.
Note that, once you've installed that certificate, most -if not all- Windows programs using SSL or TLS on your computer will trust certificates from that certificate authority, so use it with caution.

Installing certificates goes as follows:

Certificate rootca_cert = ...;
// open the ROOT store
CertificateStore cs = new CertificateStore(CertificateStore.RootStore);
// install the certificate
cs.AddCertificate(rootca_cert);


Alternatively, you can verify the certificate chain and tell it to skip the root CA check. This is the suggested approach if you're using a test CA, but it should not be used anymore once you release the software.
You can use the 'flags' parameter from one of the VerifyChain overloads to accomplish this.

thank you so much for your complete & quick answers.

there is still a problem.

I just put the root into rootStore. And I do not put the subRoot into the CA store. But still my certificate is shown as valid where actually it should not.

************************************

And let's forget about the system stores. What i want to do is so simple and exactly the following:

CertificateStore store = new CertificateStore();
store.AddCertificate(rootCert);
store.AddCertificate(subRootCert);

CertificateChain cc = new CertificateChain(userCert,store);

CertificateStatus status = cc.VerifyChain(null, AuthType.Client, /*verification flags*/);

what is the "verification flags" parameter exactly in order to get a status.valid?(allowTestRoot, trustTestRoot,etc...)

>I just put the root into rootStore. And I do not put the subRoot
>into the CA store. But still my certificate is shown as valid
>where actually it should not.

This is normal and correct behavior. Only the root certificate should be in the ROOT store; the sub-roots do not have to be in the ROOT store to validate a certificate.

>what is the "verification flags" parameter exactly in order to get
>a status.valid?(allowTestRoot, trustTestRoot,etc...)

I think it's the VerificationFlags.AllowUnknownCA value you want.

Dear Sir,

I have one root certificate which signed the sub-root certificate. And this sub-root certificate signed my userCert.

>>I just put the root into rootStore. And I do not put the subRoot
>>into the CA store. But still my certificate is shown as valid
>>where actually it should not.

>This is normal and correct behavior. >Only the root certificate should be in >the ROOT store; the sub-roots do not >have to be in the ROOT store to >validate a certificate.

This is not normal. One can not verify a user certificate wihout sub-root. In windows root certificates is in rootStore and the subRoots are in CA store. Without sub-root, this certificate is invalid even if you have the root. You must have the root and the subroot both to verify this cert.

I have rootCert, subRootCert and the userCert all in byte[] form in my program (in a hard coded way). I do not want to use the registry or any store. I can use temporary stores in memory. As a result, what must be the value of the verification flags in order to verify the userCert?

Thank you in advance

> This is not normal. One can not verify a user certificate wihout
> sub-root.

From reading your previous posts, I'm under the impression that the subroot certificate and the client certificate were stored in the same memory store. This is fine and will cause the client certificate validation to succeed.
In order to validate a certificate, the following conditions must be met:
- the entire certificate chain from client certificate up to the root certificate must be reconstructed
- the root certificate must be in the ROOT store

It doesn't matter where the subroot certificates are, as long as they can be found.

So, the come back to your remark in your previous post, you said that the certificate chain validated correctly even though the subroot certificate was not in the CA store. Again, this is normal and correct behavior. The only requirement is that the root certificate is present in the ROOT store.
There are no requirements for the subroot certificates as long as they can be found and they're valid.

> I do not want to use the registry or any store. I can use
> temporary stores in memory. As a result, what must
> be the value of the verification flags in order to
> verify the userCert?

Have you tried the value I suggested in my previous post: VerificationFlags.AllowUnknownCA ?

Hi,
if I have more than one web certificate, how can I
know on client, which certificate I have chosen ? I
need that information for my client application.
Can you help me ?
Regards
Daca