Question
I am using a smart card to authenticate the user. I have an authentication service (SecurityTokenService) which handles the authentication logic on the server.
I am using X509Certificate2.Verify() to validate the certificate. Since this API can check if the certificate is valid/revoked by going online and contacting the Certification Authority (CA), do I need the root certificate on the server?
Can we avoid having the root certificate on our local computer? Or is a root certificate always mandatory?
Answer 1:
I tried a few things and here are the observations:
First of all, X509Certificate2.Verify() does not check if all the certificates in the chain are revoked. From this post I came to know that the Verify method internally uses the Crypt32 CertVerifyCertificateChainPolicy function. The documentation for it says that it does not perform certificate revocation checking. In short, the Verify method just checks if the certificate for which it's called is revoked or not.
Regarding the root certificate:
- If you are using X509Certificate2.Verify() and the root cert is absent, then the method will outright return false. So with this method the root certificate is absolutely required.
- If you are using X509Chain to build the trust chain, then you can decide whether to exclude root certificate revocation or whether to go online/offline to verify the revocation status of the certificates.
- However, whether you go online or not, or whether you exclude the root certificate or not, you get the PartialChain value in the ChainStatus if the root certificate is missing. So to build the full trust chain, you need a root certificate on your machine.
Hope this helps someone who wants to know a little more about certificate validation in C#.
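Added example in C# (not code from the question or the answer above) showing the X509Chain approach the answer describes: revocation is checked for every certificate except the root, the check can be switched between online and offline mode, and a missing root shows up as PartialChain in ChainStatus. The helper name IsTrusted and the fail-closed handling are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class ChainCheck
{
    // Builds the trust chain for 'cert' and returns true only if the chain
    // reaches a trusted root and no certificate in it is revoked.
    // Any failure, including an undeterminable revocation status, is treated
    // as untrusted (fail closed). Hypothetical helper, not part of the answer.
    public static bool IsTrusted(X509Certificate2 cert, bool online)
    {
        var chain = new X509Chain();

        // Check revocation for the whole chain except the self-signed root;
        // this is the "exclude root certificate revocation" option from the answer.
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

        // Online contacts the CA's CRL/OCSP endpoints; Offline uses only
        // revocation data already cached on the machine.
        chain.ChainPolicy.RevocationMode = online
            ? X509RevocationMode.Online
            : X509RevocationMode.Offline;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

        if (chain.Build(cert))
            return true;

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            // PartialChain: the chain could not be completed up to a trusted
            // root, i.e. the root certificate is not installed on this machine.
            if (status.Status.HasFlag(X509ChainStatusFlags.PartialChain))
                Console.WriteLine("Root certificate missing: " + status.StatusInformation);
            else if (status.Status.HasFlag(X509ChainStatusFlags.Revoked))
                Console.WriteLine("Certificate revoked: " + status.StatusInformation);
            else if (status.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown) ||
                     status.Status.HasFlag(X509ChainStatusFlags.OfflineRevocation))
                Console.WriteLine("Revocation status undetermined: " + status.StatusInformation);
            else
                Console.WriteLine(status.Status + ": " + status.StatusInformation);
        }
        return false;
    }
}
```

Unlike X509Certificate2.Verify(), this lets the service log which condition caused the failure, so a missing root (a deployment problem) can be told apart from a revoked smart card certificate (a security event).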
Source: https://stackoverflow.com/questions/10100403/do-we-need-root-certificate-installed-on-the-machine-always