DalSoft · July 10, 2019 13:37
diff --git a/ValidateCertificateChain.cs b/ValidateCertificateChain.cs
  private static bool ValidateCertificateChain(X509Certificate certificate)
  {
      var chain = new X509Chain();
      var root = new X509Certificate2("ca.cer"); // Root CA of Self signed cert
      var cert = new X509Certificate2(certificate);

      chain.Reset(); // Not sure is this is needed 
      chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreRootRevocationUnknown;
      chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; // Check with our own CA if the cert has been revoked
      chain.ChainPolicy.ExtraStore.Add(root); // Self signed Root CA

      if (!chain.Build(cert))
      {   // checking if the certificates chain failed, let check if it's just an UntrustedRoot error, that is expected for Self signed Root CA

          foreach (var chainStatus in chain.ChainStatus) // what is the status of each cert in the chain
          {
              if (chainStatus.Status == X509ChainStatusFlags.NoError)
                  continue; //Awesome this cert good was carry on.

              if (chainStatus.Status == X509ChainStatusFlags.UntrustedRoot)
              {
                  // Got you - Untrusted Root error can happen with a self signed cert because the Root CA isn't installed in the OS's CA Root Certificate Store
                  // Now just check it's the root CA we expect
                  var providedRoot = chain.ChainElements[chain.ChainElements.Count - 1]; // Root CA is last or something is broken
                  return root.Thumbprint == providedRoot.Certificate.Thumbprint; // Is expected Root CA
              }
          }

          return false; // Any other cert error other than X509ChainStatusFlags.UntrustedRoot
      }

      return true; // No errors at all 
  }
	private static bool ValidateCertificateChain(X509Certificate certificate)
	{
	var chain = new X509Chain();
	var root = new X509Certificate2("ca.cer"); // Root CA of Self signed cert
	var cert = new X509Certificate2(certificate);

	chain.Reset(); // Not sure is this is needed
	chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreRootRevocationUnknown;
	chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; // Check with our own CA if the cert has been revoked
	chain.ChainPolicy.ExtraStore.Add(root); // Self signed Root CA

	if (!chain.Build(cert))
	{ // checking if the certificates chain failed, let check if it's just an UntrustedRoot error, that is expected for Self signed Root CA

	foreach (var chainStatus in chain.ChainStatus) // what is the status of each cert in the chain
	{
	if (chainStatus.Status == X509ChainStatusFlags.NoError)
	continue; //Awesome this cert good was carry on.

	if (chainStatus.Status == X509ChainStatusFlags.UntrustedRoot)
	{
	// Got you - Untrusted Root error can happen with a self signed cert because the Root CA isn't installed in the OS's CA Root Certificate Store
	// Now just check it's the root CA we expect
	var providedRoot = chain.ChainElements[chain.ChainElements.Count - 1]; // Root CA is last or something is broken
	return root.Thumbprint == providedRoot.Certificate.Thumbprint; // Is expected Root CA
	}
	}

	return false; // Any other cert error other than X509ChainStatusFlags.UntrustedRoot
	}

	return true; // No errors at all
	}