Jonas Stawski

Reputation: 6752

How to get Thumbprint or Public Key of Issuer Certificate?

We have created a self signed CA certificate which we use to sign other certificates for SSL purposes. These certificates will be installed in other servers which we do not have access to and will be strictly to communicate with other clients like mobile applications.

When these clients (written in .NET) make a request to the servers using HTTPS we get the "Invalid certificate received from server" error because the CA cert is not a trusted CA on that client.

We want to bypass this security using the ServicePointManager.ServerCertificateValidationCallback, but only if the certificate being used was signed by our CA certificate.

I can check the certificate.Issuer, but that can easily be spoofed by anyone. How can I get the Thumbprint or Public Key of the Issuer certificate of the invalid certificate? If I can get access to that I can easily compare it to the one I know is valid and ignore the certificate error and continue on with the request.

UPDATE

I think I am getting closer. It looks like what we're looking to do is not doable, so we went a slightly different direction.

Using the X509Chain we can verify whether the certificate is a child of the CA using the code below:

using System.Security.Cryptography.X509Certificates;

// Our own CA certificate (public part); [path] is a placeholder for where it is stored.
var caCert = new X509Certificate2(@"[path]\MyCA.cer");

// Build a chain for the server certificate, letting the chain builder find our CA in ExtraStore;
// no revocation check is attempted against the private CA.
var newChain = new X509Chain();
newChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
newChain.ChainPolicy.ExtraStore.Add(caCert);

// certInQuestion is the X509Certificate2 received from the server.
var res = newChain.Build(certInQuestion);

Build() still returns false (as expected because the CA is not trusted on the client), but now newChain.ChainStatus[0].Status is returning UntrustedRoot. Based on my testing this means the chain validated because if I supply a different CA Certificate it fails with InvalidChain.

In conclusion, that tells me that if the Status is UntrustedRoot, the certificate was created with our CA certificate and thus it's valid, anything else it's a fake one!

Are my assumptions correct?

Upvotes: 12

Views: 9509
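A validation callback along the lines the update describes, added here as an example that is not part of the question or of any answer: it rebuilds the chain with the CA in ExtraStore, requires that UntrustedRoot is the only problem reported (checking every ChainStatus entry, not just the first), and then compares the thumbprint of the root the chain actually ended in with the known CA instead of trusting the Issuer name. The CA file path is an assumed placeholder, and ServicePointManager is the .NET Framework hook the question uses.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CaPinning
{
    // True only if 'presented' chains to 'ourCa' and the chain's sole defect is that
    // the root is absent from the client's trust store.
    public static bool IsIssuedByOurCa(X509Certificate2 presented, X509Certificate2 ourCa)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA: no CRL/OCSP
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.ExtraStore.Add(ourCa);

        chain.Build(presented); // false when the root is untrusted; the reason is in ChainStatus

        // Check every status, not just ChainStatus[0]: NotSignatureValid, PartialChain,
        // NotTimeValid etc. can be reported alongside UntrustedRoot and each is a failure.
        foreach (var status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // The last element is the root the chain actually ended in. Compare it by
        // thumbprint (or RawData), not by the spoofable Issuer name.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, ourCa.Thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Hook the check into ServicePointManager; caCerPath points at the public part of
    // our CA (assumed placeholder path, e.g. @"[path]\MyCA.cer").
    public static void Install(string caCerPath)
    {
        var ourCa = new X509Certificate2(caCerPath);
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, sslPolicyErrors) =>
            {
                if (sslPolicyErrors == SslPolicyErrors.None) return true;
                // Only the chain-error case is ours to decide; a name mismatch or a
                // missing certificate still fails.
                if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
                return IsIssuedByOurCa(new X509Certificate2(certificate), ourCa);
            };
    }
}
```

Call `CaPinning.Install(@"[path]\MyCA.cer")` once at startup; any server certificate that does not terminate in our CA, or that has any chain defect other than the untrusted root, is still rejected.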

Answers (4)

user2088532

Reputation: 1

Here are some links with info and some tools to generate free public and private keys:

https://www.igolder.com/pgp/

https://www.igolder.com/pgp/generate-key/

I think EJP's solution is the most acceptable. @EJP, can you give us some examples of applications that can help us become a "tiny CA".

Upvotes: 0

Alex Filipovici

Reputation: 32581

It seems that a possible solution would be that you could email the certificate, according to this answer: https://stackoverflow.com/a/4473799/674700.

Upvotes: -1

user207421

Reputation: 311052

That's the wrong solution. You should install your self-signed certificate as a trusted CA certificate in all clients, or better still just get it signed by a CA that is already trusted. Don't write code for this.

Upvotes: 1

Andrew Connell

Reputation: 5337

I'm not entirely sure this is what you're looking for but it might push you in the right direction. Here's a PowerShell script I use to find a cert that I just created and extracted using MAKECERT.EXE & CERTMGR.EXE:

# Inputs assumed to be set earlier in the script (placeholder paths, not part of the original excerpt)
$certificateFullPath = 'C:\path\to\MyCert.cer'   # certificate created with MAKECERT.EXE
$ExeCertManager      = 'C:\path\to\certmgr.exe'  # CERTMGR.EXE

# get certificate thumbprint
$appCertificate = Get-PfxCertificate -FilePath $certificateFullPath

# install the certificate into the LocalMachine Trusted Root store
Write-Host "  .. adding certificate to local machine root" -ForegroundColor Gray
& $ExeCertManager /add $certificateFullPath /s /r localMachine root
Write-Host "  Certificate installed on local machine" -ForegroundColor Gray

# locate the matching certificate in the LocalMachine Personal (My) store by thumbprint
Write-Host "  .. exporting private key for certificate" -ForegroundColor Gray
Get-ChildItem cert:\localmachine\my | Where-Object { $_.Thumbprint -eq $appCertificate.Thumbprint } | ForEach-Object {
    # base name of the certificate file, used to name the exported .pfx
    $CertPfxName = (Get-Item -Path $certificateFullPath).BaseName
}

Upvotes: -1
