Reputation: 1386
Certificates have been deployed like "Root CA" -> "Intermediate CA" -> "End certificate". If I disable all purposes of the "Root CA" certificate, will I still be able to use the end certificate? How do I check the status programmatically? Honestly, I don't know what those radio buttons in the certificate properties serve, or how/where to check their effect.
I disabled the certificate purposes via "mmc.exe" -> Add/Remove Snap-in -> Certificates -> Local Machine -> Trusted Root Certification Authorities -> ROOT CA, right-click -> Properties -> "Disable all purposes for this certificate".
Please help.
Upvotes: 0
Views: 355
Reputation: 13974
whether I will be able to use the end certificate
If the application asks the certificate chaining engine to verify the chain for a specific EKU OID, you will see an error returned (CERT_E_WRONG_USAGE) and the certificate is invalidated. There are scenarios where applications do not require a specific EKU to be valid through the entire chain and only check whether the specified EKU is present in the certificate under validation (for example, when validating OCSP signing certificates). In this case, these settings won't affect certificate validation.
how/where to check its effect?
If you want to read these settings programmatically, you will have to use some interop and call the CertGetCertificateContextProperty native function, passing CERT_ENHKEY_USAGE_PROP_ID as the PropID argument. I don't have C# code, but some time ago I posted PowerShell code that reads these properties: How to retrieve certificate purposes property with CryptoAPI and PowerShell
Upvotes: 1
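As an added example (not the answerer's linked script), the following PowerShell reads the CERT_ENHKEY_USAGE_PROP_ID property described above through CertGetCertificateContextProperty and distinguishes the three states of the "purposes" radio buttons: property absent (all purposes enabled, the default), property present with zero OIDs (disabled for all purposes), or a list of enabled EKU OIDs. The function name Get-CertPurposeState and the Win32.Crypt32 wrapper type are my own names; the layout of the returned CERT_ENHKEY_USAGE (CTL_USAGE) structure is assumed to be a DWORD count followed by a pointer-aligned pointer array, which holds on both x86 and x64.

```powershell
# Added example: read the CERT_ENHKEY_USAGE_PROP_ID property (the mmc "purposes" setting)
# of a certificate via CertGetCertificateContextProperty. Names below are assumptions, not
# part of the original answer.
$sig = @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@
$Crypt32 = Add-Type -MemberDefinition $sig -Name Crypt32 -Namespace Win32 -PassThru
$M = [System.Runtime.InteropServices.Marshal]
$CERT_ENHKEY_USAGE_PROP_ID = 9          # property id passed as dwPropId

function Get-CertPurposeState {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cb = [uint32]0
    # First call with a NULL buffer only asks for the required size. If the property was
    # never set, the call fails with CRYPT_E_NOT_FOUND (0x80092004): default, all purposes.
    $ok = $Crypt32::CertGetCertificateContextProperty($Cert.Handle, $CERT_ENHKEY_USAGE_PROP_ID,
                                                      [IntPtr]::Zero, [ref]$cb)
    if (-not $ok) {
        $err = $M::GetLastWin32Error()
        if (('{0:X8}' -f $err) -eq '80092004') { return 'AllPurposes (default, property not set)' }
        throw ('CertGetCertificateContextProperty failed: 0x{0:X8}' -f $err)
    }
    $buf = $M::AllocHGlobal([int]$cb)
    try {
        if (-not $Crypt32::CertGetCertificateContextProperty($Cert.Handle, $CERT_ENHKEY_USAGE_PROP_ID,
                                                             $buf, [ref]$cb)) {
            throw ('CertGetCertificateContextProperty failed: 0x{0:X8}' -f $M::GetLastWin32Error())
        }
        # CERT_ENHKEY_USAGE / CTL_USAGE: DWORD cUsageIdentifier; LPSTR *rgpszUsageIdentifier;
        $count = $M::ReadInt32($buf)
        if ($count -eq 0) { return 'DisabledForAllPurposes' }   # property present, no OIDs
        $arr  = $M::ReadIntPtr($buf, [IntPtr]::Size)              # pointer array follows padding
        $oids = for ($i = 0; $i -lt $count; $i++) {
            $M::PtrToStringAnsi($M::ReadIntPtr($arr, $i * [IntPtr]::Size))
        }
        return 'EnabledOnlyFor: ' + ($oids -join ', ')
    } finally {
        $M::FreeHGlobal($buf)
    }
}

# Usage: report the purpose state of every Trusted Root CA certificate on this machine.
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
    '{0} => {1}' -f $_.Subject, (Get-CertPurposeState -Cert $_)
}
```

Run it in an elevated session after toggling the radio buttons in mmc on a test root to see the reported state change; the same property read can be wrapped in C# with the identical P/Invoke signature.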