Maxim

Reputation: 1132

TLS in .NET - Third Party Root CA not recognized as Trusted Root CA

I am trying to establish a TLS connection between my .NET application and a website for which I have the Third-Party Root CA certificate and the Intermediate CA certificate installed:

using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;

// Allow TLS 1.0 through 1.2 for outgoing connections (process-wide setting).
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

// Present a client certificate explicitly rather than letting the handler pick one.
var handler = new WebRequestHandler
{
    ClientCertificateOptions = ClientCertificateOption.Manual
};
handler.ClientCertificates.Add(someClientCertificate); // someClientCertificate is an X509Certificate2 loaded elsewhere

var httpClient = new HttpClient(handler);
httpClient.DefaultRequestHeaders.AcceptCharset.Add(new StringWithQualityHeaderValue("utf-8"));
httpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

// Server certificate validation happens during this call; the chain error is raised here.
var httpResponseMessage = httpClient.GetAsync("https://somewebsite.com").Result;

When I try that, I get the following error during server certificate validation:

(PartialChain) A certificate chain could not be built to a trusted root authority.

When I install the root CA certificate into the Trusted Root CA store the error disappears.

What's the reason for that behavior? From what I've read (see https://security.stackexchange.com/questions/140211/whats-the-difference-between-trusted-root-certification-authorities-and-thir), I've got an impression that the Third-Party Root CA store is basically just a subset of the Trusted Root CA store so the chain should be built successfully.

Note that installing the root CA certificate to the Trusted Root CA store is not an option for me.

Upvotes: 0

Views: 675

Answers (1)

bartonjs

Reputation: 33098

For reasons that I've never understood, the CurrentUser\ThirdPartyRoot store appears to have no function. At least, it isn't linked in to the chain builder trust decisions in an analogous way to LocalMachine\ThirdPartyRoot.

http://kreelbits.blogspot.com/2014/02/whats-purpose-of-users-third-party-root.html has a bit of a rant-of-self-discovery which shows how the backing implementation of the CurrentUser\Root store is structured differently than LocalMachine\Root. One infers from this that the "Root" (not "ThirdPartyRoot") store is the only one actually utilized in trust decisions (LM\ThirdPartyRoot gets included via the store link).

Upvotes: 1
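Since the default chain engine ignores CurrentUser\ThirdPartyRoot and installing the root into Trusted Root is not an option, one defensible workaround on .NET Framework is to build the chain yourself with the Third-Party Root store's certificates as extra candidates, tolerate only the UntrustedRoot status, and then require that the chain ends on the exact root you expect. The following is an added example, not code from the question or the answer; ExpectedRootThumbprint is a placeholder you must replace with the thumbprint of the root you actually trust, and ThirdPartyRootValidator is an assumed name.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class ThirdPartyRootValidator
{
    // Placeholder: SHA-1 thumbprint of the root CA you have verified out of band.
    const string ExpectedRootThumbprint = "EXPECTED_ROOT_THUMBPRINT";

    public static WebRequestHandler CreateHandler()
    {
        var handler = new WebRequestHandler();
        handler.ServerCertificateValidationCallback = Validate;
        return handler;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain systemChain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;            // default trust already succeeded
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;                                            // never override name mismatch or a missing certificate

        using (var chain = new X509Chain())
        {
            // Offer the Third-Party Root store contents to the chain builder, since the
            // CurrentUser copy of that store is not consulted by the default engine.
            using (var store = new X509Store(StoreName.AuthRoot, StoreLocation.CurrentUser))
            {
                store.Open(OpenFlags.ReadOnly);
                chain.ChainPolicy.ExtraStore.AddRange(store.Certificates);
            }
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            // Let the builder complete the chain even though the root is not in Trusted Root;
            // the root is then checked explicitly below instead of being trusted implicitly.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            chain.Build(new X509Certificate2(cert));
            if (chain.ChainElements.Count == 0) return false;

            // Expiry, revocation, signature and PartialChain failures still reject the server.
            foreach (X509ChainStatus status in chain.ChainStatus)
                if (status.Status != X509ChainStatusFlags.NoError &&
                    status.Status != X509ChainStatusFlags.UntrustedRoot)
                    return false;

            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Use `new HttpClient(ThirdPartyRootValidator.CreateHandler())` in place of the handler in the question; the client certificate setup from the question can be added to the returned handler unchanged.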
