Task:

I need to check the validity of all certificates in the trusted root certificate store. After digging through Google, I found this option:

  • build an X509Chain for each certificate. The question arose of how this code works, or more precisely, how the certificate is validated:

      using System;
      using System.Security.Cryptography.X509Certificates;

      X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
      store.Open(OpenFlags.MaxAllowed);
      X509Certificate2Collection certificates = store.Certificates;
      foreach (X509Certificate2 cert in certificates)
      {
          X509Chain chain = new X509Chain();
          // Online: revocation is checked against the CRL fetched from the network
          chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
          chain.Build(cert);
          ...
          bool valid = true;
          foreach (X509ChainElement element in chain.ChainElements)
          {
              // Verify() returns true when the certificate chains to a trusted root
              // and is time-valid; it does not report "revoked" directly, so the
              // result is accumulated rather than overwritten on every iteration.
              valid &= element.Certificate.Verify();
          }
      }

There is also another option: I have an XML document that contains information on all the CAs I need; each CA has a certificate status and a list of URLs of CRL files (certificate revocation lists). How can I read the list of revoked certificates from a CRL file in C#, and verify the root certificate against this CRL file?

I am looking for the best way to validate all root certificates (~700 of them) in C#.

    1 answer

    You have two questions. The first is how it works, the second is a search for an algorithm / ready-made code. I will not help with the second, but for now I have written about CRLs; the question has been revised since. It seems to me that you have already figured out the verification part.

    And yet a couple of words. Root certificates in Windows are managed either by Microsoft itself or by mischievous hands with admin rights (system administrators, viruses). Do not worry about the root certificates of Windows itself: they are removed and installed through Windows Update, and the corporation monitors this closely. But some random CA is a great evil.

    Well, as for how your code works: it checks online, not relying on a "yesterday's" (stale) CRL, but querying in real time. All certificates in the chain must be valid, with an unexpired date, and not listed in the CRL.

    By the way, do not download the CRL too often: they are updated according to a schedule anyway, not every five minutes but several times a day (it varies). And the load on the CRL server is always considerable, and some would gladly shoot.

    • Thanks for the answer. The question is, for what you called "independent" certificates, how is the CRL located? "Do not download the CRL too often" - I plan to run the processing once every 48 hours - Andrey Ivoylov
    • See the certificate field "CRL Distribution Points" - AK ♦
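The following is an added example, not code from the question or the answer above. It puts together the two points the thread makes: build a chain for every certificate in the LocalMachine Root store with online revocation checking and read the result from chain.ChainStatus rather than from Verify(), and locate the CRL by parsing the "CRL Distribution Points" extension (OID 2.5.29.31) the comment refers to. One caveat the question's code runs into: a root is self-signed, so its chain has a single element, and the default RevocationFlag (ExcludeRoot) checks revocation for nothing at all; the example sets EntireChain instead, which for a root without a distribution point is expected to come back as RevocationStatusUnknown. Another: with RevocationMode.Online, CryptoAPI on Windows still reuses a CRL it has cached until that CRL's NextUpdate, so "real time" means "at most one download per CRL validity period", which also answers the concern about hammering the CRL server. The code assumes .NET 6 or later (for System.Formats.Asn1) on Windows; the class and method names are the example's own.

```csharp
// Added example (not from the original question or answer).
// Audits the LocalMachine Root store: builds a chain per certificate with online
// revocation checking, prints the chain status flags, and lists the CRL URLs
// found in the CRL Distribution Points extension. Assumes .NET 6+ on Windows.
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;

static class RootStoreAudit
{
    // OID of the CRL Distribution Points extension (RFC 5280, section 4.2.1.13).
    const string CrlDistributionPointsOid = "2.5.29.31";

    static void Main()
    {
        using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);   // read access is all an audit needs

        foreach (X509Certificate2 cert in store.Certificates)
        {
            using var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            // The default, ExcludeRoot, skips the root, which for a self-signed root
            // is the only element in the chain, i.e. nothing would be checked.
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool ok = chain.Build(cert);
            Console.WriteLine(cert.Subject);
            Console.WriteLine($"  thumbprint: {cert.Thumbprint}");
            Console.WriteLine($"  not after:  {cert.NotAfter:u}");
            Console.WriteLine($"  chain ok:   {ok}");
            // ChainStatus is empty when the chain is fully valid; otherwise each entry
            // carries a flag such as Revoked, NotTimeValid, RevocationStatusUnknown.
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine($"  status:     {status.Status} ({status.StatusInformation.Trim()})");
            foreach (string url in GetCrlDistributionPoints(cert))
                Console.WriteLine($"  crl:        {url}");
        }
    }

    // Returns the URIs from the certificate's CRL Distribution Points extension,
    // or an empty list when the certificate has no such extension (typical for roots).
    public static List<string> GetCrlDistributionPoints(X509Certificate2 cert)
    {
        var urls = new List<string>();
        X509Extension? ext = cert.Extensions[CrlDistributionPointsOid];
        if (ext == null) return urls;

        // CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
        var reader = new AsnReader(ext.RawData, AsnEncodingRules.DER);
        AsnReader points = reader.ReadSequence();
        var dpNameTag   = new Asn1Tag(TagClass.ContextSpecific, 0); // distributionPoint [0] (explicit)
        var fullNameTag = new Asn1Tag(TagClass.ContextSpecific, 0); // fullName [0] GeneralNames
        var uriTag      = new Asn1Tag(TagClass.ContextSpecific, 6); // uniformResourceIdentifier [6] IA5String

        while (points.HasData)
        {
            // DistributionPoint ::= SEQUENCE { distributionPoint [0] OPTIONAL, reasons [1] OPTIONAL, cRLIssuer [2] OPTIONAL }
            AsnReader dp = points.ReadSequence();
            if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(dpNameTag)) continue;

            // DistributionPointName ::= CHOICE { fullName [0], nameRelativeToCRLIssuer [1] }
            AsnReader dpName = dp.ReadSequence(dpNameTag);
            if (!dpName.HasData || !dpName.PeekTag().HasSameClassAndValue(fullNameTag)) continue;

            // GeneralNames ::= SEQUENCE OF GeneralName; only the URI form is of interest here
            AsnReader names = dpName.ReadSequence(fullNameTag);
            while (names.HasData)
            {
                if (names.PeekTag().HasSameClassAndValue(uriTag))
                    urls.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, uriTag));
                else
                    names.ReadEncodedValue();   // skip directoryName, dNSName, etc.
            }
        }
        return urls;
    }
}
```

Run it in a console project; the interesting lines are the status flags. Revoked is the one that matters for the question; RevocationStatusUnknown together with OfflineRevocation means no CRL could be located or fetched, which for a self-signed root is the normal outcome, and NotTimeValid or UntrustedRoot are reported independently of revocation. For the CA certificates from the XML file, feed their CRL URLs from GetCrlDistributionPoints into whatever download schedule is chosen; the 48-hour interval mentioned in the comments is well above the several-times-a-day update cadence the answer describes.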