4

I am trying to connect to a Mosquitto broker. The broker will have a ca.crt and a server.crt. My app will only have the ca.crt.

Upon connection the broker provides both ca.crt and server.crt (certificate chain). How can I validate both against the ca.crt which I already have? ca.crt and the one present on the client are the same.

1 Answer 1

3

Use the X509Chain class and put the ca.crt, loaded as X509Certificate2, onto the ExtraStore property of the ChainPolicy property.

using System.Security.Cryptography.X509Certificates;

// Our copy of the CA and the certificate the broker presented.
var caCert = new X509Certificate2(".\\ca.crt");
var serverCert = new X509Certificate2(".\\server.crt");

X509Chain ch = new X509Chain();
ch.ChainPolicy.RevocationMode = X509RevocationMode.Online;
// ExtraStore supplies certificates the chain builder may use; it does not by itself make them trusted.
ch.ChainPolicy.ExtraStore = new X509Certificate2Collection(caCert);
// Build returns false when the chain cannot be completed or fails policy; ch.ChainStatus says why.
bool valid = ch.Build(serverCert);

5 Comments

Unfortunately it does not work for me. Build returns false. However, if I change the order (i.e. add the server cert to the ExtraStore and invoke ch.Build(caCert)) I get true as a result. I also get the X509Chain from the server (CA cert and server cert which were located on the server). When I invoke X509Chain.Build(CA cert from my own station) I also get true. Is any of the above an acceptable method of validation? I get the general idea but I don't understand why your code returns false.
There is a lot of information you can get from the X509Chain which will tell you why it returned false.
After some reading I changed the following parameters: 1. X509RevocationMode.NoCheck; as I have no way of checking the cert online or using CRL. The cert will be stored as a file or installed in the Windows certificate store. 2. X509VerificationFlags.AllowUnknownCertificateAuthority; as my cert is self-signed.
So it works - without the online revocation checks - now as I assume.
Glad to hear
When using ExtraStore, Build() will return false if the root certificate is not registered in the local certificate store. It will also look at other certificates already existing in the local certificate store as well, which may not be desired. If using .NET 5 and forward, the above can be avoided by using CustomTrustStore, see stackoverflow.com/a/78081044/593617
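The following is an added example, not code from the question or the answer, that ties the answer's X509Chain approach together with the points raised in the comments: it pins trust to the one ca.crt the client holds via CustomTrustStore (.NET 5 and later), skips online revocation for a private CA, prints ChainStatus when Build() fails, and shows how the same check plugs into a RemoteCertificateValidationCallback so the chain the broker sends is validated against the local CA rather than against whatever is in the machine store. File paths are placeholders; the certificate files themselves are assumed to exist.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post). Assumes ca.crt and the broker's
// server.crt are DER or PEM certificate files at the placeholder paths below.
static class PinnedCaValidation
{
    // Returns true only if serverCert chains to exactly the CA we hold.
    // Requires .NET 5 or later for X509ChainTrustMode.CustomRootTrust.
    public static bool ValidateAgainstPinnedCa(X509Certificate2 serverCert,
                                               X509Certificate2 caCert,
                                               X509Certificate2Collection? intermediates = null)
    {
        using var chain = new X509Chain();

        // Trust only our CA: the machine and user root stores are ignored, and a
        // server certificate issued by any other CA fails with UntrustedRoot.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);

        // Certificates the broker sent alongside its own go in ExtraStore so the
        // chain can be completed; being in ExtraStore does not make them trusted.
        if (intermediates != null)
            chain.ChainPolicy.ExtraStore.AddRange(intermediates);

        // A private CA normally publishes no CRL or OCSP responder, so skip online
        // revocation instead of loosening trust with AllowUnknownCertificateAuthority.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(serverCert);
        if (!ok)
        {
            // ChainStatus explains why Build() returned false (UntrustedRoot,
            // NotTimeValid, PartialChain, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine($"{status.Status}: {status.StatusInformation}");
        }
        return ok;
    }

    // Callback for SslStream or any client library that exposes
    // RemoteCertificateValidationCallback; it ignores sslPolicyErrors on purpose,
    // because those were computed against the system trust store, not our ca.crt.
    public static RemoteCertificateValidationCallback MakeCallback(X509Certificate2 caCert) =>
        (sender, certificate, chain, sslPolicyErrors) =>
        {
            if (certificate is null)
                return false;

            // Collect whatever the peer presented so the chain builder can use it.
            var presented = new X509Certificate2Collection();
            if (chain != null)
                foreach (X509ChainElement element in chain.ChainElements)
                    presented.Add(element.Certificate);

            using var leaf = new X509Certificate2(certificate);
            return ValidateAgainstPinnedCa(leaf, caCert, presented);
        };

    static int Main()
    {
        // Placeholder paths; substitute the real locations of the two files.
        using var caCert = new X509Certificate2(@".\ca.crt");
        using var serverCert = new X509Certificate2(@".\server.crt");

        bool valid = ValidateAgainstPinnedCa(serverCert, caCert);
        Console.WriteLine(valid ? "server.crt chains to our ca.crt" : "server.crt rejected");
        return valid ? 0 : 1;
    }
}
```

The reason Build(serverCert) returned false in the thread is that ExtraStore only helps complete the chain; the root still has to be trusted, and with the default trust mode that means the machine or user root store. Building the chain on caCert instead, or setting AllowUnknownCertificateAuthority, makes Build() return true but proves nothing about the server certificate, since any unknown CA would then be accepted. CustomRootTrust keeps the check strict while trusting only the CA file the client ships with.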
