0

Facing a really strange issue: X509Certificate2.Verify() returning false for a valid certificate. Maybe someone has already faced this strange scenario before and can shine some light on it.

I am using makecert to generate client certificates for testing purposes. It works fine and I can read the certificates, but the Verify function always returns false. I wrote this in cmd:

makecert -r -pe -n "client1" -b 01/01/2005 -e 01/01/2020 -sky exchange -ss certifcat 

When I write:

    X509Certificate2 x509_2 = LoadCertificate(StoreLocation.CurrentUser, "client1");
    Console.WriteLine("Verify " + x509_2.Verify()); // the output: false

Can anybody help?

EDIT: the output of certutil -verify D:\test.cer:

    Issuer: CN=WWW.AGGREGATEDINTELLIGENCE.COM
      Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
      Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
    Subject: CN=WWW.AGGREGATEDINTELLIGENCE.COM
      Name Hash(sha1): 553fd856f55d46239156546a1693dd5e160f0eed
      Name Hash(md5): dec1c115101d31de7502eee9fb7e6e4b
    Cert Serial Number: 8aa4007cd7a02e8045301ccb11369bb2

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

    CertContext[0][0]: dwInfoStatus=109 dwErrorStatus=20
      Issuer: CN=WWW.AGGREGATEDINTELLIGENCE.COM
      NotBefore: 1/1/2005 12:00 AM
      NotAfter: 1/1/2020 12:00 AM
      Subject: CN=WWW.AGGREGATEDINTELLIGENCE.COM
      Serial: 8aa4007cd7a02e8045301ccb11369bb2
      Cert: c6388297376cfde5742b3bd2a217ba1c728bc005
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

    Exclude leaf cert:
      Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
    Full chain:
      Chain: c6388297376cfde5742b3bd2a217ba1c728bc005
    ------------------------------------
    Verified Issuance Policies: All
    Verified Application Policies: All
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.

1 Answer

2

There are two things to consider:

  1. Stop using deprecated makecert.exe. Instead, you should consider using the New-SelfSignedCertificate PowerShell cmdlet to generate test certificates.

  2. The problem is that the certificate is not issued by a trusted authority. You have to install a copy of the certificate to LocalMachine\Root store.


4 Comments

How can I install a copy of the certificate to LocalMachine\Root? I followed these steps but it did not work: technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx
Export your certificate to a CER file and run the following command: certutil -verify path\certfile.cer and post the output in your question.
I did what you wanted and the output is in my question above ... but when I run the project, Verify gives me false.
It appears that you didn't install the certificate to the LocalMachine\Root store. Try to add it by running the following command in an elevated cmd shell: certutil -f -addstore Root path\certfile.cer. Replace the path and file name with actual values.
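
The steps from the answer and its comments, put together as one PowerShell script. This is an added example, not code from the original posters: it generates a test certificate with New-SelfSignedCertificate, prints why chain building fails, adds the public certificate to LocalMachine\Root, and checks again. The subject `CN=client1-test` and the temp file path are constructed placeholders, and it assumes an elevated Windows PowerShell session where the New-SelfSignedCertificate, Export-Certificate and Import-Certificate cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example. 'CN=client1-test' and $cerPath are constructed placeholders.
$ErrorActionPreference = 'Stop'

function Show-ChainStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Verify() returns only a bool; X509Chain.ChainStatus carries the reason,
    # the same kind of flags certutil -verify prints as dwErrorStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($Certificate)
    "  chain valid: $valid"
    foreach ($s in $chain.ChainStatus) {
        "  {0}: {1}" -f $s.Status, "$($s.StatusInformation)".Trim()
    }
    $chain.Reset()
}

# 1. Self-signed test certificate with an exportable key (replaces makecert -r -pe).
$cert = New-SelfSignedCertificate -Subject 'CN=client1-test' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

"Before adding to Root: Verify() = $($cert.Verify())"
Show-ChainStatus $cert

# 2. Export the public certificate only (no private key) and add that copy
#    to LocalMachine\Root, as certutil -f -addstore Root does.
$cerPath = Join-Path $env:TEMP 'client1-test.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

"After adding to Root: Verify() = $($cert.Verify())"
Show-ChainStatus $cert

# 3. Clean up: a Root entry is trusted machine-wide, so remove the test
#    certificate from both stores (and its key) once testing is done.
Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item $cerPath
```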
