mailing list archives
Validating SSL certificates
From: Erki Männiste <Erki.Manniste () nortal com>
Date: Wed, 4 Jul 2012 17:38:09 +0000
We are developing a software and it is going to be used offline. We have to somehow check if the user’s licence is
still valid and for that, we have decided to use X.509 certificates. So we would create a self-signed root CA and
inherit client certificates from that certificate. So in our program we are able to check if the client cert is still
valid (expiration date attributes) and also that the client cert is a leaf of our root CA. My first question is – is it
enough, moreover, is it a good idea?
I’ve been googeling around the internet but i have not found a good source that explains the magic behind this in less
than 100 pages. So i ask some more questions :
a) do i have to include the root CA also to the program to verify the chain or does the client certificate somehow know
who's it's root CA, so i could only hardcode the root CA's thumbprint for verification?
b) if i need the root CA, do i have to install it to certificate store to perform the validation or can i just use it?
It really wouldn't be a problem to store as a line of bytes to the database (without primary key), but the less the
better. I ask this because my validation code failed, when the root CA was not in trusted root store, but passed when
it was. Perhaps my code was wrong.
- Validating SSL certificates Erki Männiste (Jul 05)