Archive for April, 2010

X509Certificate2 Verify method fails on valid certificate…

April 8, 2010

I’m using the .NET X509Certificate2 Verify method to verify that a file was validly signed with my code signing certificate. I ran into one machine on which this check was failing (while it worked on all the other machines on the same network) and beat my head against it for 2 hours trying to figure out why.

It turns out that if the date/time on a machine is off by a certain amount (in this case it was about a day), the certificate validation fails (apparently this relates to the revocation check). Hopefully this will save someone some time in the future.

For reference, here is how I’m performing the validation of the signature on the file (args[0] in the example) – I additionally check that the subject matches my certificate using the cert2.Subject property.

using System;
using System.Security.Cryptography.X509Certificates;

// Extract the signer certificate from the Authenticode-signed file given in args[0].
X509Certificate cert = X509Certificate.CreateFromSignedFile(args[0]);
X509Certificate2 cert2 = new X509Certificate2(cert);
// Verify() builds the chain with an online revocation check and returns only a bool.
Console.Out.WriteLine("Is Signed File Valid? Verify=" + cert2.Verify());

If you need more information about the chain or failures of the check you can use the code outlined here on MSDN for the X509Chain. For this particular error, it didn’t help – it just said “The revocation function was unable to check revocation for the certificate.” and “The revocation function was unable to check revocation because the revocation server was offline.”

Supposedly you can configure how strict the checks are (whether it checks for revocations, whether it errors out if certificates are expired, etc.) with the X509Chain.ChainPolicy, but I wasn’t having much luck with it. I couldn’t get it to validate iexplore.exe (IE8 for Win7), presumably because the code signing cert used has now expired.
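As an added example (not the post’s own code), here is the X509Chain diagnostic the two paragraphs above describe, folded together with the subject check: it builds the chain with the same revocation settings Verify() uses, prints every status flag and each certificate’s validity window (which is what a skewed clock is compared against), and pins the signer subject. The expected subject string is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class SignerCheck
{
    // Builds the chain for the signer certificate of a signed file and reports
    // every X509ChainStatus entry instead of the single bool that Verify() returns.
    // expectedSubject is an assumed placeholder for the author's own certificate subject.
    static bool CheckSignedFile(string path, string expectedSubject, bool onlineRevocation)
    {
        X509Certificate2 signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));

        X509Chain chain = new X509Chain();
        // Same checks Verify() performs: revocation lookup (online CRL/OCSP) on the whole chain
        // except the root; Offline uses only cached CRLs, which is what a locked-down host sees.
        chain.ChainPolicy.RevocationMode = onlineRevocation ? X509RevocationMode.Online : X509RevocationMode.Offline;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // The chain (NotBefore/NotAfter and the cached CRL validity window) is evaluated at this
        // time, so a machine whose clock is a day off evaluates it at the wrong instant.
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        bool chainOk = chain.Build(signer);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("{0}: {1}", s.Status, s.StatusInformation.Trim());
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine("  {0} (NotBefore {1:u}, NotAfter {2:u})",
                e.Certificate.Subject, e.Certificate.NotBefore, e.Certificate.NotAfter);

        // A chain that builds from any trusted CA is not enough; pin the signer identity too.
        bool subjectOk = string.Equals(signer.Subject, expectedSubject, StringComparison.Ordinal);
        return chainOk && subjectOk;
    }

    static void Main(string[] args)
    {
        bool valid = CheckSignedFile(args[0], "CN=Example Publisher, O=Example Corp", true);
        Console.WriteLine("Valid signature from expected publisher? " + valid);
    }
}
```

Note that X509Chain evaluates only the certificate, not the Authenticode timestamp countersignature, so a signature made with a now-expired code signing cert (the iexplore.exe case) reports NotTimeValid here even though WinVerifyTrust or signtool verify would still accept it; pinning the Thumbprint instead of the Subject is the stricter identity check if the subject name is shared across certificates.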