X509Certificate2 Verify method fails on valid certificate…

I’m using the .NET X509Certificate2 Verify method to verify that a file was validly signed with my code signing certificate.  I ran into one machine on which this check was failing (while it worked on all the other machines on the same network) and beat my head against it for 2 hours trying to figure out why.

It turns out that if the date/time on a machine is off by a certain amount (in this case it was about a day), the certificate validation fails; this appears to relate to the revocation check.  Hopefully this will save someone some time in the future.

For reference, here is how I’m performing the validation of the signature on the file (the file path is args[0] in the example); I additionally check that the subject matches my certificate using the cert2.Subject property.

using System;
using System.Security.Cryptography.X509Certificates;
// Extract the signer certificate embedded in the signed file, then build and check its chain.
X509Certificate cert = X509Certificate.CreateFromSignedFile(args[0]);
X509Certificate2 cert2 = new X509Certificate2(cert);
Console.Out.WriteLine("Is Signed File Valid? Verify=" + cert2.Verify());

If you need more information about the chain or about the failures of the check, you can use the code outlined on MSDN for X509Chain.  For this particular error it didn’t help; it just said “The revocation function was unable to check revocation for the certificate.” and “The revocation function was unable to check revocation because the revocation server was offline.”

Supposedly you can configure how strict the checks are (whether it checks for revocation, whether it errors out if certificates are expired, etc.) with X509Chain.ChainPolicy, but I wasn’t having much luck with it.  I couldn’t get it to validate iexplore.exe (IE8 for Win7), presumably because the code signing cert used has since expired.
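To get the per-link detail that Verify() hides, here is an added example (not code from the original post) that builds the chain with X509Chain under the strict default policy and separates "the revocation server could not be reached" from "the certificate is bad"; the two messages quoted above are the StatusInformation text of the RevocationStatusUnknown and OfflineRevocation flags, so the clock-skew failure described in this post shows up as those flags rather than as a signature or trust failure. It assumes Windows (CreateFromSignedFile is Windows-only), .NET Framework 4.6+ or .NET Core, and that the expectedThumbprint argument is a placeholder you replace with your own certificate's thumbprint.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class SignerCheck
{
    public enum Outcome { Valid, RevocationUnreachable, Invalid }

    // Flags that mean "no revocation answer could be fetched" rather than "the
    // certificate is bad"; a skewed clock or a blocked CRL/OCSP URL yields these.
    const X509ChainStatusFlags RevocationFetchFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static Outcome CheckSignedFile(string path, string expectedThumbprint, out string detail)
    {
        // Windows-only: extracts the signer certificate from the Authenticode signature.
        var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(path));

        // Pin the signer by thumbprint, not Subject alone: any CA could issue a
        // certificate with the same Subject string, but not one with this hash.
        if (!string.Equals(signer.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            detail = "signer thumbprint " + signer.Thumbprint + " is not the expected certificate";
            return Outcome.Invalid;
        }

        using (var chain = new X509Chain())
        {
            // Keep the strict policy (online revocation, no Ignore* verification flags)
            // so an expired or revoked signer still fails.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

            if (chain.Build(signer))
            {
                detail = "chain built and revocation checked";
                return Outcome.Valid;
            }
            // Each status carries the flag plus the text that Verify() alone does not expose.
            detail = string.Join("; ",
                chain.ChainStatus.Select(s => s.Status + ": " + (s.StatusInformation ?? "").Trim()));
            // If every failure is a revocation-fetch problem, say so, so the operator
            // checks the clock or proxy instead of distrusting the file outright.
            bool onlyFetchProblems = chain.ChainStatus.Length > 0
                && chain.ChainStatus.All(s => (s.Status & ~RevocationFetchFlags) == 0);
            return onlyFetchProblems ? Outcome.RevocationUnreachable : Outcome.Invalid;
        }
    }
}
```

Like Verify(), this validates the signer's certificate chain only; it does not prove that the file's bytes still match the Authenticode signature, which takes WinVerifyTrust (or signtool verify).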
