X509Chain.Build call returns false with error as PartialChain

Anant 1 Reputation point


I have a WPF application that launches an exe (this exe is also another application of mine). Before doing that, I validate the certificate associated with the exe. The exe is signed with a DigiCert certificate, and if we view the certificate from the Windows properties of this exe, we can see three certificates: one root, one intermediate and one leaf certificate.

My WPF application uses the X509Chain.Build function to validate the certificate. This call returns false and an error, PartialChain, for the intermediate certificate. If I install the certificate manually, then this call succeeds. If the intermediate certificate is missing from the certificate store, then this error is seen. My question is: does this Build API expect the certificate to be installed on the machine? If yes, do I need to distribute the certificates to my users so that they install them and my use case runs fine?
What is the .NET way of validating a certificate?


Windows Presentation Foundation

1 answer

  1. Anant 1 Reputation point

    Hi @Hui Liu-MSFT

    Thanks for the revert.
    Yes, my certificate comes from DigiCert - https://www.digicert.com/kb/digicert-root-certificates.htm#intermediates
    Why does MS not bundle all the certificates from trusted CAs in Windows?

    The user in the question has added the root certificate to the extra store before building the chain. Hence it is succeeding.
    In my case the leaf has a link to the intermediate certificate as well as the root certificate. We can very well export all the certificates. And all the certificates are valid. I do not understand why the Build API expects all the certificates to be installed in the store.

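An added example, not code from the thread or from Microsoft: one way to avoid PartialChain without installing anything is to hand the certificates embedded in the exe's signature to the chain builder through `ChainPolicy.ExtraStore`. It assumes Windows and an Authenticode-signed file whose signature includes the intermediate; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class SignerChainCheck // hypothetical helper, not part of any library
{
    // Returns true only if the signer chains to a root this machine already trusts.
    public static bool ValidateSigner(string exePath)
    {
        // Every certificate carried in the file's signature block:
        // the leaf plus whatever intermediates the signing tool embedded.
        var embedded = new X509Certificate2Collection();
        embedded.Import(exePath);

        // The leaf, i.e. the certificate that signed the file.
        using (var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(exePath)))
        using (var chain = new X509Chain())
        {
            // ExtraStore certificates are candidates for path building only.
            // They are never treated as trust anchors, so the root must still
            // be present in the machine's trusted root store.
            chain.ChainPolicy.ExtraStore.AddRange(embedded);

            bool ok = chain.Build(signer);

            // Report why the chain failed (PartialChain, UntrustedRoot, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("{0}: {1}", status.Status, status.StatusInformation.Trim());

            // Show the path that was actually built, leaf first.
            foreach (X509ChainElement element in chain.ChainElements)
                Console.WriteLine("  {0}", element.Certificate.Subject);

            return ok;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SignerChainCheck <path-to-signed-exe>");
            return 2;
        }
        return ValidateSigner(args[0]) ? 0 : 1;
    }
}
```

This checks only the signer's certificate chain; it does not verify that the file's contents still match the signature, so a launcher should also verify the Authenticode signature itself (for example with WinVerifyTrust) before starting the exe.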