X509Chain.Build call returns false with error as PartialChain

Question

Hello,

I am having a WPF application that launches some exe(this exe is also my another application) . Before doing that I validate the certificate associated with the exe. The exe is signed with a DigiCert certificate and if we see the certificate from windows properties of this exe. We can see three certificates one root, one intermediate and leaf certificate.

My WPF application uses X509Chain.Build function to validate the certificate. This call returns false and an error, PartialChain for the intermediate certificate. If I install the certificate manually then this call succeeds. If the intermediate certificate is missing in the certificate store, then this error is seen. My question is - This Build API expects the certificate to be installed on machine ? If yes, do I need to distribute the certificates to my users so that they install and my usecase runs fine ?
What is the .Net way of validating a certificate ?

Thanks,
Anant

Answer 1

Hi @Hui Liu-MSFT

Thanks for the revert.
Yes my certificate comes from DigiCert - https://www.digicert.com/kb/digicert-root-certificates.htm#intermediates
Why MS does not bundle all the certificates from trusted CA in Windows ?

The user in the question has added the root certificate to extra store before building the chain. Hence it is succeeding.
In my case the leaf has a link to intermediate certificate as well as the root certificate. We can very well export all the certificates. And all the certificates are valid. Do not understand why Build API expects all the certificates to be installed in store.