TElX509CertificateValidator validation fails when it should not

Posted: 08/24/2015 12:01:18
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38


I am using the TElX509CertificateValidator object with a TElSecureClient component in .Net. SBB version is

During the SSL handshake, the server sends me its certificate and also the issuer certificate. The TElX509CertificateValidator fails the validation with a Reason code of 64 (CA not authorized). Yet the issuer certificate's Key Usage is set for Digital signature, Certificate signing, and CRL signing.

So why would TElX509CertificateValidator be rejecting this issuer certificate? Is there something else it is looking for in the Key usage or other fields?


Posted: 08/24/2015 12:12:41
by Eugene Mayevski (EldoS Corp.)

Some certificates don't have their properties set properly (certain attributes must be set to critical and they are not).

Please try setting IgnoreCABasicConstraints and IgnoreCANameConstraints properties to true and see if this helps.

Sincerely yours
Eugene Mayevski
Posted: 08/24/2015 12:25:23
by Charlie Jimenez (Standard support level)
Joined: 08/14/2012
Posts: 38

Thanks for your quick reply.

Yes, changing those settings allowed the cert chain to be validated. I checked the issuer cert and although the Key usages are set as I stated, they are not marked critical, so maybe that's the problem.

Thanks again,
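
An added example, not part of the thread and not EldoS code: it uses .NET's built-in `System.Security.Cryptography.X509Certificates` classes (not SecureBlackbox) to print an issuer certificate's Basic Constraints and Key Usage extensions with their critical flags, so the fields discussed above can be checked before relaxing the validator's CA checks. `Describe` and `MakeSampleIssuer` are hypothetical names, and the certificate is a constructed sample; in practice, pass the issuer certificate received from the server to `Describe`.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class IssuerExtensionCheck
{
    // Summarises the two extensions discussed in the thread and their critical flags.
    public static string Describe(X509Certificate2 cert)
    {
        string bc = "BasicConstraints: absent";
        string ku = "KeyUsage: absent";
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509BasicConstraintsExtension b)
                bc = $"BasicConstraints: CA={b.CertificateAuthority}, critical={b.Critical}";
            else if (ext is X509KeyUsageExtension k)
                ku = $"KeyUsage: keyCertSign={k.KeyUsages.HasFlag(X509KeyUsageFlags.KeyCertSign)}, "
                   + $"cRLSign={k.KeyUsages.HasFlag(X509KeyUsageFlags.CrlSign)}, critical={k.Critical}";
        }
        return bc + Environment.NewLine + ku;
    }

    // Constructed sample issuer (not a real CA): same key usages as in the question,
    // with the critical flag chosen by the caller.
    public static X509Certificate2 MakeSampleIssuer(bool critical)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=Constructed Sample CA", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(
                new X509BasicConstraintsExtension(true, false, 0, critical));
            req.CertificateExtensions.Add(new X509KeyUsageExtension(
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyCertSign |
                X509KeyUsageFlags.CrlSign, critical));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                        DateTimeOffset.UtcNow.AddDays(30));
        }
    }

    static void Main()
    {
        foreach (bool critical in new[] { false, true })
        {
            using (X509Certificate2 issuer = MakeSampleIssuer(critical))
                Console.WriteLine(Describe(issuer) + Environment.NewLine);
        }
    }
}
```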



