HTTPS Server - untrusted certificate

#35652
Posted: 01/22/2016 11:05:49
by Markus  (Basic support level)
Joined: 12/03/2015
Posts: 6

Hi,

I'm using the SecureBlackbox HTTPS server component. The server itself works fine, but when I browse the site, I'm always getting the "untrusted connection" (identity unknown) page in Firefox. When I check the certificate in the browser, it seems to be correct (issued by StartCom Ltd.).

I downloaded the pfx pkcs12 version of my certificate from StartCOM.

And I add it like this to the HTTPS server:
Code
using SBX509;                 // TElX509Certificate
using SBCustomCertStorage;    // TElMemoryCertStorage

// In-memory storage that the HTTPS server presents to connecting clients.
TElMemoryCertStorage certStore = new TElMemoryCertStorage();

// Loads one certificate (with its private key) from the PFX file.
var cert = new TElX509Certificate();
cert.LoadFromFileAuto(certPath, certPass);
certStore.Add(cert);

_httpServer.CertStorage = certStore;

Some SSL online checker said that the chain is not complete - so the intermediate ca is missing.

How can I add the intermediate/root ca to my https server?

Thanks in advance,
Markus
#35653
Posted: 01/22/2016 11:11:25
by Eugene Mayevski (EldoS Corp.)

The TElX509Certificate.LoadFromStreamPFX method loads only the first certificate from the file. Please try to use certStore.LoadFromStreamPFX() to load all certificates from the PFX file.


Sincerely yours
Eugene Mayevski
#35654
Posted: 01/22/2016 11:22:47
by Markus  (Basic support level)
Joined: 12/03/2015
Posts: 6

Hi,
thanks for the fast reply.

Now I'm doing it like this:

Code
using System.IO;

// Load every certificate contained in the PFX, not just the first one.
using (var stream = File.Open(certPath, FileMode.Open))
{
    certStore.LoadFromStreamPFX(stream, certPass);
}

But I still get the same error message.

Is it possible to also add the intermediate/root certs from https://startssl.com/root
to my cert store? (without combining my cert with the intermediate and root cert)
#35655
Posted: 01/22/2016 11:56:32
by Eugene Mayevski (EldoS Corp.)

How many certificates do you have in certStore after calling LoadFromStream? If it's 1, then your PFX just doesn't have intermediate certificates.

If you need to add certificates from some location, you can download those intermediate files, load them into TElX509Certificate and then add them to certStore.


Sincerely yours
Eugene Mayevski
#35656
Posted: 01/22/2016 12:37:48
by Markus  (Basic support level)
Joined: 12/03/2015
Posts: 6

Is there any specific order in which I need to add the 3 certs? (root, intermediate, my)
#35657
Posted: 01/22/2016 12:58:06
by Eugene Mayevski (EldoS Corp.)

While there's no particular order required, we suggest that everyone use the end-entity -> CA -> root order to let badly written parties handle such cases with more ease.


Sincerely yours
Eugene Mayevski
#35658
Posted: 01/22/2016 13:19:41
by Markus  (Basic support level)
Joined: 12/03/2015
Posts: 6

Hi,
with:
Code
certStore.LoadFromStreamPFX(stream, certPass);

my certStore has 3 certificates, and they also seem to be in the right order.
Unfortunately, I've got the same "unknown issuer" message...

Any ideas?

I've also tried it now with the HTTPS server sample => same error.

Thanks for your support
#35659
Posted: 01/22/2016 13:28:16
by Eugene Mayevski (EldoS Corp.)

The question is what Firefox complains about (you've provided two different error texts in your messages).

Does Firefox show the complete tree of certificates or some certificate(s) are missing?

As an option you can use HTTPGet sample in Samples\C#\HTTPBlackbox\Client directory to connect to your server, and inspect what certificates the client receives from the server and how they are validated. It's possible that the CA and/or root certificates just don't match the end-entity certificate (yes, mistakes can happen on the CA's web site as well).


Sincerely yours
Eugene Mayevski
#35660
Posted: 01/22/2016 13:52:32
by Markus  (Basic support level)
Joined: 12/03/2015
Posts: 6

Hi,

It's just one error - the unknown issuer.

When I validate the cert with the HTTPGet example, I also get an error and the reason = 192,
which translates - I guess - to:

const short vrCAUnauthorized = 64;
const short vrCRLNotVerified = 128;
#35661
Posted: 01/22/2016 14:03:00
by Eugene Mayevski (EldoS Corp.)

The validator has an OnAfterCertificateValidate event which will tell you exactly which certificate fails with which error. So far it looks like the CRL is signed by the wrong certificate. But this may not be the only error. While errors can be tolerated when you use our Validator class, they will obviously fire up in browsers.

So the first step is to address the errors exposed by the validator, then move to the browser. We have a mini-FAQ on certificate validation here: https://www.eldos.com/security/articles/7545.php .


Sincerely yours
Eugene Mayevski
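As an added example (not EldoS or SecureBlackbox code), the following Python sketch models the two checks this thread converges on: ordering the storage contents end-entity -> CA -> root and flagging a missing intermediate (the "chain not complete" result from the online checker), and decoding a validation reason such as 192 into the flag names quoted above. Certificates are modelled as (subject, issuer) pairs and the sample names are constructed; only the two flag constants quoted in the thread are used.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed model)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs, leaf_subject):
    """Return certs ordered end-entity -> CA -> root, the order recommended
    in the thread. Raises ValueError when an issuer is missing, i.e. the
    'chain not complete' condition an online SSL checker reports."""
    by_subject = {c.subject: c for c in certs}
    if leaf_subject not in by_subject:
        raise ValueError(f"leaf {leaf_subject!r} not in storage")
    chain = [by_subject[leaf_subject]]
    while not chain[-1].self_signed:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            raise ValueError(f"chain incomplete: missing {chain[-1].issuer!r}")
        if parent in chain:
            raise ValueError("issuer loop in chain")
        chain.append(parent)
    return chain


# Only the two validity-reason flags quoted in the thread; other bits of
# the SecureBlackbox bitmask are reported as unknown rather than guessed.
VALIDITY_REASONS = {64: "vrCAUnauthorized", 128: "vrCRLNotVerified"}


def decode_reason(reason: int):
    """Split a validity-reason bitmask (e.g. 192) into flag names."""
    names = [n for bit, n in sorted(VALIDITY_REASONS.items()) if reason & bit]
    rest = reason & ~sum(b for b in VALIDITY_REASONS if reason & b)
    if rest:
        names.append(f"unknown(0x{rest:x})")
    return names


# Constructed sample: a StartCom-issued server certificate, stored out of order.
SAMPLE = [
    Cert("CN=StartCom Certification Authority", "CN=StartCom Certification Authority"),
    Cert("CN=www.example.test", "CN=StartCom Class 1 Primary Intermediate Server CA"),
    Cert("CN=StartCom Class 1 Primary Intermediate Server CA", "CN=StartCom Certification Authority"),
]
```

Dropping the intermediate from SAMPLE makes order_chain raise, which is the condition the checker reported; decode_reason(192) yields the two flags Markus listed.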