2
votes

I have a certificate issued to me from a Sub CA with the following certification path:

Root CA
   Sub CA
      My Certificate

Why is it that when I try to validate it with X509Chain.Build(), I always need to have the Sub CA in my trusted root certificate authorities folder for it to return true? I have the root CA certificate in there already, so since I trust the root, being a web of trust, should it not also trust the sub CA? Because right now, it says that it could not build the chain to a trusted root certificate authority unless I add the Sub CA certificate to my trusted root certificate authorities.

When trying to build the chain, where do you read the certificate from? If you read it from file, is the intermediate (Sub) CA also present in the file? If not, how can .NET know anything about it? – Erik A. Brandstadmoen

@ErikA.Brandstadmoen - I read it from the local computer's certificate store. The sub-CA is not also present in the file. How would I go about including the sub-CA certificate with the end-user certificate issued to me by the sub-CA? – Alexandru

If you have the end-user certificate in the cert store, the sub CA needs to be in the cert store too, as gtrig writes in the answer below. It doesn't, however, need to be in the Trusted Root CAs list. – Erik A. Brandstadmoen

Yes, no problem. A .pfx or .cer (or .p7b or whatever) file may include a whole certificate chain. So, if you have the certificate in a file, you may have the whole certificate chain in the file. But, if Windows is going to validate the certificate, it needs to have access to all certificates. And if you read the certificate from the certificate store, you have nowhere else to store the issuers than the certificate store, as in the answer below. – Erik A. Brandstadmoen

Yes, when you read the end-user cert from the cert store, all certs in the chain need to be in the cert store. I see no reason to discuss this in chat; if we do, no one else but you will benefit from the discussion. There might be other people with the same problem, you know. :) – Erik A. Brandstadmoen

1 Answer

3
votes

To elaborate on Erik's comment, trusting the Root CA certificate means that you will trust what the Root CA directly signs.

If you have an intermediate Sub CA in the middle, its certificate is signed by the Root CA, and the Sub CA signs your certificate directly.

Root CA ---signs/verifies---> Sub CA ---signs/verifies---> End user certificate

As Erik said, if you do not have the Sub CA certificate present, then there is no way to link the Root CA to the End user certificate. The Root can verify the Sub CA certificate, and the Sub CA can verify the End user certificate, but there is no way for the Root to skip over the Sub CA and verify the End user certificate because the root did not sign the End user certificate.

Two ways to resolve this are:

  • include the Sub CA cert in your trusted certificates OR
  • make sure the Sub CA cert is included with the end user certificate so a chain can be established.
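As an added example (not code from the question or the answer above), the following C# program builds the same three-level path, Root CA -> Sub CA -> My Certificate, entirely in memory and then calls X509Chain.Build() twice: once with only the Root CA trusted and nothing else available, and once with the Sub CA additionally supplied through ChainPolicy.ExtraStore, which is the programmatic form of the answer's second option (make the issuer available alongside the end-user certificate rather than adding it to Trusted Root CAs). The subject names, 2048-bit RSA keys and one-year validity are assumptions made for the demo; it needs .NET 5 or later, since X509ChainPolicy.CustomTrustStore does not exist in .NET Framework.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original question or answer.
// Requires .NET 5+ (CertificateRequest and X509ChainPolicy.CustomTrustStore).
public static class ChainDemo
{
    // Issue a certificate for `subject` bound to `key`. With issuer == null the
    // certificate is self-signed (our Root CA); otherwise it is signed by the
    // issuer, which must therefore carry its private key.
    static X509Certificate2 Issue(string subject, RSA key, X509Certificate2? issuer, bool isCa)
    {
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // CA certificates get cA=true and KeyCertSign; the leaf is explicitly not a CA.
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            isCa ? X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign
                 : X509KeyUsageFlags.DigitalSignature, true));
        // SKI on the issuer lets .NET add a matching AKI to anything it signs.
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));

        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5); // assumed validity window
        DateTimeOffset notAfter = notBefore.AddYears(1);
        if (issuer == null)
            return req.CreateSelfSigned(notBefore, notAfter);

        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        // Create() returns a public-only certificate; re-attach the key so a CA can sign further.
        return req.Create(issuer, notBefore, notAfter, serial).CopyWithPrivateKey(key);
    }

    // Build the chain for `leaf`, trusting only `root`. When `subCa` is given it
    // is placed in ExtraStore: available for path building, but NOT trusted.
    // Returns Build()'s verdict, the OR of all status flags, and the path length.
    public static (bool Trusted, X509ChainStatusFlags Status, int Length) Validate(
        X509Certificate2 leaf, X509Certificate2 root, X509Certificate2? subCa)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore the machine's root store
        chain.ChainPolicy.CustomTrustStore.Add(root);                     // our one trust anchor
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // demo certs have no CRL/OCSP
        if (subCa != null)
            chain.ChainPolicy.ExtraStore.Add(subCa);

        bool trusted = chain.Build(leaf);
        X509ChainStatusFlags flags = chain.ChainStatus
            .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        return (trusted, flags, chain.ChainElements.Count);
    }

    public static void Main()
    {
        using RSA rootKey = RSA.Create(2048);
        using RSA subKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);

        X509Certificate2 root = Issue("CN=Root CA", rootKey, null, isCa: true);
        X509Certificate2 subCa = Issue("CN=Sub CA", subKey, root, isCa: true);
        X509Certificate2 leaf = Issue("CN=My Certificate", leafKey, subCa, isCa: false);

        // The questioner's situation: the root is trusted, but nothing links the leaf to it.
        var rootOnly = Validate(leaf, root, null);
        Console.WriteLine($"Root only:     Build={rootOnly.Trusted} Status={rootOnly.Status} Elements={rootOnly.Length}");

        // The fix: hand the Sub CA to the chain engine without making it a trust anchor.
        var withSubCa = Validate(leaf, root, subCa);
        Console.WriteLine($"Root + Sub CA: Build={withSubCa.Trusted} Status={withSubCa.Status} Elements={withSubCa.Length}");
    }
}
```

With the Sub CA omitted, Build() returns false and ChainStatus carries PartialChain: the engine found no issuer for the leaf, exactly the "could not build the chain to a trusted root" situation in the question. With the Sub CA in ExtraStore the chain closes at the root and the path has three elements. ExtraStore is the in-code equivalent of what the comments describe for the certificate store: on Windows the chain engine also searches the Intermediate Certification Authorities store, so that, not Trusted Root CAs, is where a Sub CA belongs; placing it in Trusted Root makes it a trust anchor in its own right, so the path then terminates at the Sub CA and the Root CA's relationship to it no longer matters. Two further caveats: certificates in ExtraStore are never trusted by themselves, only used to connect the leaf to an anchor, and on Windows the engine will additionally try to download a missing intermediate from the leaf's Authority Information Access URL, which is why the same validation can succeed on an online machine and fail offline.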