1
votes

I am looking for some guidance here. I am embedding a self-signed SSL certificate in a simple application written in C#. I am reading the cert as bytes from the ExecutingAssembly stream and then adding it to the Store.Root of the Current User.

The next step is validating the entire CA chain and using a boolean as part of the VerificationCallback delegate.

The problem is I don't think it is correct to be adding certs to the operating system. I am instead looking to manually trust the embedded cert instead of adding the cert to the computer's trusted certificates.

Application embedded cert versus adding certificates to the user's computer's certificates.

Any ideas on how to manually trust an embedded certificate in a C# application?

Updated: Per mike z, I have updated my code and have this issue: the thumbprints of the Splunk cert and the X509Certificate2 object thumbprint do not match; I don't know why.

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    public static class Program
    {
        // Shared by the callback and Main (these were not declared in the snippet as posted).
        static string Cert;
        static X509Certificate Cert1;
        static string c1, c2;

        public static bool CertificateVerificationCallback(System.Object o, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            Cert = "~./Resources/splunk-VirtualBox.crt";
            Cert1 = X509Certificate.CreateFromCertFile(Cert);

            // DER bytes of the file-based cert, re-wrapped as X509Certificate2 so Thumbprint is available.
            byte[] b = Cert1.GetRawCertData();

            X509Certificate2 Cert2 = new X509Certificate2();

            Cert2.Import(b);
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
            }
            else if (certificate is X509Certificate2 cert2)
            {
                // cert2 is what the server presented; Cert2 is the embedded file.
                c1 = cert2.Thumbprint;
                c2 = Cert2.Thumbprint;

                return cert2.Thumbprint == Cert2.Thumbprint;
            }

            return false;
        }

        public static void Main(string[] args)
        {
            ServicePointManager.ServerCertificateValidationCallback += CertificateVerificationCallback;
            // No HTTPS request is made here, so the callback has not run yet and c1/c2 are still null at this point.
            Console.WriteLine(string.Format("cert2 {0}, Cert2 {1}", c1, c2));
        }
    }
Dijkgraaf: Short answer, I don't think you can. What are you using the Cert for? If you explain what you are trying to achieve, maybe someone can actually tell you how to achieve that without breaking the chain of trust in certificates.

Lex Li: While you can set your own callback to handle certificate verification, I wonder why you still asked such a question. Do whatever you want when you can so obviously.

1 Answer

0
votes

You can programmatically accept a certificate using ServicePointManager.ServerCertificateValidationCallback:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Set this to the Thumbprint (hex SHA-1) of the certificate you embed.
string CertThumbprint = "";

ServicePointManager.ServerCertificateValidationCallback += (object o, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) =>
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }
    else if (cert is X509Certificate2 cert2)
    {
        // Compare the presented certificate against the one you expect.
        return cert2.Thumbprint == CertThumbprint;
    }

    return false;
};

The key point is that the .NET Framework has already run the certificate checks, and if SslPolicyErrors.None is returned then the cert is valid; otherwise, check whether it has your cert's thumbprint. You could obviously check more info, but that's the one that's usually checked for a specific certificate.
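The following is an added example, not code from the question or the answer above. It does what the question asks (trust one embedded self-signed cert without touching the OS store) and goes a step beyond the answer in two ways: it decides on the pin alone instead of also returning true on SslPolicyErrors.None (otherwise any publicly trusted certificate for the host would be accepted too, which defeats pinning), and on a mismatch it logs the subject and thumbprint of both the presented and the embedded certificate, which is the first thing to look at when "the thumbprints do not match". Assumptions: the .crt is compiled in with Build Action "Embedded Resource" under the hypothetical resource name MyApp.Resources.splunk-VirtualBox.crt, the server is https://localhost:8089/, and the runtime is .NET Framework 4.7.1+ or .NET Core, where HttpClientHandler.ServerCertificateCustomValidationCallback is available.

```csharp
// Added example: pin one HttpClient to an embedded self-signed certificate.
// Assumed (hypothetical) resource name and URL; replace with your own.
using System;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedClient
{
    // Read the DER/PEM .crt bytes from the assembly's embedded resources.
    static byte[] LoadEmbeddedCert(string resourceName)
    {
        using (Stream s = Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
        {
            if (s == null)
                throw new FileNotFoundException("Embedded resource not found: " + resourceName);
            using (var ms = new MemoryStream())
            {
                s.CopyTo(ms);
                return ms.ToArray();
            }
        }
    }

    // Pin = SHA-256 over the DER-encoded certificate. X509Certificate2.Thumbprint is a
    // hex SHA-1 string; hashing RawData ourselves avoids SHA-1 and any upper/lower-case
    // or formatting differences between two thumbprint strings.
    static byte[] Sha256Of(byte[] der)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(der);
    }

    public static HttpClient Create(string resourceName)
    {
        var pinnedCert = new X509Certificate2(LoadEmbeddedCert(resourceName));
        byte[] expected = Sha256Of(pinnedCert.RawData);

        var handler = new HttpClientHandler();
        // Per-client callback: unlike ServicePointManager this does not change
        // validation for every other HTTPS connection in the process.
        handler.ServerCertificateCustomValidationCallback =
            (HttpRequestMessage req, X509Certificate2 presented, X509Chain chain, SslPolicyErrors errors) =>
        {
            if (presented == null)
                return false;

            // Decide on the pin only. Deliberately no "return true on SslPolicyErrors.None":
            // that would also accept any publicly trusted cert for this host.
            bool match = Sha256Of(presented.RawData).SequenceEqual(expected);

            if (!match)
            {
                // The diagnostic for "thumbprints do not match": is the server presenting
                // the certificate you embedded, or a different one (e.g. a regenerated one)?
                Console.Error.WriteLine("Pin mismatch. presented thumbprint={0} subject={1} policyErrors={2}",
                    presented.Thumbprint, presented.Subject, errors);
                Console.Error.WriteLine("Embedded  thumbprint={0} subject={1}",
                    pinnedCert.Thumbprint, pinnedCert.Subject);
            }
            return match;
        };
        return new HttpClient(handler);
    }

    static void Main()
    {
        // Assumed resource name and URL.
        using (HttpClient client = Create("MyApp.Resources.splunk-VirtualBox.crt"))
        {
            // Any request through this client fails unless the pinned certificate is presented.
            string body = client.GetStringAsync("https://localhost:8089/").GetAwaiter().GetResult();
            Console.WriteLine("Received {0} bytes over a pinned connection", body.Length);
        }
    }
}
```

Two caveats that follow from this design. Pinning the leaf certificate means that when the Splunk server's self-signed cert is regenerated the application must ship a new build (or a new embedded resource); if you expect to re-issue the certificate with the same key pair, pin the hash of the SubjectPublicKeyInfo instead of the whole certificate. And nothing here adds the cert to Store.Root, so the rest of the machine's trust decisions are unaffected, which is the outcome the question was after.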