Tags: .net, certificate, smartcard, x509certificate2

Do we need root certificate installed on the machine always?


I am using a smart card to authenticate the user. I have an authentication service (SecurityTokenService) which handles the authentication logic on the server.

I am using X509Certificate2.Verify() to validate the certificate. Since this API can check if the certificate is valid/revoked by going online and contacting Certification Authority (CA), do I need root certificate on the server?

Can we avoid having the root certificate on our local computer? Or is a root certificate always mandatory?


Solution

  • I tried a few things and here are the observations:

    1. First of all, X509Certificate2.Verify() does not check if all the certificates in the chain are revoked. From this post I came to know that the Verify method internally uses the Crypt32 CertVerifyCertificateChainPolicy function. The documentation for it says that it does not perform certificate revocation checking. In short, the Verify method just checks whether the certificate on which it's called is revoked or not.

    2. Regarding the root certificate:

      • If you are using X509Certificate2.Verify() and the root cert is absent, then the method will outright return false. So with this method the root certificate is absolutely required.
      • If you are using X509Chain to build the trust chain, then you can decide whether to exclude the root certificate from revocation checking and whether to go online or stay offline to verify the revocation status of the certificates.
      • However, whether you go online or not, and whether you exclude the root certificate or not, you get the PartialChain value in the ChainStatus if the root certificate is missing. So to build the full trust chain, you need the root certificate on your machine.

    Hope this helps someone who wants to know a little more about certificate validation in C#.
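To make the ChainStatus behaviour described in the answer concrete, here is an added example (not code from the original question, the answer, or any project). It generates a throwaway CA and a user certificate in memory, then builds X509Chain for the user certificate four times: with the issuer completely unavailable, with the issuer supplied but not trusted, with the issuer trusted via CustomTrustStore, and with online revocation checking switched on. The CA and user names are made up, and X509ChainTrustMode / CustomTrustStore assume .NET 5 or later; everything runs offline.

```csharp
// Added example, not from the original post. Assumes .NET 5+ (X509ChainTrustMode,
// CustomTrustStore). All subject names below are invented for the demo.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainDemo
{
    // Self-signed CA that plays the role of the smart-card issuer's root.
    static X509Certificate2 MakeCa(RSA key)
    {
        var req = new CertificateRequest("CN=Demo Smart Card Root CA", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    // End-entity certificate signed by the CA, shaped like a client-auth (smart card) cert.
    static X509Certificate2 MakeLeaf(X509Certificate2 ca, RSA key)
    {
        var req = new CertificateRequest("CN=alice, OU=Demo Users", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        return req.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), serial);
    }

    // Builds a chain for `leaf` under an explicit policy and returns the union of
    // all ChainStatus flags. `issuer` null means the CA is not available at all;
    // trustIssuer=true makes the CA a trust anchor without touching the machine store.
    static X509ChainStatusFlags BuildChain(X509Certificate2 leaf, X509Certificate2 issuer,
        bool trustIssuer, X509RevocationMode revocation)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = revocation;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot; // roots are self-signed; nobody can revoke them
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // do not tolerate any error
        if (issuer != null)
        {
            chain.ChainPolicy.ExtraStore.Add(issuer); // lets the engine *find* the issuer
            if (trustIssuer)
            {
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Add(issuer); // makes it *trusted* as well
            }
        }
        bool ok = chain.Build(leaf);
        var flags = X509ChainStatusFlags.NoError;
        foreach (var s in chain.ChainStatus) flags |= s.Status;
        Console.WriteLine($"  Build={ok} elements={chain.ChainElements.Count} status={flags}");
        return flags;
    }

    // What a token service should actually gate on: a clean build, or nothing.
    static bool AcceptForLogon(X509ChainStatusFlags flags) => flags == X509ChainStatusFlags.NoError;

    static void Main()
    {
        using RSA caKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);
        using X509Certificate2 ca = MakeCa(caKey);
        using X509Certificate2 leaf = MakeLeaf(ca, leafKey);

        Console.WriteLine($"leaf.Verify() with the CA absent from the machine store: {leaf.Verify()}");

        Console.WriteLine("1. issuer not available (look for PartialChain):");
        AcceptForLogon(BuildChain(leaf, null, false, X509RevocationMode.NoCheck));

        Console.WriteLine("2. issuer available but not trusted (look for UntrustedRoot):");
        AcceptForLogon(BuildChain(leaf, ca, false, X509RevocationMode.NoCheck));

        Console.WriteLine("3. issuer trusted via CustomTrustStore, no revocation check:");
        Console.WriteLine($"  accept={AcceptForLogon(BuildChain(leaf, ca, true, X509RevocationMode.NoCheck))}");

        Console.WriteLine("4. same trust, Online revocation (the demo CA publishes no CRL/OCSP):");
        Console.WriteLine($"  accept={AcceptForLogon(BuildChain(leaf, ca, true, X509RevocationMode.Online))}");
    }
}
```

The four builds separate two things the question runs together: *locating* the issuer (ExtraStore, or the machine's intermediate/root stores) and *trusting* it (the Trusted Root store, or CustomTrustStore). Step 1 cannot even form a chain, which is the PartialChain case from the answer; step 2 forms the chain but the anchor is not trusted; step 3 is the configuration in which Build() returns true without installing anything into the machine store. Step 4 shows why a RevocationMode other than NoCheck is only meaningful when the issuer actually publishes CRL or OCSP endpoints: the throwaway CA here has none, so the status will reflect that revocation could not be determined, and AcceptForLogon fails closed rather than treating an unknown status as "not revoked". For a real SecurityTokenService, keep VerificationFlags at NoFlag, keep RevocationMode at Online or Offline, and only relax individual flags deliberately and with a comment saying why.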