I need to validate a leaf certificate using a root certificate that is not stored in the Trusted Root CA store. This works perfectly fine using X509Chain with the X509ChainPolicy.RevocationMode set to X509RevocationMode.NoCheck and the X509ChainPolicy.VerificationFlags set to include the flag X509VerificationFlags.AllowUnknownCertificateAuthority. I provide my root certificate to the X509Chain by using X509Chain.ChainPolicy.ExtraStore.
The issue arises when I want to check the revocation status of the leaf certificate. The leaf certificate provides the CRL distribution point, but when using X509RevocationMode.Online, I get these statuses: X509ChainStatusFlags.RevocationStatusUnknown and X509ChainStatusFlags.OfflineRevocation.
If I install the root into the Trusted Root CA store, the revocation check works just fine. As mentioned however, my application will not be installing these into the cert store.
Here's how I am attempting to do this currently:
Imports System.Security.Cryptography.X509Certificates

Dim certChain As New X509Chain
' Check revocation online, but only for the end-entity certificate
certChain.ChainPolicy.RevocationMode = X509RevocationMode.Online
certChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly
' Accept a chain that terminates in a root the OS does not trust
certChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority Or X509VerificationFlags.IgnoreNotTimeValid
' ExtraStore only supplies candidate certificates for chain building; it does not make the root trusted
certChain.ChainPolicy.ExtraStore.Add(rootCertificate)
Dim blnValid As Boolean = certChain.Build(certificate)
Any help is appreciated.
This isn't possible prior to .NET 5.
.NET 5 introduced custom root trust to X509Chain which supports this, you'd add
certChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
certChain.ChainPolicy.CustomTrustStore.Add(rootCert);
which then replaces the root trust list for that chain with the specified certificate(s).
But the system will not download, or process from the cache, revocation from an untrusted authority. Your only options with older .NET are
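A worked example of the .NET 5+ approach the answer describes, added here as an illustration; it is not code from the question or the answer, and the certificate subject names, the Validate helper and the MakeTestPair helper are my own assumptions. It generates a private root CA and a leaf in memory (constructed test data) so that it runs offline, builds the chain with CustomRootTrust instead of ExtraStore plus AllowUnknownCertificateAuthority, and checks that the same leaf fails against an unrelated root:

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or the answer). Validates a leaf against a
// root that is NOT in the machine's Trusted Root store, using .NET 5+ CustomRootTrust.
static class CustomRootValidation
{
    // Returns Build()'s verdict plus the OR of every chain status flag, so the caller
    // can tell an untrusted/partial chain apart from an unknown revocation status.
    public static (bool Valid, X509ChainStatusFlags Flags) Validate(
        X509Certificate2 leaf, X509Certificate2 root, X509RevocationMode revocationMode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);   // replaces the system root list for this chain
        chain.ChainPolicy.RevocationMode = revocationMode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
        // No AllowUnknownCertificateAuthority: the root is now genuinely trusted, so a leaf
        // issued by anyone else must fail instead of being waved through.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool valid = chain.Build(leaf);
        X509ChainStatusFlags flags = chain.ChainStatus
            .Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
        return (valid, flags);
    }

    // Constructed test data: a throwaway root CA and a leaf it signs, built in memory.
    // A real deployment loads the root and leaf from PEM/PFX instead.
    public static (X509Certificate2 Root, X509Certificate2 Leaf) MakeTestPair()
    {
        using RSA rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Example Private Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        X509Certificate2 root = rootReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));

        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=example-leaf", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        leafReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        // Create() signs with the issuer's private key; the issuer must carry CA basic constraints.
        X509Certificate2 leaf = leafReq.Create(root,
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1),
            new byte[] { 0x01, 0x02, 0x03, 0x04 });
        return (root, leaf);
    }

    public static void Main()
    {
        var (root, leaf) = MakeTestPair();

        // Trust path only: the private root validates its own leaf without touching the OS store.
        var (ok, flags) = Validate(leaf, root, X509RevocationMode.NoCheck);
        Console.WriteLine($"NoCheck:    valid={ok} flags={flags}");

        // Revocation path: this constructed leaf has no CRL distribution point, so Online mode
        // cannot fetch anything and reports RevocationStatusUnknown. With a real leaf whose CDP
        // is reachable, the same call succeeds because its issuer is now a trusted root.
        (ok, flags) = Validate(leaf, root, X509RevocationMode.Online);
        Console.WriteLine($"Online:     valid={ok} flags={flags}");

        // Control: an unrelated private root must not validate the leaf.
        var (otherRoot, _) = MakeTestPair();
        (ok, flags) = Validate(leaf, otherRoot, X509RevocationMode.NoCheck);
        Console.WriteLine($"Wrong root: valid={ok} flags={flags}");
    }
}
```

Validate deliberately drops AllowUnknownCertificateAuthority: once the root sits in CustomTrustStore, that flag would only hide a chain that ends in some other, untrusted issuer. The Online run against the constructed leaf is included to make the failure mode visible; the status it reports is RevocationStatusUnknown, which is the leaf's missing distribution point rather than the untrusted-issuer problem the question describes.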