Why is RootCertificate null in HttpRequestCreator ValidatingCertificate event?

0 votes
asked Apr 1 by JeffBridges (120 points)

I've added a custom validator to the HttpRequestCreator ValidatingCertificate event. The event is called correctly, but the RootCertificate property of the CertificateChain in the SslCertificateValidationEventArgs is null.

The chain validates correctly despite the root certificate being null, but we would like to know the root certificate used in validation. The chain also doesn't contain the root certificate, just the intermediates and the certificate.

How can we have this RootCertificate property populated?

1 Answer

0 votes
answered Apr 1 by Lukas Pokorny (108,330 points)

The ValidatingCertificate event returns the certificate chain as received from the server. These usually lack the root certificate (due to the assumption that the client must already possess it anyway).

If you need to access the root certificate in your ValidatingCertificate event handler, just rebuild the chain, taking into account the CA certificates trusted by the local OS:

void Event_ValidatingCertificate(object sender, SslCertificateValidationEventArgs e)
{
    CertificateChain chain = CertificateEngine.Default.BuildChain(e.Certificate, e.CertificateChain);
    ...
}

The chain will have RootCertificate populated if the CA certificate is available locally.

Note: An equivalent process is performed during the validation of the root-less chain, which is the reason it validates correctly.
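As an added example (not code from the thread or from Rebex), the rebuilt chain can be used to restrict connections to an expected root CA: the handler below rebuilds the chain with BuildChain as above and rejects the server if the root is missing or does not match a pinned thumbprint. The Rebex members e.Reject() and Certificate.GetThumbprint() are assumed from memory of the API and should be checked against the installed version; the thumbprint value is a constructed placeholder.

```csharp
using System;
using System.Linq;
using Rebex.Net;
using Rebex.Security.Certificates;

class RootPinningValidator
{
    // Constructed placeholder: hex SHA-1 thumbprint(s) of the root CA(s) this
    // client is willing to chain up to. Replace with the real expected value.
    static readonly string[] ExpectedRootThumbprints =
    {
        "0000000000000000000000000000000000000000" // PLACEHOLDER
    };

    public static void Event_ValidatingCertificate(object sender, SslCertificateValidationEventArgs e)
    {
        // The chain from the server usually ends at an intermediate, so
        // RootCertificate is null there. Rebuild it against the local trust store.
        CertificateChain chain = CertificateEngine.Default.BuildChain(e.Certificate, e.CertificateChain);

        if (chain.RootCertificate == null)
        {
            // No locally trusted root was found for this chain: refuse the connection.
            e.Reject(); // assumed Rebex API
            return;
        }

        // Assumed: GetThumbprint() returns the SHA-1 thumbprint as a byte array.
        string rootThumbprint = BitConverter
            .ToString(chain.RootCertificate.GetThumbprint())
            .Replace("-", string.Empty);

        bool pinned = ExpectedRootThumbprints.Contains(rootThumbprint, StringComparer.OrdinalIgnoreCase);
        if (!pinned)
        {
            // Chain is anchored in a root we did not expect, even if the OS trusts it.
            e.Reject(); // assumed Rebex API
            return;
        }

        // Pin matched. Accept() is deliberately not called here, so the regular
        // chain validation described in the answer still decides the final outcome;
        // this handler only adds a veto.
    }
}
```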

...