Test with CA Certificate Disabled

This section provides a tutorial example on testing a .NET program's HTTPS communication with the root CA certificate disabled.

In this tutorial, I want to figure out whether .NET does server certificate verification or not. If it does, where does it get root CA certificates from? My first guess is that .NET uses Windows certificate stores for root CA certificates.

1. Identify the root CA of login.yahoo.com - This can be done by using IE to view the certificate path on https://login.yahoo.com. See the IE chapter for detailed steps.

DigiCert High Assurance EV Root CA - The root CA certificate
 |- DigiCert High Assurance CA-3   - An intermediate CA certificate
     |- login.yahoo.com            - The Web server certificate

2. Identify the root CA certificate in the certificate store - It is not that hard to identify the root CA certificate using the certificate console as described in the previous chapter. Run the certificate console, and I can see that the "DigiCert High Assurance EV Root CA" is in the certificate list in the "Trusted Root Certification Authorities" store.

3. Disable the root CA certificate in the certificate store - Run the certificate console and disable "DigiCert High Assurance EV Root CA" as shown in previous tutorials.

4. Run the .NET test program again:

C:\herong>WebReader.exe https://login.yahoo.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org...
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>
...

The test program works with the root CA certificate disabled. This is not what I was expecting. Why? Maybe .NET is not verifying the server certificate. Or maybe .NET is using some other way to verify the server certificate. Read the next tutorial for answers.
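A successful download alone does not show which chain .NET built or whether it checked one at all. The program below is an added example, not code from the original tutorial: it hooks ServicePointManager.ServerCertificateValidationCallback to print the chain and policy errors .NET reports, and checks whether the top certificate is present in the Windows Root stores. The names CertProbe, Report and InRootStore are made up for this example.

```csharp
// CertProbe.cs - added diagnostic example; class and method names are hypothetical.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class CertProbe
{
    // True if a certificate with this thumbprint is present in the Root store.
    static bool InRootStore(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.Root, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            return store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false).Count > 0;
        }
        finally { store.Close(); }
    }

    // Called by .NET during the TLS handshake with the chain it built.
    static bool Report(object sender, X509Certificate cert,
                       X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("SslPolicyErrors: " + errors);
        foreach (X509ChainElement e in chain.ChainElements)
        {
            Console.WriteLine("  " + e.Certificate.Subject);
            foreach (X509ChainStatus s in e.ChainElementStatus)
                Console.WriteLine("    status: " + s.Status);
        }
        int n = chain.ChainElements.Count;
        if (n > 0)
        {
            X509Certificate2 top = chain.ChainElements[n - 1].Certificate;
            Console.WriteLine("Chain ends at: " + top.Subject);
            Console.WriteLine("  in LocalMachine Root: "
                + InRootStore(StoreLocation.LocalMachine, top.Thumbprint));
            Console.WriteLine("  in CurrentUser Root:  "
                + InRootStore(StoreLocation.CurrentUser, top.Thumbprint));
        }
        // Keep the framework's own verdict; never accept a failed chain.
        return errors == SslPolicyErrors.None;
    }

    static void Main(string[] args)
    {
        ServicePointManager.ServerCertificateValidationCallback = Report;
        using (WebResponse r = WebRequest.Create(args[0]).GetResponse())
            Console.WriteLine("Request completed: " + r.ResponseUri);
    }
}
```

Run it as CertProbe.exe https://login.yahoo.com before and after step 3 and compare the printed chain and SslPolicyErrors value.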

Last update: 2011.
