I am struggling with the apparent lack of flexibility in SslStream AuthenticateAsServer. I have a self-signed rootCA, an intermediate CA, and a target (host) certificate. I only perform server authentication. The client has a rootCA certificate, and I'm trying to somehow send the entire chain from the server to the client so that the client can check the server, and I can further compare the anchor rootCA trust prints with the ones included in the client.
Ideally, I would like to avoid using a certificate store and explicitly send certificates. If someone knows how to do this, this is the best solution to my problem.
But it seems that SslStream AuthenticateAsServer will not be in any documented way, allowing you to explicitly specify the chain to send. You just have to send the bottom certificate and let it dig the rest of it from the certificate store. This is less than ideal, but it seems that this is the only option, so I try so hard. Currently, the problem is that (with a self-signed CA in trusted root certification authorities and an intermediate in intermediate root certification authorities on the server), only the client certificate and the intermediate certificate are "automatically" sent to the client. I only get two certificates on the client, not a rootCA certificate. Why?
Is there an AsServer authentication method with a certificate chain?
If not, is it that it cuts the root certificate from the top of the chain before sending?
If there are no answers to the above, is there at least a way to bypass (auto) magic that digs the rest of the chain from the store, where can I look at the result, and not go through AuthenticateAsServer to the CertValidationCallback client? At least in this way I would debug one black box, and not a row of several black boxes.
source share