verisign issued cert comes up as untrusted root  
by dan trubow
posted on 2004/02/06

This is really a continuation of a previous post about 'seemingly valid certificate comes up as expired'.

I found in that case it was necessary to remove an invalid Verisign certificate on the client computer and install an unexpired Verisign Intermediate certificate.

Now, using the leaf certificate pasted in Base64 below, I get an Untrusted Root returned from VerifyChain. Since VerifyChain calls a Microsoft SSPI function, I'm stumped on how to troubleshoot this.

Any suggestions?

The cert, from xml.fastdataweb.com is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

by dan trubow
posted on 2004/02/09

Ok, this problem has been solved.

It turns out the secure socket client being used is running under the SYSTEM account because it's set up as a Windows Service.

When I installed the Verisign Intermediate Certificate (see the referenced topic above) on the client machine, I installed it under my User account. It should have been installed under the SYSTEM or computer account. To do this I used the MMC and added the Certificates snap-in module. From there I chose the Computer account and then imported the certificate.

After installing properly, the cert above passed all tests.

So this was confusing because I didn't realize the client computer needs to have the root certificates installed, and installed in the right accounts. Otherwise it won't pass verification. Somehow this seems to be not right.

by Pieter Philippaerts [Pieter at mentalis dot org]
posted on 2004/03/06

> So this was confusing because I didn't realize the
> client computer needs to have the root certificates
> installed, and installed in the right accounts.
> Otherwise it won't pass verification.

This behavior is the very heart of any PKI system; it's the reason why they're secure. The idea is that any user can choose which Certificate Authorities (s)he trusts, and only certificates issued by these CAs will be validated correctly. The root certificate from a certificate chain should always be installed beforehand.
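The diagnostic and the fix from this thread, as an added PowerShell example that is not part of the forum posts or of the Mentalis library: it builds the chain for a leaf certificate exactly as the calling account sees it (run it once as yourself and once as the service account to reproduce the difference the second post describes), reports whether the failure is a missing intermediate or an untrusted root, shows in which store and under which account the issuer's certificate is present, and imports the intermediate into the machine-wide store, which is what the MMC "Computer account" import does. The file paths are placeholders; the `Import-Certificate` cmdlet assumes the PKI module present on Windows 8 / Server 2012 and later, and the import step needs an elevated shell.

```powershell
# Added example (not from the thread): diagnose and fix an UntrustedRoot /
# PartialChain result for a leaf certificate.
# Assumptions (placeholders): the leaf is saved as C:\certs\leaf.cer and the
# intermediate CA certificate as C:\certs\intermediate.cer.

$leafPath         = 'C:\certs\leaf.cer'          # placeholder path
$intermediatePath = 'C:\certs\intermediate.cer'  # placeholder path

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $leafPath

# 1. Build the chain as the *current* account sees it. The Windows chain engine
#    consults the CurrentUser stores of the caller plus the LocalMachine stores,
#    so a service running as LocalSystem never sees a certificate that an
#    interactive user imported into their own CurrentUser store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# NoCheck keeps the example runnable offline; leave revocation checking on in production.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($leaf)

"Chain builds cleanly: $ok"
foreach ($status in $chain.ChainStatus) {
    # PartialChain  -> an intermediate is missing from the stores this account can see
    # UntrustedRoot -> the chain ends in a root that is not in Trusted Root Certification Authorities
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
foreach ($element in $chain.ChainElements) {
    "  chain element: {0}" -f $element.Certificate.Subject
}

# 2. Show where the issuer's certificate actually lives. 'CA' holds intermediates,
#    'Root' holds trust anchors, and both exist once per user and once per machine.
$issuer = $leaf.Issuer
foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($storeName in 'CA', 'Root') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, $location
        $store.Open('ReadOnly')
        $hits = @($store.Certificates | Where-Object { $_.Subject -eq $issuer })
        $store.Close()
        "{0}\{1}: {2} certificate(s) for '{3}'" -f $location, $storeName, $hits.Count, $issuer
    }
}

# 3. The fix from the thread: place the intermediate where every account on the
#    machine, services included, can see it. Equivalent to MMC -> Certificates
#    snap-in -> Computer account -> Intermediate Certification Authorities -> Import.
$alreadyPresent = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $issuer }
if (-not $alreadyPresent) {
    Import-Certificate -FilePath $intermediatePath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
    "Imported intermediate into LocalMachine\CA; re-run step 1 as the service account to confirm."
}
```

Step 3 only installs an intermediate. A root certificate is a trust decision, which is the point of the reply above: it belongs in the LocalMachine Root store only if the machine's administrator has decided to trust that CA, and the chain engine will keep reporting UntrustedRoot until that decision has been made for the account doing the verification.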

 

Copyright © 2002-2007, The Mentalis.org Team. All rights reserved.
This site is located at http://www.mentalis.org/