Validate certificate

Author
15 Feb 2007 5:35 PM
Cris
Hi,
First of all, I must tell you I'm a newbie in this field. I have some
knowledge, but it's not much.

I have a SOA architecture in .NET 2.0 and a frontend made in PHP. The
users access the frontend using a smartcard that has an x509v3 certificate. The
frontend reads this and sends it to my app through my WS in a SOAP header. I read
the certificate without any problem.

Now the question: the CA for this certificate is installed on another
machine but in the same network. The CA publishes the CRL and I can access
it, so I have the certificate and the URL where the CRL is published, but how can I
validate that the certificate is not revoked? I have looked for a solution for a
long time but I didn't find one.

Any example? URL? Code? Orientation? Or help?

Thanks in advance and sorry for my English.

Author
16 Feb 2007 9:44 AM
Dominick Baier
If you look at the certificate you will find a CDP field (CRL distribution
point) - if you are using the .NET APIs like SignedData.VerifySignature or
X509Chain they check the CRL by default...

Have a look here:
http://msdn.microsoft.com/msdnmag/issues/07/03/NETSecurity/default.aspx

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Hi,
> First of all, I must tell you I'm a newbie in this field. I have some
> knowledge, but it's not much.
> I have a SOA architecture in .NET 2.0 and a frontend made in PHP.
> The users access the frontend using a smartcard that has an x509v3
> certificate. The frontend reads this and sends it to my app through my WS
> in a SOAP header. I read the certificate without any problem.
>
> Now the question: the CA for this certificate is installed on another
> machine but in the same network. The CA publishes the CRL and I can
> access it, so I have the certificate and the URL where the CRL is
> published, but how can I validate that the certificate is not revoked?
> I have looked for a solution for a long time but I didn't find one.
>
> Any example? URL? Code? Orientation? Or help?
>
> Thanks in advance and sorry for my English.
>
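The X509Chain check described in the reply above, as an added example that is not part of the original thread or the linked article. The class and method names, the 15-second timeout and the command-line certificate path are assumptions; the X509Chain members used all exist in .NET 2.0.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck // hypothetical helper, not from the thread
{
    // True only when the chain builds to a root trusted on this machine and
    // revocation status was actually retrieved; an unreachable CRL is a failure.
    public static bool IsTrustedAndNotRevoked(byte[] rawCert, out string reason)
    {
        X509Certificate2 cert = new X509Certificate2(rawCert);
        X509Chain chain = new X509Chain();

        // Spell the policy out so it is visible and cannot be loosened by accident.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;       // fetch CRL via the CDP
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;  // end cert + intermediates
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // tolerate no errors
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);   // assumed value

        bool ok = chain.Build(cert);
        reason = ok ? "chain valid, not revoked" : "chain validation failed";

        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            if ((s.Status & X509ChainStatusFlags.Revoked) != 0)
            {
                reason = "revoked: " + s.StatusInformation;
                return false;
            }
            if ((s.Status & (X509ChainStatusFlags.RevocationStatusUnknown |
                             X509ChainStatusFlags.OfflineRevocation)) != 0)
            {
                // CRL could not be fetched or is stale: fail closed.
                reason = "revocation status unknown: " + s.StatusInformation;
                return false;
            }
            if (!ok) reason = s.Status + ": " + s.StatusInformation;
        }
        return ok;
    }

    static int Main(string[] args)
    {
        // args[0]: path to the DER or Base64 certificate taken from the SOAP header (assumed input).
        string reason;
        bool valid = IsTrustedAndNotRevoked(File.ReadAllBytes(args[0]), out reason);
        Console.WriteLine((valid ? "ACCEPT: " : "REJECT: ") + reason);
        return valid ? 0 : 1;
    }
}
```

The issuing CA's certificate has to be trusted on the machine that runs this check, otherwise the build fails with an untrusted-root status before revocation matters.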
Author
16 Feb 2007 2:10 PM
Cris
Thanks a lot.
This morning (in Spain), after a lot of tests, queries to MSDN and a big
headache, we reached the conclusion described in this (future, it is from March '07)
article: through X509Chain.

I wonder why there is so little information and so few examples about that.


"Dominick Baier" wrote:

> If you look at the certificate you will find a CDP field (CRL distribution
> point) - if you are using the .NET APIs like SignedData.VerifySignature or
> X509Chain they check the CRL by default...
>
> Have a look here:
> http://msdn.microsoft.com/msdnmag/issues/07/03/NETSecurity/default.aspx
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
>
> > Hi,
> > First of all, I must tell you I'm a newbie in this field. I have some
> > knowledge, but it's not much.
> > I have a SOA architecture in .NET 2.0 and a frontend made in PHP.
> > The users access the frontend using a smartcard that has an x509v3
> > certificate. The frontend reads this and sends it to my app through my WS
> > in a SOAP header. I read the certificate without any problem.
> >
> > Now the question: the CA for this certificate is installed on another
> > machine but in the same network. The CA publishes the CRL and I can
> > access it, so I have the certificate and the URL where the CRL is
> > published, but how can I validate that the certificate is not revoked?
> > I have looked for a solution for a long time but I didn't find one.
> >
> > Any example? URL? Code? Orientation? Or help?
> >
> > Thanks in advance and sorry for my English.
> >
>
>
>