CertificateChainPolicy Class

Represents the trust policy for certificate validation.

Syntax

public class CertificateChainPolicy : System.Object

Remarks

The CertificateChainPolicy class is used to configure the trust policy for validating X.509 certificates. It allows you to specify how the certificate chain should be built and verified, including the trusted root certificates and the revocation checking behavior.

When performing certificate validation, the .NET Framework uses a default policy. You can customize this policy by creating an instance of CertificateChainPolicy and modifying its properties before passing it to the certificate validation methods.

Key properties include:

  • RevocationMode: Specifies how certificate revocation lists (CRLs) are checked.
  • ExtraStoreFlags: Provides additional flags to control the certificate store behavior.
  • TrustAnchors: A collection of trusted root certificates.

Properties

Name             Description
ExtraStoreFlags  Gets or sets flags that control the behavior of the certificate store.
RevocationMode   Gets or sets a value that indicates whether certificate revocation checking is performed.
TrustAnchors     Gets a collection of trusted X.509 certificates that are used to build the trust chain.

Inheritance Hierarchy

System.Object
    System.Net.Security.CertificateChainPolicy

Requirements

Type       Version
Namespace  System.Net.Security
Assembly   System.Net.Primitives.dll

Note: Proper configuration of CertificateChainPolicy is crucial for secure network communication. Ensure that your revocation checking is enabled and that your trust anchors are correctly managed to prevent man-in-the-middle attacks.

Example

The following example demonstrates how to create a custom CertificateChainPolicy that disables revocation checking and specifies a custom trust anchor.

using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class Example
{
    public static void Main(string[] args)
    {
        // Create a custom certificate chain policy
        CertificateChainPolicy customPolicy = new CertificateChainPolicy();

        // Disable revocation checking for demonstration purposes (not recommended for production)
        customPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Load a custom trusted root certificate (replace with your actual certificate path)
        try
        {
            X509Certificate2 customRootCert = new X509Certificate2("path/to/your/custom_root.cer");
            customPolicy.TrustAnchors.Add(customRootCert);
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error loading custom root certificate: {ex.Message}");
            // Handle the error appropriately, maybe fall back to default policy
        }

        // You can now use this 'customPolicy' when validating certificates,
        // for example, with SslClientAuthenticationOptions.
        // Console.WriteLine("Custom certificate chain policy configured.");
    }
}
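The same configuration with the settings the Note above recommends (revocation checking left on, and the anchor checked before it is trusted), as an added example that is not part of the original page. It uses only the CertificateChainPolicy members documented above; the HardenedPolicyFactory class name and the anchorPath argument are this example's own assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class HardenedPolicyFactory
{
    // Builds a CertificateChainPolicy that keeps revocation checking enabled and
    // only accepts a trust anchor that is a currently valid CA certificate.
    // It throws instead of silently falling back to the default policy, so a
    // misconfigured anchor fails closed rather than open.
    public static CertificateChainPolicy Create(string anchorPath)
    {
        // anchorPath is a hypothetical, caller-supplied location of the root certificate.
        if (!File.Exists(anchorPath))
            throw new FileNotFoundException("Trust anchor not found; not falling back to the default policy.", anchorPath);

        X509Certificate2 anchor = new X509Certificate2(anchorPath);

        // A trust anchor must be a CA certificate (BasicConstraints with cA=true) ...
        bool isCa = false;
        foreach (X509Extension ext in anchor.Extensions)
        {
            if (ext is X509BasicConstraintsExtension bc && bc.CertificateAuthority)
            {
                isCa = true;
                break;
            }
        }
        if (!isCa)
            throw new InvalidOperationException("Trust anchor is not a CA certificate.");

        // ... and must be inside its validity period at the time the policy is built.
        DateTime now = DateTime.UtcNow;
        if (now < anchor.NotBefore.ToUniversalTime() || now > anchor.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Trust anchor is outside its validity period.");

        CertificateChainPolicy policy = new CertificateChainPolicy();

        // Online revocation checking, the opposite of the NoCheck setting in the example above.
        policy.RevocationMode = X509RevocationMode.Online;

        policy.TrustAnchors.Add(anchor);
        return policy;
    }
}
```

Because every failure path throws, a caller that forgets to handle the exception cannot end up validating against an unintended policy.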