Specifies flags that control the trust of a certificate.
Namespace: System.Net.Security
Assembly: System.Net.Primitives.dll (in .NET Core and .NET 5+) or System.dll (in .NET Framework)
```csharp
[Flags]
public enum CertificateTrustFlags {
    None = 0,
    IsRoot = 1,
    IsIntermediate = 2,
    IsLeaf = 4,
    Untrusted = 8,
    Revoked = 16,
    Expired = 32,
    SelfSigned = 64,
    Unknown = 128
}
```
| Member | Description |
|---|---|
| None | No specific trust flags are set. |
| IsRoot | Indicates that the certificate is a root certificate in a trust chain. |
| IsIntermediate | Indicates that the certificate is an intermediate certificate in a trust chain. |
| IsLeaf | Indicates that the certificate is a leaf (end-entity) certificate. |
| Untrusted | Indicates that the certificate is not trusted by the system. |
| Revoked | Indicates that the certificate has been revoked. |
| Expired | Indicates that the certificate has expired. |
| SelfSigned | Indicates that the certificate is self-signed. |
| Unknown | Indicates that the trust status of the certificate is unknown. |
The CertificateTrustFlags enumeration is used to represent various states of trust associated with an X.509 certificate. These flags can be combined using the bitwise OR operator (|) to represent multiple conditions simultaneously. For example, a self-signed root certificate might be represented as IsRoot | SelfSigned.
This enumeration is particularly useful when examining the properties of a certificate obtained through network communication or from a certificate store, allowing developers to make informed decisions about whether to trust and use the certificate.
The following code example demonstrates how to check specific trust flags on a certificate.
```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class CertificateChecker {
    public static void Main(string[] args) {
        // Assume 'certificate' is an X509Certificate2 object obtained elsewhere.
        // For demonstration, load one from a file.
        var certificate = new X509Certificate2("path/to/your/certificate.cer");

        // In a real scenario you would derive CertificateTrustFlags from an X509Chain:
        // chain.Build(certificate) returns a bool, and chain.ChainStatus (or each
        // element's ChainElementStatus) exposes the X509ChainStatusFlags to map from.
        // For simplicity, set some hypothetical flags manually for this example.
        CertificateTrustFlags trustFlags = CertificateTrustFlags.IsIntermediate | CertificateTrustFlags.Untrusted;

        Console.WriteLine("Certificate Trust Status:");
        // Each test masks the combined value with one flag and checks that the flag survived.
        if ((trustFlags & CertificateTrustFlags.IsRoot) == CertificateTrustFlags.IsRoot) {
            Console.WriteLine("- Is a Root Certificate");
        }
        if ((trustFlags & CertificateTrustFlags.IsIntermediate) == CertificateTrustFlags.IsIntermediate) {
            Console.WriteLine("- Is an Intermediate Certificate");
        }
        if ((trustFlags & CertificateTrustFlags.IsLeaf) == CertificateTrustFlags.IsLeaf) {
            Console.WriteLine("- Is a Leaf Certificate");
        }
        if ((trustFlags & CertificateTrustFlags.Untrusted) == CertificateTrustFlags.Untrusted) {
            Console.WriteLine("- Is Untrusted");
        }
        if ((trustFlags & CertificateTrustFlags.Revoked) == CertificateTrustFlags.Revoked) {
            Console.WriteLine("- Has been Revoked");
        }
        if ((trustFlags & CertificateTrustFlags.Expired) == CertificateTrustFlags.Expired) {
            Console.WriteLine("- Has Expired");
        }
        if ((trustFlags & CertificateTrustFlags.SelfSigned) == CertificateTrustFlags.SelfSigned) {
            Console.WriteLine("- Is Self-Signed");
        }
        // None is the absence of flags, not a positive statement of trust;
        // a masking test cannot detect it, so compare the whole value.
        if (trustFlags == CertificateTrustFlags.None) {
            Console.WriteLine("- Trust status is None (no flags set)");
        }
    }
}
```
Note: In a real application, obtaining and interpreting certificate trust status often involves using the X509Chain class to build a certificate chain and examine the X509ChainStatusFlags associated with each element.
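The mapping the note above describes, from X509Chain results to this page's flags, as an added example that is not code from the .NET documentation: it assumes the CertificateTrustFlags enum exactly as declared at the top of this page is in scope, and uses only the X509Chain, X509ChainElement and X509ChainStatusFlags APIs. The chain position rule (leaf first, self-signed last element is the root) and the IsAcceptable policy are this example's own choices.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class ChainTrustMapper
{
    // Builds the chain for 'leaf' and folds each element's X509ChainStatusFlags into
    // CertificateTrustFlags. Returns one entry per element, leaf first (index 0),
    // in the order X509Chain lays them out.
    public static CertificateTrustFlags[] Map(X509Certificate2 leaf)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.Build(leaf); // the bool result is false when any element carries a status error

        int count = chain.ChainElements.Count;
        var result = new CertificateTrustFlags[count];
        for (int i = 0; i < count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            X509Certificate2 cert = element.Certificate;
            CertificateTrustFlags flags = CertificateTrustFlags.None;

            // Subject equal to issuer means the certificate signed itself.
            bool selfSigned = cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData);
            if (selfSigned) flags |= CertificateTrustFlags.SelfSigned;

            // Position: index 0 is the end entity; a self-signed last element is the root;
            // anything else (including the last element of a partial chain) is intermediate.
            if (i == 0) flags |= CertificateTrustFlags.IsLeaf;
            if (i == count - 1 && selfSigned) flags |= CertificateTrustFlags.IsRoot;
            if (i > 0 && !(i == count - 1 && selfSigned)) flags |= CertificateTrustFlags.IsIntermediate;

            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                X509ChainStatusFlags s = status.Status;
                if (s.HasFlag(X509ChainStatusFlags.Revoked)) flags |= CertificateTrustFlags.Revoked;
                // NotTimeValid covers both expired and not-yet-valid; this page only has Expired.
                if (s.HasFlag(X509ChainStatusFlags.NotTimeValid)) flags |= CertificateTrustFlags.Expired;
                if (s.HasFlag(X509ChainStatusFlags.UntrustedRoot) || s.HasFlag(X509ChainStatusFlags.PartialChain)
                    || s.HasFlag(X509ChainStatusFlags.NotSignatureValid)) flags |= CertificateTrustFlags.Untrusted;
                // Revocation could not be determined: treat as unknown, not as trusted.
                if (s.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown)
                    || s.HasFlag(X509ChainStatusFlags.OfflineRevocation)) flags |= CertificateTrustFlags.Unknown;
            }
            result[i] = flags;
        }
        return result;
    }

    // Example policy: reject if any element is untrusted, revoked, expired, or undeterminable.
    public static bool IsAcceptable(CertificateTrustFlags[] chainFlags)
    {
        const CertificateTrustFlags bad = CertificateTrustFlags.Untrusted | CertificateTrustFlags.Revoked
            | CertificateTrustFlags.Expired | CertificateTrustFlags.Unknown;
        foreach (var f in chainFlags) if ((f & bad) != CertificateTrustFlags.None) return false;
        return true;
    }
}
```

Because Unknown is treated as a failure, an unreachable CRL or OCSP responder rejects the chain rather than silently passing it; relax that only deliberately.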