System.Net.Security.ChainValidationFlags Enum

Namespace: System.Net.Security

Specifies flags that control the behavior of certificate chain validation. This enumeration is used with the X509Certificate2.Verify(X509ChainPolicy) method to customize the validation process.
public enum ChainValidationFlags

Members

Member (value) and description:

None (0)
    No special flags are set. Standard certificate chain validation is performed.

RevocationCheckingEnabled (1)
    Enables revocation checking for certificates in the chain. This includes checking Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses.

AllowUnknownCertificateAuthority (2)
    Allows the validation to succeed even if the certificate authority (CA) is not explicitly trusted by the system's trust store. This is generally not recommended for production environments.

DisablePeerVerification (4)
    Disables verification of the certificate's identity against the peer's identity. This can be useful in scenarios where the certificate is self-signed or the identity is managed out-of-band.

UseOnlineRevocationChecking (8)
    Specifies that online revocation checking (e.g., OCSP) should be used. If this flag is not set and RevocationCheckingEnabled is set, CRL checking might be prioritized.

IgnoreEndDate (16)
    Ignores the end date of the certificate. The certificate will be considered valid regardless of whether its validity period has expired. Use with extreme caution.

IgnoreStartDate (32)
    Ignores the start date of the certificate. The certificate will be considered valid regardless of whether its validity period has begun. Use with extreme caution.

Remarks

The ChainValidationFlags enumeration provides a granular way to control how certificate chains are validated. By default, certificate chain validation includes checking for trust, validity period, and revocation status. These flags allow you to override or augment these default behaviors based on specific application requirements.

It is important to understand the security implications of using these flags. For instance, disabling peer verification or allowing unknown certificate authorities can significantly weaken the security of your application. Always use these options judiciously and with a clear understanding of the risks involved.
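As an added illustration of the remark above (example code written for this page, not part of the original reference or of the .NET sources), the following program contrasts AllowUnknownCertificateAuthority with explicitly pinning a private root. It uses the X509Chain and CertificateRequest APIs from System.Security.Cryptography.X509Certificates and assumes .NET 5 or later for X509ChainTrustMode.CustomRootTrust; the root, leaf and serial number are constructed in memory for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: a leaf from a private CA is validated under a weak policy that
// suppresses UntrustedRoot and under a policy that trusts only the expected root.
public static class PrivateCaValidation
{
    static X509Certificate2 MakeRoot()
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Example Private Root", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }
    static X509Certificate2 MakeLeaf(X509Certificate2 issuer)
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=service.example.internal", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        // Constructed serial number: any positive value without a leading zero byte is acceptable here.
        return req.Create(issuer, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), new byte[] { 0x01, 0x02, 0x03, 0x04 });
    }
    // Builds the chain under the given policy and reports every status the engine recorded.
    static bool Validate(X509Certificate2 leaf, X509ChainPolicy policy, string label)
    {
        using var chain = new X509Chain { ChainPolicy = policy };
        bool ok = chain.Build(leaf);
        Console.WriteLine($"{label}: {(ok ? "accepted" : "rejected")}");
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        return ok;
    }
    public static void Main()
    {
        using X509Certificate2 ourRoot = MakeRoot(), otherRoot = MakeRoot();
        using X509Certificate2 leaf = MakeLeaf(ourRoot);
        // The test certificates carry no CRL/OCSP pointer, so revocation is off here; keep it Online in production.
        var weak = new X509ChainPolicy { RevocationMode = X509RevocationMode.NoCheck, VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority };
        weak.ExtraStore.Add(ourRoot);   // the chain reaches the root, but nothing in the trust store vouches for it
        Validate(leaf, weak, "AllowUnknownCertificateAuthority");   // the flag hides UntrustedRoot for any root at all
        var pinned = new X509ChainPolicy { RevocationMode = X509RevocationMode.NoCheck, TrustMode = X509ChainTrustMode.CustomRootTrust };
        pinned.CustomTrustStore.Add(ourRoot);   // trust exactly this private root and nothing else
        Validate(leaf, pinned, "CustomRootTrust, expected root");
        var wrong = new X509ChainPolicy { RevocationMode = X509RevocationMode.NoCheck, TrustMode = X509ChainTrustMode.CustomRootTrust };
        wrong.CustomTrustStore.Add(otherRoot);
        wrong.ExtraStore.Add(ourRoot);   // chain still builds, but the root is not the pinned one
        Validate(leaf, wrong, "CustomRootTrust, unrelated root");
    }
}
```

Pinning the issuer answers the private-CA use case without turning off trust checks, and the printed chain statuses show which check a given flag would have silenced.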

Example

The following C# code demonstrates how to set custom validation flags for an X509ChainPolicy:

    using System;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    public class CertificateValidationExample
    {
        public static void Main(string[] args)
        {
            X509ChainPolicy policy = new X509ChainPolicy();

            // Enable revocation checking and ignore the end date for this specific validation.
            // The flags come from the ChainValidationFlags enumeration described on this page.
            policy.VerificationFlags = ChainValidationFlags.RevocationCheckingEnabled | ChainValidationFlags.IgnoreEndDate;

            // You can also set other properties, such as UrlRetrievalTimeout.
            policy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0); // 1 minute timeout

            // Assume 'certificate' is the X509Certificate2 object you want to validate.
            // X509Certificate2 certificate = ...;
            // X509Chain chain = new X509Chain();
            // chain.ChainPolicy = policy;
            // bool isValid = chain.Build(certificate);
            // Console.WriteLine($"Certificate is valid: {isValid}");
            // Console.WriteLine($"Validation errors: {chain.ChainStatus.Length}");
            // foreach (X509ChainStatus status in chain.ChainStatus)
            // {
            //     Console.WriteLine($"- {status.StatusInformation}");
            // }
        }
    }

In this example, the certificate chain validation will: