X509ChainPolicy Class

Namespace: System.Security.Cryptography.X509Certificates

Provides a set of properties that control the validation of an X.509 certificate chain.

Overview

The X509ChainPolicy class allows you to configure how the .NET Framework validates X.509 certificate chains. This is crucial for ensuring the authenticity and trustworthiness of digital certificates used in secure communication protocols like SSL/TLS.

You can use this class to define custom policies such as:

  • Specifying the trusted root certificate authorities.
  • Setting revocation checking options.
  • Defining application-specific policy requirements.
  • Controlling the behavior of certificate chain building.

This class is often used in conjunction with the X509Chain class to perform detailed certificate validation.

Syntax

🔷 Visual Basic
Public Class X509ChainPolicy
    Inherits Object
🔷 C#
public class X509ChainPolicy : Object
🔷 C++
public ref class X509ChainPolicy : public Object
🔷 F#
type X509ChainPolicy = class
    inherit Object

Members

  • Constructors

    X509ChainPolicy()
      public X509ChainPolicy()
      Initializes a new instance of the X509ChainPolicy class with default values.

  • Properties

    ApplicationPolicy
      public OidCollection ApplicationPolicy { get; }
      Gets a collection of OIDs that represent the application policies (extended key usage values) that must be present in a certificate for it to be trusted.

    CertificatePolicy
      public OidCollection CertificatePolicy { get; }
      Gets a collection of OIDs that represent the certificate policies the certificate must support.

    RevocationFlag
      public X509RevocationFlag RevocationFlag { get; set; }
      Gets or sets which certificates in the chain are checked for revocation (for example, all certificates or all except the root).

    RevocationMode
      public X509RevocationMode RevocationMode { get; set; }
      Gets or sets whether revocation checking is performed online, from cached information only, or not at all.

    UrlRetrievalTimeout
      public TimeSpan UrlRetrievalTimeout { get; set; }
      Gets or sets the time-out value for retrieving URLs specified in certificates.

    VerificationFlags
      public X509VerificationFlags VerificationFlags { get; set; }
      Gets or sets the verification flags for the chain policy.

    VerificationTime
      public DateTime VerificationTime { get; set; }
      Gets or sets the time at which the certificate chain is verified.

  • Methods

    Reset()
      public void Reset()
      Resets the chain policy to its default values.

Remarks

The X509ChainPolicy class provides a flexible way to configure the validation of X.509 certificates. By adjusting its properties, developers can enforce specific security requirements for their applications.

For example, you can use VerificationFlags to relax specific checks during chain building, such as:

  • X509VerificationFlags.AllowUnknownCertificateAuthority: Allows chains whose root is not in a trusted store (certificates issued by untrusted CAs). Appropriate for diagnostics only, not for production validation.
  • X509VerificationFlags.IgnoreNotTimeValid: Ignores certificates in the chain that have expired or are not yet valid.
  • X509VerificationFlags.NoFlag: Applies no relaxations; every check is enforced. This is the default and the setting production code should keep.

Revocation checking is not controlled by VerificationFlags. Use RevocationMode to choose online, offline (cached) or no revocation checking, and RevocationFlag to choose which certificates in the chain are checked.

The UrlRetrievalTimeout property is important for controlling how long the system will wait for revocation information to be downloaded from URLs specified in the certificate.

Properly configuring certificate validation is essential for preventing man-in-the-middle attacks and ensuring the integrity of your applications.
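An added example, not code from the reference page, showing the policy settings above used together to pin validation to a single private root. CustomTrustStore, TrustMode, ApplicationPolicy, RevocationMode and RevocationFlag are real X509ChainPolicy members (the first two exist only on .NET Core / .NET 5+); the PrivateRootValidator class, the certificate names and the certificates themselves are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the reference page. Targets .NET 5 or later:
// CustomTrustStore and TrustMode are not available on .NET Framework.
public static class PrivateRootValidator
{
    // Validates 'leaf' against only 'privateRoot' and requires the TLS server-auth EKU.
    public static bool Validate(X509Certificate2 leaf, X509Certificate2 privateRoot,
                                X509RevocationMode revocation, out List<X509ChainStatusFlags> problems)
    {
        using var chain = new X509Chain();
        X509ChainPolicy policy = chain.ChainPolicy;
        policy.TrustMode = X509ChainTrustMode.CustomRootTrust;      // ignore the OS root store
        policy.CustomTrustStore.Add(privateRoot);
        policy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.1"));  // id-kp-serverAuth
        policy.RevocationMode = revocation;
        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        policy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);
        // No relaxations: AllowUnknownCertificateAuthority or IgnoreNotTimeValid here would let Build() pass bad chains.
        policy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool ok = chain.Build(leaf);
        problems = new List<X509ChainStatusFlags>();
        foreach (X509ChainStatus s in chain.ChainStatus)
            if (s.Status != X509ChainStatusFlags.NoError) problems.Add(s.Status);
        return ok;
    }

    // Demo with a constructed private root and a leaf it issued (no real infrastructure).
    public static void Main()
    {
        using RSA rootKey = RSA.Create(2048);
        var rootReq = new CertificateRequest("CN=Constructed Private Root", rootKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using X509Certificate2 root = rootReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=service.internal.example", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
        using X509Certificate2 leaf = leafReq.Create(root, DateTimeOffset.UtcNow.AddDays(-1),
            DateTimeOffset.UtcNow.AddDays(90), new byte[] { 1, 2, 3, 4 });
        // The constructed leaf carries no CRL/OCSP URLs, so NoCheck here; use Online in production.
        bool ok = Validate(leaf, root, X509RevocationMode.NoCheck, out var problems);
        Console.WriteLine(ok ? "chain valid" : "chain invalid: " + string.Join(", ", problems));
    }
}
```

Swapping the root passed to Validate for any other certificate makes Build() return false with UntrustedRoot in the problems list, which is the behaviour AllowUnknownCertificateAuthority would mask.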

Examples

⭐ C# Example: Customizing Certificate Chain Policy
using System;
using System.Security.Cryptography.X509Certificates;

public class CertificateValidationExample
{
    public static void Main(string[] args)
    {
        // Load the X509Certificate2 to validate (file path supplied on the command line).
        X509Certificate2 certificate = GetYourCertificate(args);

        using (X509Chain chain = new X509Chain())
        {
            X509ChainPolicy policy = new X509ChainPolicy();

            // Configure the policy:
            // 1. Enable online revocation checking (CRL/OCSP) for every certificate in the
            //    chain except the self-signed root. Revocation is controlled by
            //    RevocationMode and RevocationFlag, not by VerificationFlags.
            policy.RevocationMode = X509RevocationMode.Online;
            policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

            // 2. Bound how long revocation and issuer downloads may take (10 seconds).
            policy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

            // 3. Apply no relaxations: any flag here (e.g. AllowUnknownCertificateAuthority)
            //    makes Build() succeed for chains that should fail.
            policy.VerificationFlags = X509VerificationFlags.NoFlag;

            // 4. Optionally trust only specific root CAs instead of the machine store
            //    (.NET Core / .NET 5+ only; not available on .NET Framework):
            // policy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            // policy.CustomTrustStore.Add(yourPrivateRootCertificate);

            // Apply the policy to the chain object
            chain.ChainPolicy = policy;

            // Build the chain and check for errors
            bool isValid = chain.Build(certificate);

            if (isValid)
            {
                Console.WriteLine("Certificate chain validation succeeded.");
            }
            else
            {
                Console.WriteLine("Certificate chain validation failed.");
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    Console.WriteLine($"- {status.Status}: {status.StatusInformation}");
                }
            }
        }
    }

    // Loads the certificate to validate from a certificate file (.cer/.crt).
    private static X509Certificate2 GetYourCertificate(string[] args)
    {
        if (args.Length < 1)
        {
            throw new ArgumentException("Usage: CertificateValidationExample <certificate-file>");
        }
        return new X509Certificate2(args[0]);
    }
}

Inheritance Hierarchy

System.Object
    System.Security.Cryptography.X509Certificates.X509ChainPolicy

Implements

This class does not implement any interfaces.

See Also