Using intermediate certificates with SslStream and X509Certificate2 in a server application

Question

Using intermediate certificates with SslStream and X509Certificate2 in a server application

I am working on a .Net server application that uses SslStream to expose its SSL sockets. It works with some clients (like libcurl based), but other clients are throwing errors due to missing intermediate certificates. How do I associate an intermediate certificate with an SslStream or X509Certificate2 object to make those clients happy?

Here is the code I am using now when I accept the connection:

X509Certificate2 cert = new X509Certificate2("cert.pfx", "");
theSslStream.BeginAuthenticateAsServer(cert, ...);

If I were using OpenSSL I would do it with SSL_CTX_add_extra_chain_cert()

. I looked at the X509Chain object but can't see how to insert it.

Thank.

+2

c # .net ssl ssl-certificate sslstream

Adam preble 15 oct. At 10:55 pm

source to share

2 answers

Including intermediate certificates in the .pfx file is the solution. You can check that all the correct intermediate certificates are installed at http://www.sslshopper.com/ssl-checker.html

+1

Robert 19 oct. '09 at 12:37

source to share

nitzmahone · Accepted Answer · 2009-10-15T23:27:38+0000

Have you tried including the full chaining in the pfx you are using (like using OpenSSL to wire them all)? I haven't tried this specifically with SSLStream, but WCF doesn't provide an explicit way to include intermediate certificates - it just presents the complete chain automatically if intermediate certificates are available in the .pfx source.

Using intermediate certificates with SslStream and X509Certificate2 in a server application

More articles: