PKI Tutorials - Herong's Tutorial Examples - Version 2.04, by Dr. Herong Yang
Test with CA Certificate Disabled
This section provides a tutorial example on testing .NET program on HTTPS communication with the root CA certificate disabled.
In this tutorial, I want to figure out if .NET does server certificate verification or not. If it does, from where it gets root CA certificates? My first guess is that .NET uses Windows XP certificate stores for root CA certificates.
1. Identify the root CA of login.yahoo.com - This can be done by using IE to view the certificate path on https://login.yahoo.com. See the IE chapter for detailed steps.
DigiCert High Assurance EV Root CA - The root CA certificate |- DigiCert High Assurance CA-3 - An intermediate CA certificate |- login.yahoo.com - The Web server certificate
2. Identify the root CA certificate in the certificate store - It is not that hard to identify the root CA certificate using certificate console as described in the previous chapter. Run certificate console, and I can see that the "DigiCert High Assurance EV Root CA" is in the certificate list in the "Trusted Root Certification Authorities" store.
3. Disable the root CA certificate in the certificate store - Run certificate console and disable "DigiCert High Assurance EV Root CA" as shown in previous tutorials.
4. Run the .NET test program again:
C:\herong>WebReader.exe https://login.yahoo.com <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org... <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in to Yahoo!</title> ...
The test program works with the root CA certificate disabled. This is not what I was expecting. Why? May be .NET is not verifying server certificate. Or may be .NET is using some other ways to verify server certificate. Read the next tutorial for answers.
Last update: 2011.
Table of Contents