How to implement certificate chains? What is the importance/operation?

Viewed 187 times

4

I created a local application in VS, and when I deployed it to the server the application did not have all the resources of the local one. In the application I am using X.509, and I found a difference when listing the CA store:

    using System.Security.Cryptography.X509Certificates;

    //X509Store store = new X509Store("My");
    X509Store store = new X509Store("CA");

When I started looking for differences, I saw that the certificate chains that would be used in the application were not on the server, and when I tried to talk to the administration staff of that server they could not explain it to me or give me a solution to the problem.

Has anyone ever worked with a server with certificate chains (ICP)? What was the best solution?

http://loja.certificadodigital.com.br/Serasa/UPLOAD/Downloads/520.pdf

https://serasa.certificadodigital.com.br/instalacao/cadeia-de-certificados/

http://www.iti.gov.br/icp-brasil/certificados/188-atualizacao/4530-ac-raiz

  • The certificate you used at the local installation, was it created by yourself or not? Was it signed by a Certification Authority (CA), self-signed, or neither? Finally, is your application accessed through a browser? I don’t know the details of the architecture you are using, but in general, to use a certificate that the browser accepts, you need it to be signed by a CA recognized by that browser (detail: ICP-Brasil is not) and both your certificate and the CA certificates must be present (these you download from the CA itself).

  • What I wrote above is only valid for certificates used to identify a website (https). If the purpose of these certificates is different (for example, signing digital documents such as tax notes), disregard it. I can give you an answer explaining the certification chain in general terms, but I would like you to give more details of how you are using certificates in your system, for what, and what error you are getting. Then maybe I can even propose a practical solution for your case.

  • The certificate used locally is from ICP; in my case I used Serasa’s because I have a smart card belonging to Serasa. I basically typed "certificate chain ICP" into Google and installed it on the machine; it is through the browser that the application is accessed. The purpose of the application would be signing.

  • No error appears; the system on the server does not read the smart card, and I believe it is for lack of the certificate chain. When I add this chain, will it not influence https? What’s the difference?

  • 1

    Reading the certificates on the smart card is done by a client application, usually installed as a browser plugin. In fact, there is a tool installed with the plugin that allows you to extract all the certificates of the chain.

  • @Eduardo Forget what I said: https is one thing, digital signature is another (one won’t interfere with the other, because the certificates used are different). I’m on mobile now (no internet on the computer), but as soon as I can I will explain better. Just to clarify: ICP is the same as PKI in English, ICP-Brasil is a government body responsible for the national ICP, and Serasa in this case would be acting as a Registrar Authority (RA) subordinate to ICP-Brasil (the CA). The certification chain is therefore ICP-Brasil -> Serasa -> you.

  • Thank you, @mgibsonbr.
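As an added example (not code from the question or the comments), this is how a practitioner would check on the server whether the chain described above (ICP-Brasil -> Serasa -> end-entity certificate) can actually be built from the local certificate stores, and how the missing intermediate would be installed into the same "CA" store the question opens. The PFX and .cer paths and the password are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

class ChainCheck
{
    // Try to build the chain of a signer certificate from the Windows stores and report
    // every element and status. PartialChain means an issuer certificate is missing from
    // the Intermediate CA / Trusted Root stores; UntrustedRoot means the root is present
    // but not in Trusted Root Certification Authorities.
    static bool ChainBuilds(X509Certificate2 leaf)
    {
        using var chain = new X509Chain();
        // Revocation is skipped here on purpose: the question is whether the intermediate and
        // root certificates are present and link up, not whether the certificate is revoked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(leaf);
        Console.WriteLine($"Chain built: {ok}, elements: {chain.ChainElements.Count}");
        foreach (X509ChainElement el in chain.ChainElements)
        {
            Console.WriteLine($"  {el.Certificate.Subject}");
            Console.WriteLine($"    issued by {el.Certificate.Issuer}");
            foreach (X509ChainStatus st in el.ChainElementStatus)
                Console.WriteLine($"    status: {st.Status} {st.StatusInformation.Trim()}");
        }
        foreach (X509ChainStatus st in chain.ChainStatus)
            Console.WriteLine($"Overall: {st.Status} {st.StatusInformation.Trim()}");
        return ok;
    }

    // Install an intermediate CA certificate (e.g. Serasa's, downloaded from the CA itself)
    // into the machine-wide Intermediate Certification Authorities store, which is the
    // store the question opens as new X509Store("CA"). Requires administrative rights.
    static void InstallIntermediate(string cerPath)
    {
        using var store = new X509Store(StoreName.CertificateAuthority, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(new X509Certificate2(cerPath));
    }

    static void Main()
    {
        // Placeholders: the signer's certificate (with key) and the missing intermediate.
        using var leaf = new X509Certificate2("signer.pfx", "changeit");
        if (!ChainBuilds(leaf))
        {
            InstallIntermediate("serasa-intermediate.cer");
            ChainBuilds(leaf); // re-check after installing the intermediate
        }
    }
}
```

The same check run on the developer machine and on the server shows directly which chain element the server lacks, which is the difference the question is about.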

No answers
