Important: This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
You must validate the certificate provided by the server that is attempting to establish its identity. To manually validate the server certificate, you must first get it. Call the QueryContextAttributes function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure containing the certificate supplied by the server. This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.
If the certificate chain has more than two certificates, the intermediate certificates may be located in the certificate store specified by the hCertStore field of the CERT_CONTEXT structure.
Using the leaf certificate you must verify the following information:
- The certificate chain is complete and the root is a certificate from a trusted certification authority (CA).
- The current time is not beyond the begin and end dates for each of the certificates in the certificate chain.
- The depth of the leaf certificate is not deeper than the maximum allowable depth specified in the certificate extension. This check is only necessary if there is a depth specified.
- The usage of the certificate is correct, for example, a client certificate should not be used to authenticate a server.
- For server authentication, the server identity contained in the server's leaf certificate matches the server that the client is attempting to contact. Typically, the client will match some item in the certificate's Subject Name field to the server's IP address or DNS name.
You can use CertGetCertificateChain to verify the first four items in the list above; the fifth item, the match between the server identity in the leaf certificate and the server being contacted, must be checked separately.