Important:
This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
4/8/2010

You must validate the certificate provided by the server that is attempting to establish its identity. To manually validate the server certificate, you must first get it. Use the QueryContextAttributes function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure containing the certificate supplied by the server. This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.

If the certificate chain has more than two certificates, the intermediate certificates may be located in the certificate store specified by the hCertStore field of the CERT_CONTEXT structure.

Using the leaf certificate, you must verify the following information:

  • The certificate chain is complete and the root is a certificate from a trusted certification authority (CA).

  • The current time falls between the begin and end dates of each certificate in the certificate chain.

  • The depth of the leaf certificate is not deeper than the maximum allowable depth specified in the certificate extension. This check is only necessary if there is a depth specified.

  • The usage of the certificate is correct; for example, a client certificate should not be used to authenticate a server.

  • For server authentication, the server identity contained in the server's leaf certificate matches the server that the client is attempting to contact. Typically, the client will match some item in the certificate's Subject Name field to the server's IP address or DNS name.

You can use CertGetCertificateChain to verify the first four items in the list above.
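That leaves the fifth item, the server name comparison, to the caller. The following is an added example, not code from the original page: a portable C sketch of that comparison. The helper name `cert_name_matches_host`, its signature, and the wildcard and embedded-NUL handling are assumptions that go beyond what the page describes, and it assumes the name and its encoded length have already been extracted from the leaf certificate.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes (DNS names ignore case). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Hypothetical helper; the name and signature are assumptions, not a Windows API.
 * cert_name/cert_len: name bytes and encoded length taken from the leaf certificate.
 * host: the DNS name or IPv4 address the client intended to contact.
 * Returns 1 on a match, 0 otherwise.
 */
int cert_name_matches_host(const char *cert_name, size_t cert_len, const char *host)
{
    if (cert_name == NULL || host == NULL || cert_len == 0 || *host == '\0')
        return 0;
    /* A NUL inside the encoded name would cut C-string comparisons short. */
    if (memchr(cert_name, '\0', cert_len) != NULL)
        return 0;

    size_t host_len = strlen(host);
    if (cert_len > 2 && cert_name[0] == '*' && cert_name[1] == '.') {
        const char *suffix = cert_name + 1;          /* e.g. ".example.com" */
        size_t suffix_len = cert_len - 1;
        const char *inner = memchr(suffix + 1, '.', suffix_len - 1);
        const char *first_dot = strchr(host, '.');
        /* Reject over-broad patterns such as "*.com" and any second '*'. */
        if (inner == NULL || inner == cert_name + cert_len - 1 ||
            memchr(suffix, '*', suffix_len) != NULL)
            return 0;
        /* No match for IPv4 literals; '*' is exactly one non-empty label. */
        if (strspn(host, "0123456789.") == host_len ||
            first_dot == NULL || first_dot == host)
            return 0;
        return strlen(first_dot) == suffix_len &&
               eq_nocase(first_dot, suffix, suffix_len);
    }
    /* Any other '*' placement is refused; otherwise require an exact match. */
    if (memchr(cert_name, '*', cert_len) != NULL)
        return 0;
    return host_len == cert_len && eq_nocase(cert_name, host, cert_len);
}
```

Pass the host name the client originally intended to contact, not a name obtained from the connection itself.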
