Hi Pete,

Thank you for your response. The server I'm trying to access is a local server with a certificate chain of three certificates. When I access the server using a browser, I can view the chain with a root CA, a technical CA in between and the server certificate itself. For some reason I don't receive them when using the TlsProtocolHandler class. At this moment I don't know if the server returns all certificates and, if not, why that happens.
For SSL Pinning I want to receive the root CA from the server to be able to guarantee that it is indeed the correct root CA.

Regards,
Edwin.

On Thu, Jul 18, 2013 at 3:44 AM, Peter Dettman <[email protected]> wrote:
> Hi Edwin,
> NotifyServerCertificate simply passes through the certificate chain sent
> by the server, details of which you didn't provide. So if there is only one
> certificate in the chain, only one was sent by the server.
>
> This comment from RFC 2246 may help to explain why:
>
>     certificate_list
>         This is a sequence (chain) of X.509v3 certificates. The sender's
>         certificate must come first in the list. Each following
>         certificate must directly certify the one preceding it. Because
>         certificate validation requires that root keys be distributed
>         independently, the self-signed certificate which specifies the
>         root certificate authority may optionally be omitted from the
>         chain, under the assumption that the remote end must already
>         possess it in order to validate it in any case.
>
> Regards,
> Pete Dettman
>
> On 16/07/2013 5:17 PM, Edwin Van Schaick wrote:
>
>> Hello,
>>
>> I am currently implementing a TLS client to perform custom certificate
>> validation of the root certificate to do SSL Pinning. I've created a
>> class, that inherits from DefaultTlsClient. In the GetAuthentication
>> method I supply another class, that implements the TlsAuthentication
>> interface.
>>
>> However, in the NotifyServerCertificate method the serverCertificate
>> parameter seems to have only one certificate in the certs member,
>> while I would expect all certificates in the chain, including the Root
>> CA certificate I want to verify. How can I access the Root CA
>> certificate from the chain?
>>
>> The implementation is done for Windows Phone 7 & 8.
>>
>> Best regards,
>>
>> Edwin.
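The practical consequence of Pete's RFC 2246 quote is that a pinning client should not depend on the root certificate being present in the chain at all: the server may send only the leaf, or the leaf plus the intermediate ("technical") CA. The sketch below is an added example, not code from this thread or from the Bouncy Castle project, of a DefaultTlsClient/TlsAuthentication pair that pins on the SHA-256 hash of the SubjectPublicKeyInfo (SPKI) of whatever certificates the server actually sends, so it keeps working whether or not the root is included. It assumes the Bouncy Castle C# TLS API names DefaultTlsClient, TlsAuthentication, Certificate.GetCertificateList(), TlsFatalAlert and AlertDescription.bad_certificate (older releases expose the chain through the public certs field mentioned in the original post instead of GetCertificateList()); the pin value is a placeholder to be computed out of band from the intermediate or leaf certificate the browser shows.

```csharp
using System;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto.Digests;
using Org.BouncyCastle.Crypto.Tls;
using Org.BouncyCastle.Utilities.Encoders;

// Client that pins on the SPKI hash of any certificate the server actually sends
// (leaf or intermediate). It does not require the self-signed root, which RFC 2246
// allows the server to omit from the certificate_list.
public class PinnedTlsClient : DefaultTlsClient
{
    private readonly string[] pins; // lower-case hex SHA-256 of DER SubjectPublicKeyInfo

    public PinnedTlsClient(string[] spkiSha256HexPins)
    {
        pins = spkiSha256HexPins;
    }

    public override TlsAuthentication GetAuthentication()
    {
        return new SpkiPinningAuthentication(pins);
    }
}

public class SpkiPinningAuthentication : TlsAuthentication
{
    private readonly string[] pins;

    public SpkiPinningAuthentication(string[] pins)
    {
        this.pins = pins;
    }

    // Receives exactly the chain the server sent; Bouncy Castle adds nothing locally.
    public void NotifyServerCertificate(Certificate serverCertificate)
    {
        X509CertificateStructure[] chain =
            serverCertificate == null ? new X509CertificateStructure[0]
                                      : serverCertificate.GetCertificateList();

        if (chain.Length == 0)
            throw new TlsFatalAlert(AlertDescription.bad_certificate);

        // Accept if any presented certificate carries a pinned public key. Pinning
        // the intermediate CA's key survives leaf rotation; pinning the leaf is stricter.
        foreach (X509CertificateStructure cert in chain)
        {
            string spkiHash = SpkiSha256Hex(cert);
            foreach (string pin in pins)
            {
                if (string.Equals(pin, spkiHash, StringComparison.OrdinalIgnoreCase))
                    return;
            }
        }

        // Fail closed: no pinned key anywhere in the presented chain.
        throw new TlsFatalAlert(AlertDescription.bad_certificate);
    }

    public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
    {
        return null; // no client certificate authentication in this example
    }

    // Hash of the DER-encoded SubjectPublicKeyInfo; the same helper is used out of band
    // to compute the pin to embed in the application.
    public static string SpkiSha256Hex(X509CertificateStructure cert)
    {
        byte[] spki = cert.SubjectPublicKeyInfo.GetDerEncoded();
        Sha256Digest digest = new Sha256Digest();
        digest.BlockUpdate(spki, 0, spki.Length);
        byte[] hash = new byte[digest.GetDigestSize()];
        digest.DoFinal(hash, 0);
        return Hex.ToHexString(hash);
    }
}

// Usage (hypothetical stream and placeholder pin):
//   TlsClient client = new PinnedTlsClient(new[] { "<sha256-hex-of-pinned-spki>" });
//   TlsProtocolHandler handler = new TlsProtocolHandler(netStream, netStream);
//   handler.Connect(client); // throws TlsFatalAlert when no pin matches
```

Two points a practitioner would check before shipping this: the pin set should contain a backup key so that a planned key rotation on the server does not lock clients out, and an SPKI pin is a supplement to, not a replacement for, ordinary path validation (expiry, name matching and signature checks against a trust anchor embedded in the app), since NotifyServerCertificate is the only place this client sees the chain.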
