Hi, I have trouble creating a certificate chain. I'm trying to create an X509Chain of a signed certificate and the CA of my AWS Private Certificate Authority.
So I have this code:
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Amazon.ACMPCA;
using Amazon.ACMPCA.Model;

// _client is an IAmazonACMPCA instance, _arn is the private CA's ARN.
private async Task<X509Certificate2?> RequestSign(byte[] csr)
{
    var issueCertificateRequest = new IssueCertificateRequest
    {
        CertificateAuthorityArn = _arn,
        Csr = new MemoryStream(csr),
        SigningAlgorithm = SigningAlgorithm.SHA256WITHECDSA,
        Validity = new Validity
        {
            Type = ValidityPeriodType.DAYS,
            Value = 365
        }
    };

    // Ask the private CA to sign the CSR; the response only carries the new certificate's ARN.
    var issueCertificateResponse = await _client.IssueCertificateAsync(issueCertificateRequest);
    if (issueCertificateResponse == null || issueCertificateResponse.HttpStatusCode != System.Net.HttpStatusCode.OK)
    {
        return null;
    }

    // Fetch the issued certificate (PEM) together with its CA chain.
    var request = new GetCertificateRequest()
    {
        CertificateArn = issueCertificateResponse.CertificateArn,
        CertificateAuthorityArn = _arn,
    };
    var response = await _client.GetCertificateAsync(request);
    if (response == null || response.HttpStatusCode != System.Net.HttpStatusCode.OK)
    {
        return null;
    }

    // response.Certificate is the leaf certificate as a PEM string.
    return X509Certificate2.CreateFromPem(response.Certificate);
}
This function signs the certificate using the ARN in the IssueCertificateRequest and creates an X509Certificate2 certificate.
I also export the CA certificate using the CertificateChain field from the response; it is the public key of the CA certificate.
Then I try to build the chain:
using System;
using System.Security.Cryptography.X509Certificates;

// Chains() returns the CA certificate(s) exported from response.CertificateChain,
// LoadLeathWithPrivateKey() returns the signed leaf certificate with its private key.
using (X509Chain x509Chain = new X509Chain())
{
    foreach (X509Certificate2 additionalCertificate in Chains())
    {
        x509Chain.ChainPolicy.ExtraStore.Add(additionalCertificate);
    }
    // AllFlags suppresses every chain validation error.
    x509Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
    x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    x509Chain.ChainPolicy.DisableCertificateDownloads = false;
    var t = x509Chain.Build(LoadLeathWithPrivateKey());
    Console.WriteLine($"Chain Elements Count: {x509Chain.ChainElements.Count}");
}
And this x509Chain contains only 1 certificate, but it has to contain 2. So it looks like the public CA (the one that was exported from response.CertificateChain) didn't sign my certificate. How can I resolve this issue?
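An added example (not the poster's code) that builds the chain from the two PEM strings a GetCertificate response returns, imports every certificate in the CertificateChain bundle (CreateFromPem only reads the first CERTIFICATE block), trusts the private CA explicitly as a custom root instead of using AllFlags, and prints each element and status so a missing issuer is visible. It assumes `leafPem` is response.Certificate and `caChainPem` is response.CertificateChain.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class PrivateCaChainCheck
{
    // Returns true only when the leaf chains to the supplied private CA with no errors.
    public static bool BuildAndReport(string leafPem, string caChainPem)
    {
        using var leaf = X509Certificate2.CreateFromPem(leafPem);

        // ImportFromPem loads every CERTIFICATE block in the bundle (sub CA + root),
        // whereas CreateFromPem would return only the first one.
        var cas = new X509Certificate2Collection();
        cas.ImportFromPem(caChainPem);

        // Diagnostic: the leaf's Issuer DN must equal the Subject DN of one of the CAs,
        // otherwise the bundle simply does not belong to the CA that signed the leaf.
        bool issuerPresent = false;
        foreach (X509Certificate2 ca in cas)
            if (ca.Subject == leaf.Issuer) issuerPresent = true;
        Console.WriteLine($"Issuer '{leaf.Issuer}' found in bundle: {issuerPresent}");

        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.DisableCertificateDownloads = true;
        // Anchor trust on the private CA itself rather than the machine root store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(cas);
        chain.ChainPolicy.ExtraStore.AddRange(cas);

        bool ok = chain.Build(leaf);

        Console.WriteLine($"Build: {ok}, elements: {chain.ChainElements.Count}");
        foreach (X509ChainElement el in chain.ChainElements)
            Console.WriteLine($"  {el.Certificate.Subject}  (issuer: {el.Certificate.Issuer})");
        foreach (X509ChainStatus st in chain.ChainStatus)
            Console.WriteLine($"  status: {st.Status} {st.StatusInformation}");

        return ok && chain.ChainStatus.Length == 0;
    }
}
```

A result of one element with an issuer that is not in the bundle means the wrong CA material was exported, not that the chain policy is misconfigured.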