Manually Validating Schannel Credentials (Windows Embedded CE 6.0)

1/6/2010

You must validate the certificate provided by the server that is attempting to establish its identity. To manually validate the server certificate, you must first get it. Use the QueryContextAttributes function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure containing the certificate supplied by the server. This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.

If the certificate chain has more than two certificates, the intermediate certificates may be located in the certificate store specified by the hCertStore field of the CERT_CONTEXT structure.

Using the leaf certificate you must verify the following information:

  • The certificate chain is complete and the root is a certificate from a trusted certification authority (CA).
  • The current time falls within the validity period (between the begin and end dates) of each certificate in the certificate chain.
  • The depth of the leaf certificate is not deeper than the maximum allowable depth specified in the certificate extension. This check is only necessary if there is a depth specified.
  • The usage of the certificate is correct; for example, a client certificate should not be used to authenticate a server.
  • For server authentication, the server identity contained in the server's leaf certificate matches the server that the client is attempting to contact. Typically, the client will match some item in the certificate's Subject Name field to the server's IP address or DNS name.

You can use CertGetCertificateChain to verify the first four items in the list above. It does not perform the fifth item, the server identity check, which you must carry out separately against the leaf certificate.

See Also

Reference

Authentication Services Reference

Concepts

Schannel Security Support Provider
Security Support Provider Interface Architecture
Security Packages
Authentication Services Security
Authentication Services Registry Settings

Other Resources

Authentication Services