Troubleshooting certificate chain creation using my Private Certificate Authority


Hi, I have trouble creating a certificate chain. I'm trying to create an X509Chain of a signed certificate and the CA of my AWS Private Certificate Authority. So I have this code:

// Requires: Amazon.ACMPCA, Amazon.ACMPCA.Model, System.IO,
// System.Security.Cryptography.X509Certificates
private async Task<X509Certificate2?> RequestSign(byte[] csr)
{
    var issueCertificateRequest = new IssueCertificateRequest
    {
        CertificateAuthorityArn = _arn,
        Csr = new MemoryStream(csr),
        SigningAlgorithm = SigningAlgorithm.SHA256WITHECDSA,
        Validity = new Validity
        {
            Type = ValidityPeriodType.DAYS,
            Value = 365
        }
    };
    var issueCertificateResponse = await _client.IssueCertificateAsync(issueCertificateRequest);
    if (issueCertificateResponse == null || issueCertificateResponse.HttpStatusCode != System.Net.HttpStatusCode.OK)
        return null;

    // Note: ACM PCA issues asynchronously; GetCertificate can throw RequestInProgressException
    // until the certificate is ready, so callers may need to retry.
    var request = new GetCertificateRequest()
    {
        CertificateArn = issueCertificateResponse.CertificateArn,
        CertificateAuthorityArn = _arn,
    };
    var response = await _client.GetCertificateAsync(request);
    if (response == null || response.HttpStatusCode != System.Net.HttpStatusCode.OK)
        return null;

    // response.Certificate is the leaf PEM; response.CertificateChain holds the CA chain PEM
    return X509Certificate2.CreateFromPem(response.Certificate);
}

This function signs the certificate using the ARN in IssueCertificateRequest and creates an X509Certificate2 certificate. I also export the CA certificate from the CertificateChain field of the response; it is the public CA certificate. Then I try to build the chain:

using (X509Chain x509Chain = new X509Chain())
{
    foreach (X509Certificate2 additionalCertificate in Chains())
    {
        // Loop body was missing from the post; assumed to add the CA certificates as path-building candidates
        x509Chain.ChainPolicy.ExtraStore.Add(additionalCertificate);
    }
    x509Chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
    x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    x509Chain.ChainPolicy.DisableCertificateDownloads = false;
    var t = x509Chain.Build(LoadLeathWithPrivateKey());
    Console.WriteLine($"Chain Elements Count: {x509Chain.ChainElements.Count}");
}

And this x509Chain contains only 1 certificate, but it has to contain 2. So it looks like the public CA (the one exported from response.CertificateChain) didn't sign my certificate. How can I resolve this issue?

asked 3 months ago · 65 views
No answers
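An added example, not code from the question or from the AWS SDK, showing how a private-CA chain can be built and diagnosed: it imports the whole CA bundle with X509Certificate2Collection.ImportFromPem (X509Certificate2.CreateFromPem reads only the first certificate in a PEM string), pins the self-signed root through CustomRootTrust instead of the OS store, and leaves VerificationFlags at the default so ChainStatus explains why a path stopped at the leaf. The root and leaf are constructed in-process with CertificateRequest as a stand-in for ACM PCA output, BuildPrivateChain is a hypothetical name, and .NET 7 or later is assumed for ExportCertificatePem.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Builds the chain for 'leaf' against a private CA without touching the OS trust store.
    // 'chainPem' is the full PEM bundle (intermediates + root), i.e. what CertificateChain carries.
    public static bool BuildPrivateChain(X509Certificate2 leaf, string chainPem)
    {
        // CreateFromPem reads only the FIRST certificate in a PEM string; a CA bundle
        // may hold several, so import the whole collection instead.
        var caCerts = new X509Certificate2Collection();
        caCerts.ImportFromPem(chainPem);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        foreach (var ca in caCerts)
        {
            chain.ChainPolicy.ExtraStore.Add(ca);                 // candidates for path building
            if (ca.SubjectName.RawData.AsSpan().SequenceEqual(ca.IssuerName.RawData))
                chain.ChainPolicy.CustomTrustStore.Add(ca);       // self-signed => trust anchor
        }
        // VerificationFlags stays NoFlag: AllFlags makes Build() return true while
        // hiding why the path stopped at the leaf.
        bool ok = chain.Build(leaf);
        Console.WriteLine($"Build: {ok}, elements: {chain.ChainElements.Count}");
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation}");
        return ok;
    }

    // Constructed fixture: a self-signed ECDSA root and a leaf it signs, standing in for ACM PCA output.
    static void Main()
    {
        using var rootKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var rootReq = new CertificateRequest("CN=Test Private Root", rootKey, HashAlgorithmName.SHA256);
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(rootReq.PublicKey, false));
        using var root = rootReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
        using var leafKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var leafReq = new CertificateRequest("CN=leaf.example.test", leafKey, HashAlgorithmName.SHA256);
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F;                                         // keep the serial number positive
        using var leaf = leafReq.Create(root, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(365), serial);
        BuildPrivateChain(leaf, root.ExportCertificatePem());     // the CA bundle, as CertificateChain would carry it
    }
}
```

A correctly linked leaf produces two chain elements here; if the count stays at one, ChainStatus names the reason (for example PartialChain when no issuer in ExtraStore matches the leaf's issuer name).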
