Wednesday 30 November 2016

SignedCms CmsSigner error A certificate chain could not be built to a trusted root authority

While trying to sign bytes with an X509Certificate2, it threw the exception
"System.Security.Cryptography.CryptographicException: A certificate chain could not be built to a trusted root authority"

I made a small change and now everything is working fine with signer.IncludeOption = X509IncludeOption.EndCertOnly;

My modified code is:


using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

private static byte[] Sign(byte[] data, X509Certificate2 certificate)
{
    if (data == null)
        throw new ArgumentNullException("data");
    if (certificate == null)
        throw new ArgumentNullException("certificate");

    // Building the chain here is only a diagnostic: the return value is not used,
    // but ch.ChainStatus can be inspected in the debugger to see why the chain to a
    // trusted root fails (for example UntrustedRoot or PartialChain).
    using (X509Chain ch = new X509Chain())
    {
        ch.Build(certificate);
    }

    // setup the data to sign (detached = false: the content is embedded in the CMS blob)
    ContentInfo content = new ContentInfo(data);
    SignedCms signedCms = new SignedCms(content, false);
    CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, certificate);

    // EndCertOnly embeds only the signer certificate, so no chain to a trusted root
    // is built at signing time. Use if Error: A certificate chain could not be built
    // to a trusted root authority.
    signer.IncludeOption = X509IncludeOption.EndCertOnly;

    // create the signature
    signedCms.ComputeSignature(signer);
    return signedCms.Encode();
}
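The program below is an added example, not code from the original post. It shows what X509IncludeOption actually changes: with EndCertOnly the signer skips building the chain (so the exception cannot occur), but the signature is no more trusted than before, and a verifier that does a full CheckSignature still needs the issuing chain, either installed on its host or passed in through extraStore. The example first reports why X509Chain fails for the certificate (the same diagnostic the snippet above performs but discards), signs the same payload with ExcludeRoot (the default) and with EndCertOnly, and then verifies each blob twice, once signature-only and once with chain validation. It assumes .NET 6 or later with the System.Security.Cryptography.Pkcs package, and it uses a throwaway self-signed certificate generated in memory so it runs offline; the class and method names (CmsIncludeOptionDemo, DescribeChain, Sign, Verify) are mine, not part of any library. Whether the ExcludeRoot pass throws depends on the runtime's CMS implementation and the host's trust store (the CAPI-based .NET Framework implementation is where the post's error is seen; the managed implementation in newer .NET is more lenient), so the program prints whichever outcome occurred rather than asserting one.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original post. Assumes .NET 6+ with the
// System.Security.Cryptography.Pkcs package. The signer certificate is a
// throwaway self-signed one generated in memory so the program runs offline.
static class CmsIncludeOptionDemo
{
    // Report why X509Chain cannot reach a trusted root for this certificate.
    public static string DescribeChain(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // no network access
        bool ok = chain.Build(cert);
        var reasons = chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}");
        return ok ? "chain OK" : "chain failed: " + string.Join("; ", reasons);
    }

    // Same signing routine as the post, with the include option as a parameter.
    public static byte[] Sign(byte[] data, X509Certificate2 cert, X509IncludeOption include)
    {
        var signedCms = new SignedCms(new ContentInfo(data), detached: false);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert)
        {
            IncludeOption = include,
            DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1"), // SHA-256
        };
        signedCms.ComputeSignature(signer);
        return signedCms.Encode();
    }

    // Verifier side: the signature check and the trust-chain check are separate steps.
    public static (bool SignatureOk, bool ChainOk, int EmbeddedCerts) Verify(
        byte[] cms, X509Certificate2Collection extraStore)
    {
        var signedCms = new SignedCms();
        signedCms.Decode(cms);

        // Cryptographic check only: is the signature valid for the embedded certificate?
        bool signatureOk = Check(() => signedCms.CheckSignature(verifySignatureOnly: true));
        // Full check: can the signer certificate be chained to a trusted root, using
        // the embedded certificates plus anything the verifier supplies in extraStore?
        bool chainOk = Check(() => signedCms.CheckSignature(extraStore, verifySignatureOnly: false));
        return (signatureOk, chainOk, signedCms.Certificates.Count);
    }

    static bool Check(Action verify)
    {
        try { verify(); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=cms include-option demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        // Not issued by anything in the trusted root store, so expect UntrustedRoot.
        Console.WriteLine(DescribeChain(cert));

        byte[] payload = Encoding.UTF8.GetBytes("constructed sample payload"); // constructed input
        var emptyStore = new X509Certificate2Collection(); // verifier has no extra intermediates

        foreach (var include in new[] { X509IncludeOption.ExcludeRoot, X509IncludeOption.EndCertOnly })
        {
            try
            {
                byte[] cms = Sign(payload, cert, include);
                var (sigOk, chainOk, certs) = Verify(cms, emptyStore);
                Console.WriteLine($"{include}: signed, {certs} cert(s) embedded, " +
                                  $"signature valid={sigOk}, chain trusted={chainOk}");
            }
            catch (CryptographicException ex)
            {
                // This is the failure the post describes: the signer tried to build the
                // chain for embedding and could not reach a trusted root.
                Console.WriteLine($"{include}: {ex.Message}");
            }
        }
    }
}
```

The signature-only verification succeeds for the EndCertOnly blob because the signer certificate is embedded and the RSA signature is valid; the chain verification fails because nothing in the demo makes the self-signed certificate trusted. The same split applies to a CA-issued certificate: EndCertOnly is a reasonable choice when the relying party already has the intermediates, but if the error appears on a host that should have them, installing the issuing chain on the signing machine fixes the cause rather than hiding it.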


Microsoft Reference
https://blogs.msdn.microsoft.com/dsnotes/2014/08/26/using-x509includeoption-to-avoid-system-security-cryptography-cryptographicexception-a-certificate-chain-could-not-be-built-to-a-trusted-root-authority/