using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
/// <summary>
/// Entry point: runs the TLS handshake demo against a host with a normal chain and
/// against a host whose name advertises that it serves an incomplete chain.
/// </summary>
/// <param name="args">Unused; the target hosts are fixed.</param>
public static void Main(string[] args)
{
    string[] hosts = { "www.google.com", "incomplete-chain.badssl.com" };
    foreach (var host in hosts)
    {
        Connect(host);
    }
}
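/// <summary>
/// Opens a TCP connection to <paramref name="url"/> on port 443 and performs a TLS client
/// handshake, routing the server certificate through
/// <see cref="ServerCertificateValidationCallback"/>.
/// </summary>
/// <param name="url">Host name to connect to; it is also passed as the target host of the handshake.</param>
/// <exception cref="SocketException">The TCP connection could not be established.</exception>
/// <exception cref="System.Security.Authentication.AuthenticationException">
/// The handshake failed, which includes the callback returning <c>false</c>.
/// </exception>
private static void Connect(string url)
{
    // The client and the SslStream were previously never disposed; scope them so the
    // socket is closed deterministically once the handshake (all this demo needs) is done.
    using (var client = new TcpClient(url, 443))
    using (var ssl = new SslStream(client.GetStream(), false, ServerCertificateValidationCallback))
    {
        ssl.AuthenticateAsClient(url);
    }
}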
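/// <summary>
/// Certificate validation callback for <see cref="SslStream"/>. When the platform validator
/// reports a problem, prints the subjects of the certificates it was given and whether they
/// link up by name to a certificate in the local root stores, then rejects the connection.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="certificate">Unused; the chain is inspected instead.</param>
/// <param name="chain">Chain built by the platform; may be null when no certificate was received.</param>
/// <param name="sslPolicyErrors">Verdict of the platform validator.</param>
/// <returns><c>true</c> only when <paramref name="sslPolicyErrors"/> is <see cref="SslPolicyErrors.None"/>.</returns>
private static bool ServerCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // Nothing to diagnose when the platform validator was satisfied.
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;
    }

    if (chain == null)
    {
        Console.WriteLine("No certificate chain was supplied.");
        return false;
    }

    // NOTE(review): ExtraStore holds the certificates handed to the chain engine; the path
    // the engine actually built is chain.ChainElements. Kept as the original had it.
    var certs = chain.ChainPolicy.ExtraStore;
    Console.WriteLine("Certificate Subjects:");
    foreach (X509Certificate2 x in certs)
    {
        Console.WriteLine(x.Subject);
    }

    // Subject names of the local root stores; string ==/!= is ordinal, so use the same comparer.
    var store = new HashSet<string>(GetRootCertificates().Select(x => x.Subject), StringComparer.Ordinal);

    // Walk from the last entry towards index 0. A link is explained either by the previous
    // entry (certs[i - 1] issued certs[i]) or by a local root. The i > 0 guard fixes the
    // original, which compared certs[i] with certs[i - 1] all the way down to i == 0 and
    // therefore indexed certs[-1]. An empty list has no link to check and is reported as not valid.
    var result = certs.Count > 0;
    for (var i = certs.Count - 1; i >= 0 && result; i--)
    {
        var issuedByPrevious = i > 0 && certs[i].Issuer == certs[i - 1].Subject;
        if (issuedByPrevious)
        {
            continue;
        }
        if (store.Contains(certs[i].Issuer))
        {
            break; // anchored in a local root store
        }
        result = false;
    }
    Console.WriteLine($"This chain is {(result ? "" : "not ")}valid");

    // Subject/Issuer strings are chosen freely by whoever mints a certificate, so the name walk
    // above is diagnostic output only and does not verify any signature. The answer handed back
    // to SslStream follows the platform's verdict.
    // NOTE(review): the original's final return statement is not visible here; confirm that
    // rejecting on any policy error is the intended demo behavior.
    return false;
}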
private static List<X509Certificate2> GetRootCertificates()
var certificates = new List<X509Certificate2>();
new X509Store(StoreName.Root, StoreLocation.LocalMachine),
new X509Store(StoreName.Root, StoreLocation.CurrentUser)
var certCollection = new X509Certificate2Collection();
foreach (var store in stores)
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 x509 in store.Certificates)