
Implementing #EV #X509 parsing in C# (.NET Core)

Security certificates can be DV (Domain Validation), OV (Organisation Validation) or EV (Enhanced Validation).

DV proves that the domain you are visiting is what it says it is, but says nothing about the organisation that runs the domain. It’s perfectly possible for a hacker to legally purchase the domain “Micr0s0ft.com” (note the zero) and get a DV SSL cert for it. The DV cert is not saying that the hacker has any relation to the company “Microsoft Inc”; it’s just saying that the domain has been externally validated to respond to a basic ownership challenge.

OV and EV go a step further: the certificate issuer takes extra manual steps to verify that the domain is owned by a given company, and/or at a particular address.

This level of EV validation is then stored in the Subject line of the certificate, and can be read by all visitors to the site. Browsers will typically highlight the extra level of trust and verification with a green tick in the address bar.

Reading and parsing the Subject line can be done with the C# code in this repo: https://github.com/infiniteloopltd/EvCertParser

The code to get the cert is as follows:

using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public async Task<EvCertificate> Request(string url)
{
	EvCertificate certificate = null;
	var handler = new HttpClientHandler
	{
		UseDefaultCredentials = true,
		// Invoked once the TLS handshake has delivered the server certificate and
		// the chain has been built; returning false makes HttpClient throw.
		ServerCertificateCustomValidationCallback = (sender, cert, chain, error) =>
		{
			if (cert != null)
			{
				// SerializedCert is Windows-only: on Linux/macOS .NET throws
				// PlatformNotSupportedException, so use X509ContentType.Cert (plain DER) there.
				var export = cert.Export(X509ContentType.SerializedCert);
				certificate = new EvCertificate(export);
			}
			// Keep the normal validation result: untrusted, expired or mismatched
			// certificates are still rejected rather than silently accepted.
			return error == SslPolicyErrors.None;
		}
	};
	using var client = new HttpClient(handler);
	using var response = await client.GetAsync(url);
	return certificate;
}

This will throw if the URL is invalid, the server presents no certificate, or the certificate fails validation (the callback returns false, so HttpClient raises an HttpRequestException).
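To show what "reading the Subject line" actually involves, here is an added example that is not code from the EvCertParser repository. It walks the DER-encoded Subject name of an X509Certificate2 with System.Formats.Asn1, pulls out the EV-specific attributes (organisation, business category, registration serial number and the jurisdiction-of-incorporation OIDs defined in the CA/Browser Forum EV Guidelines), and separately checks the certificatePolicies extension for the CA/B Forum EV policy OID 2.23.140.1.1. It assumes .NET 7 or later (for X500DistinguishedNameBuilder); the certificate it inspects is a self-signed sample constructed in the program so it runs offline, and the class and method names are my own.

```csharp
// Added example, not code from the EvCertParser repository. Requires .NET 7+
// (System.Formats.Asn1 and X500DistinguishedNameBuilder). The sample
// certificate is self-signed and constructed here so the program runs offline.
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class EvSubjectParser
{
    // Subject attribute OIDs that the CA/Browser Forum EV Guidelines require.
    public const string JurisdictionLocality = "1.3.6.1.4.1.311.60.2.1.1";
    public const string JurisdictionState    = "1.3.6.1.4.1.311.60.2.1.2";
    public const string JurisdictionCountry  = "1.3.6.1.4.1.311.60.2.1.3";
    public const string BusinessCategory     = "2.5.4.15";
    public const string SerialNumber         = "2.5.4.5";
    public const string OrganizationName     = "2.5.4.10";
    // Policy OID that marks a certificate as issued under the EV Guidelines.
    public const string CabForumEvPolicy     = "2.23.140.1.1";
    private const string CertificatePolicies = "2.5.29.32";

    // Walk the DER Name: SEQUENCE OF SET OF SEQUENCE { type OID, value }.
    public static Dictionary<string, string> ParseSubject(X509Certificate2 cert)
    {
        var attrs = new Dictionary<string, string>();
        var name = new AsnReader(cert.SubjectName.RawData, AsnEncodingRules.DER).ReadSequence();
        while (name.HasData)
        {
            var rdn = name.ReadSetOf();
            while (rdn.HasData)
            {
                var atv = rdn.ReadSequence();
                attrs[atv.ReadObjectIdentifier()] = ReadDirectoryString(atv);
            }
        }
        return attrs;
    }

    // DirectoryString is a CHOICE; the tag says which string encoding was used.
    private static string ReadDirectoryString(AsnReader r)
    {
        var tag = (UniversalTagNumber)r.PeekTag().TagValue;
        // Unexpected encodings are kept as hex instead of failing the whole parse.
        return tag is UniversalTagNumber.PrintableString or UniversalTagNumber.UTF8String
            or UniversalTagNumber.IA5String or UniversalTagNumber.BMPString or UniversalTagNumber.T61String
            ? r.ReadCharacterString(tag)
            : Convert.ToHexString(r.ReadEncodedValue().Span);
    }

    // The fields a browser shows (organisation, jurisdiction, registration number).
    public static bool HasEvSubjectFields(IReadOnlyDictionary<string, string> attrs) =>
        attrs.ContainsKey(OrganizationName) && attrs.ContainsKey(BusinessCategory) &&
        attrs.ContainsKey(SerialNumber) && attrs.ContainsKey(JurisdictionCountry);

    // Subject text can be put in any certificate by whoever issues it; the EV
    // claim itself is carried by the certificatePolicies extension, and only
    // means something when the chain ends at a root the client trusts for EV.
    public static bool HasEvPolicy(X509Certificate2 cert)
    {
        foreach (var ext in cert.Extensions)
        {
            if (ext.Oid?.Value != CertificatePolicies) continue;
            var policies = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
            while (policies.HasData)
            {
                // PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
                var info = policies.ReadSequence();
                if (info.ReadObjectIdentifier() == CabForumEvPolicy) return true;
            }
        }
        return false;
    }

    // Constructed sample: a self-signed certificate carrying EV-style subject
    // fields and the EV policy OID, standing in for a real server certificate.
    public static X509Certificate2 MakeSampleCert()
    {
        var dn = new X500DistinguishedNameBuilder();
        dn.AddCountryOrRegion("IE");
        dn.AddLocalityName("Dublin");
        dn.AddOrganizationName("Example Corp (sample)");
        dn.Add(BusinessCategory, "Private Organization");
        dn.Add(SerialNumber, "000000", UniversalTagNumber.PrintableString);
        dn.Add(JurisdictionCountry, "IE", UniversalTagNumber.PrintableString);
        dn.AddCommonName("www.example.test");
        // certificatePolicies ::= SEQUENCE OF PolicyInformation
        var policy = new AsnWriter(AsnEncodingRules.DER);
        policy.PushSequence(); policy.PushSequence();
        policy.WriteObjectIdentifier(CabForumEvPolicy);
        policy.PopSequence(); policy.PopSequence();
        using var key = RSA.Create(2048);
        var req = new CertificateRequest(dn.Build(), key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509Extension(CertificatePolicies, policy.Encode(), false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        using var cert = MakeSampleCert();
        var attrs = ParseSubject(cert);
        foreach (var kv in attrs) Console.WriteLine($"{kv.Key} = {kv.Value}");
        Console.WriteLine($"EV subject fields: {HasEvSubjectFields(attrs)}");
        Console.WriteLine($"EV policy OID:     {HasEvPolicy(cert)}");
    }
}
```

Run it with dotnet run in a console project targeting net7.0 or later. With a live site, the X509Certificate2 handed to the ServerCertificateCustomValidationCallback above can be passed straight to ParseSubject and HasEvPolicy, with no export step. Note the design split: ParseSubject only reports what the issuer wrote into the Subject, which is display data; HasEvPolicy reads the policy assertion, and neither replaces chain validation, which is why the callback keeps returning error == SslPolicyErrors.None.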
