Client cert from local windows repository?

Jan 5, 2009 at 3:23 AM
Hi Alessandro,

I figured this topic needed it's own thread..

Would it be possible to permit client certificates from the local windows certificate repository? I don't know if it'll work on MONO, but it's critical for me to pull the certificate from windows and not a file. Why? The certificates in use are marked not-for-export of the private key. So, there's assurance the certificate stays with the machine.

I don't know if this is helpful, but I've been using the following code - feed it a certificate subject and returns a certificate object:

   Private Function get_client_cert(ByVal certificate_subject As String)
        If certificate_subject = "" Then
            Return False
        End If
        Dim certificate_store As X509Store = New X509Store(StoreName.My, StoreLocation.LocalMachine)
        Dim certificates As X509Certificate2Collection = certificate_store.Certificates.Find(X509FindType.FindBySubjectName, certificate_subject, True)
        Dim certificate As X509Certificate2 = Nothing
        If certificates.Count < 1 Then
            console.writeline("No matching certificate found!")
            get_client_cert = ""
        End If
        If certificates.Count >= 1 Then
            For i As Int16 = 0 To certificates.Count - 1
                If certificates(i).GetExpirationDateString > Date.UtcNow Then
                    certificate = certificates(i)
                    Exit For
                End If
        End If
        get_client_cert = certificate

        certificate = Nothing
        certificates = Nothing
        certificate_store = Nothing
    End Function

I think it's largely taken from microsoft sample, so i can't take authorship.

You're already using System.Security.Cryptography.X509Certificates, so it should be an easy drop-in.
What do you think?
Thanks in advance!

Jan 6, 2009 at 1:16 AM

thanks for the suggestion, the support form MS certificate stores was excluded due to the lack of compatibility with Mono.

Anyway it is quite useful, as it avoids the need to export certificaes, so the feature will be included in the next release.