CODEWITHSUNDEEP
c#windowssslcryptographyx509certificate
csteinmueller
csteinmueller

Reputation: 2487

Clearly recognize a certificate in Windows certificate store

I'm developing a library which generates XML data and signates the generated XML. I've installed a pkcs12 certificate (generated with OpenSSL from pem file) into the windows certificate store.

I'm loading the certificate from C# code with 

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;

foreach (var item in store.Certificates)
{
    if (item.SubjectName.Name.Contains("CN=IDENTIFIER"))
    {
        cert = item;
        break;
    }
}
store.Close();

In my case the CN identifier is: my prename + surname. The cert comes from a third party. So I think I have no influence on the identifiers.

And here comes the question:

Is there any way to identify exactly this certificate from C#. In future it could be possible, that multiple certificates have the same X509 parameters (CN etc etc).

Thank you in advance.

Upvotes: 4

Views: 2417

Answers (2)

Bruno
Bruno

Reputation: 122659

Expanding on Eugene's answer...

The Certificates property of X509Store is an X509CertificateCollection.

You'll probably be interested in its Find method and the X509FindType. It offers a number of ways to search for a certificate. Strictly speaking, both the subject DN and the subject alternative names should matter to identify the entity associated with a certificate. However, few tools do this from a presentation point of view (this could get quite cluttered in a table for example).

As GregS and Eugene pointed out, the certificate thumbprint (also known as fingerprint/hash in other tools) will identify a specific certificate uniquely, irrespectively of its issuer. It can be used with X509FindType.

Thumbprints are used in multiple places in the Windows/.Net/SSL world. In particular, it's the way to pick a given certificate to install on an HTTPS port.

Upvotes: 4

Eugene Mayevski 'Callback
Eugene Mayevski 'Callback

Reputation: 46050

Yes, it's possible that CN contains the same identifier (eg. when the certificate is issued for business entity).

Certificates are usually distinguished by one of following combinations: 1) Issuer name (not CN, but RDN, complete name record with multiple fields) + certificate serial number (it's unique within one CA) 2) Issuer name + certificate hash

If you don't know the issuer name before searching for the certificate, you can present the list of found certificates to the user and once he select one of certificates, store certificate hash for future reference.

On smaller systems (end-user's computer) the number of certificates in MY store is usually small and the chance of hash collision is minimal. On large systems the chance is higher and that's why Issuer name is used as well.

Upvotes: 4

Related Questions