
Can .NET's X509Store be used to get certificates from remote Linux stores?

I'm writing a service to periodically traverse certificate stores on remote servers in production, for the purpose of tracking certificates used, where, and their expiration dates, in case some were not updated as required.

Traversing the Windows servers works as expected. But I'm not sure what to do with Tomcat stores on (Ubuntu) Linux. Does the X509Store object have the capability to target remote Linux machines? And how do the StoreName and StoreLocation concepts map there? How do I authenticate? I'm assuming it'll want an SSH session to attempt to connect to the stores. Yeah, I don't know where to start.

using System.Security.Cryptography.X509Certificates;
static void ListRemoteStore(string serverName, string storeName)
{
    using (var store = new X509Store($@"\\{serverName}\{storeName}", StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadOnly);
        foreach (var cert in store.Certificates)
        {
            var issuedTo = cert.GetNameInfo(X509NameType.SimpleName, false);
        }
    }
}

No. The X509Store API on Linux tries to emulate the Windows behavior to a local process, but it has no remote capabilities.

On Windows the real implementation of X509Store is the CAPI CertStore* APIs, which have an intrinsic cross-machine communication capability (probably through WinRPC); but they're fundamentally part of the OS.

On Linux the functionality is only provided by the System.Security.Cryptography.X509Certificates library, and so there's nothing at all listening remotely.

On macOS there's probably nothing listening remotely, but the X509Store classes are interpretations and projections of the SecKeychain* and SecTrust* APIs of Security.framework, so there may be some level of remote interaction at the lower level.
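Added example (not part of the question or the answer above): since X509Store cannot reach another host, the workable pattern is to run an inventory job on each Linux server (for example over SSH) and collect its output centrally. The script below does the local half with only the Python standard library: it walks a directory of PEM or DER certificate files and reports subject, issuer, serial and notAfter by decoding the X.509 DER structure directly. The directory name, the file names and the sample certificate are all constructed for the example; the sample carries an all-zero signature so it parses like a real certificate but never verifies. Note that Tomcat's JSSE connectors keep their certificates in JKS or PKCS#12 keystores rather than loose PEM files; those need keytool or openssl pkcs12 to export first, and only the APR/OpenSSL connector reads PEM directly.

```python
"""Inventory X.509 certificates under a directory using only the standard library."""
import base64
import datetime
import os
import re
import sys
import tempfile

OIDS = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value (used only to build the constructed sample)."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, value) for each element inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_oid(value):
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_name(body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string } -> dict."""
    out = {}
    for _, rdn_set in children(body):
        for _, atv in children(rdn_set):
            (_, oid), (_, val) = list(children(atv))[:2]
            key = decode_oid(oid)
            out[OIDS.get(key, key)] = val.decode("utf-8", "replace")
    return out


def decode_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)


def parse_certificate(der):
    """Walk Certificate -> tbsCertificate and pull out the inventory-relevant fields."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:               # [0] EXPLICIT version is optional (absent = v1)
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    (nb_tag, nb), (na_tag, na) = children(validity[1])
    return {"serial": int.from_bytes(serial[1], "big"),
            "issuer": decode_name(issuer[1]), "subject": decode_name(subject[1]),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na)}


def certs_from_file(path):
    """Return the DER blobs in a file: every cert of a PEM bundle, or the raw DER itself."""
    with open(path, "rb") as f:
        data = f.read()
    if b"-----BEGIN CERTIFICATE-----" in data:
        return [base64.b64decode(m) for m in PEM_RE.findall(data.decode("ascii", "replace"))]
    return [data] if data[:1] == b"\x30" else []


def inventory(root, now=None):
    now = now or datetime.datetime.now(datetime.timezone.utc)
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith((".pem", ".crt", ".cer", ".der")):
                continue
            path = os.path.join(dirpath, name)
            for der in certs_from_file(path):
                try:
                    info = parse_certificate(der)
                except (IndexError, ValueError, UnicodeDecodeError):
                    continue                   # not a certificate we can read; skip, do not abort the run
                info.update(path=path, days_left=(info["not_after"] - now).days)
                rows.append(info)
    return rows


# --- constructed sample certificate (assumed names, bogus signature) ---------------------------
OID_CN, OID_O = b"\x55\x04\x03", b"\x55\x04\x0a"
OID_SHA256_RSA, OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"


def _name(cn, org):
    def rdn(oid, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode())))
    return tlv(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def build_sample_certificate():
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 65))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x00\x01") + sig_alg
              + _name("Example Internal CA", "Example Corp")
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"260630235959Z"))
              + _name("tomcat01.example.internal", "Example Corp") + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 65))


def demo():
    """Write the sample as PEM and DER into a temp directory and inventory it."""
    root = tempfile.mkdtemp(prefix="certinv-")
    der = build_sample_certificate()
    with open(os.path.join(root, "tomcat01.pem"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n")
    with open(os.path.join(root, "tomcat01.der"), "wb") as f:
        f.write(der)
    return inventory(root)


if __name__ == "__main__":
    for row in inventory(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{row['path']}: CN={row['subject'].get('CN')} expires {row['not_after']:%Y-%m-%d} ({row['days_left']} days)")
```

Run it as `python3 certinv.py /etc/ssl/certs` on each host (or with no argument to see the constructed sample) and have the collector parse the output; the expiry check is deliberately computed against a timezone-aware UTC clock so results from hosts in different timezones compare cleanly.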
