
Clearly recognize a certificate in Windows certificate store

I'm developing a library which generates XML data and signs the generated XML. I've installed a PKCS#12 certificate (generated with OpenSSL from a PEM file) into the Windows certificate store.

I'm loading the certificate from C# code with

using System.Security.Cryptography.X509Certificates;

// Open the current user's personal ("My") store read-only.
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = null;

// Pick the first certificate whose subject DN contains the expected CN.
foreach (X509Certificate2 item in store.Certificates)
{
    if (item.SubjectName.Name.Contains("CN=IDENTIFIER"))
    {
        cert = item;
        break;
    }
}
store.Close();

In my case the CN identifier is: my first name + surname. The cert comes from a third party, so I think I have no influence on the identifiers.

And here comes the question:

Is there any way to identify exactly this certificate from C#? In the future it could be possible that multiple certificates have the same X509 parameters (CN etc.).

Thank you in advance.

Yes, it's possible that CN contains the same identifier (e.g. when the certificate is issued for a business entity).

Certificates are usually distinguished by one of the following combinations:

1) Issuer name (not CN, but the RDN, i.e. the complete name record with multiple fields) + certificate serial number (it's unique within one CA)

2) Issuer name + certificate hash

If you don't know the issuer name before searching for the certificate, you can present the list of found certificates to the user and, once he selects one of the certificates, store the certificate hash for future reference.

On smaller systems (end-user's computer) the number of certificates in MY store is usually small and the chance of hash collision is minimal. On large systems the chance is higher and that's why Issuer name is used as well.

Expanding on Eugene's answer...

The Certificates property of X509Store is an X509CertificateCollection.

You'll probably be interested in its Find method and the X509FindType. It offers a number of ways to search for a certificate. Strictly speaking, both the subject DN and the subject alternative names should matter to identify the entity associated with a certificate. However, few tools do this from a presentation point of view (this could get quite cluttered in a table, for example).

As GregS and Eugene pointed out, the certificate thumbprint (also known as fingerprint/hash in other tools) will identify a specific certificate uniquely, irrespective of its issuer. It can be used with X509FindType.

Thumbprints are used in multiple places in the Windows/.Net/SSL world. In particular, it's the way to pick a given certificate to install on an HTTPS port.
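The two lookups the answers describe (thumbprint, and issuer DN + serial number as the fallback Eugene mentions), written out as an added example that is not code from the question or either answer. It uses the real X509Store/X509FindType API; the thumbprint, issuer DN and serial number in Main are placeholders, and the helper names (CertLocator, NormalizeThumbprint, FindByThumbprint, FindByIssuerAndSerial) are this example's own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example: locate exactly one certificate in CurrentUser\My.
// The thumbprint/issuer/serial values below are placeholders, not real data.
static class CertLocator
{
    // Thumbprints copied from certmgr.msc or PowerShell often carry spaces and an
    // invisible left-to-right mark; keep only hex digits so Find() does not silently miss.
    public static string NormalizeThumbprint(string thumbprint)
    {
        char[] hexOnly = thumbprint.Where(c => Uri.IsHexDigit(c)).ToArray();
        return new string(hexOnly).ToUpperInvariant();
    }

    // The thumbprint is the SHA-1 hash of the DER encoding, so it names one
    // specific certificate regardless of issuer or subject. validOnly=true also
    // drops certificates whose chain does not validate on this machine, which is
    // why a self-signed test cert may return nothing unless you pass false.
    public static X509Certificate2 FindByThumbprint(string thumbprint, bool validOnly)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormalizeThumbprint(thumbprint), validOnly);
            if (matches.Count == 0) return null;
            if (matches.Count > 1)
                throw new InvalidOperationException(
                    string.Format("{0} certificates share thumbprint {1}", matches.Count, thumbprint));
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Serial numbers are unique only within one CA, so narrow by the full issuer DN
    // first (not just its CN), then by serial. The serial is hex without spaces.
    public static X509Certificate2 FindByIssuerAndSerial(string issuerDn, string serialHex, bool validOnly)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection byIssuer = store.Certificates.Find(
                X509FindType.FindByIssuerDistinguishedName, issuerDn, validOnly);
            X509Certificate2Collection bySerial = byIssuer.Find(
                X509FindType.FindBySerialNumber, serialHex.Replace(" ", ""), validOnly);
            return bySerial.Count == 1 ? bySerial[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // Placeholder values: replace with the thumbprint shown in certmgr.msc for your cert.
        string thumbprint = "‎00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33";
        X509Certificate2 cert = FindByThumbprint(thumbprint, validOnly: false);

        if (cert == null)
        {
            // Fallback: issuer DN + serial, as recorded when the user picked the cert.
            cert = FindByIssuerAndSerial(
                "CN=Placeholder Issuing CA, O=Placeholder Org, C=XX", "0123456789ABCDEF", false);
        }

        if (cert == null)
        {
            Console.WriteLine("Certificate not found in CurrentUser\\My.");
            return;
        }

        // For XML signing the private key must be present; a public-only cert will not do.
        Console.WriteLine("Found: {0}", cert.Subject);
        Console.WriteLine("Thumbprint: {0}", cert.Thumbprint);
        Console.WriteLine("Has private key: {0}", cert.HasPrivateKey);
    }
}
```

Persist cert.Thumbprint (or Issuer + SerialNumber) once the user has chosen a certificate and look it up by that on later runs; storing the subject CN alone is what leads to the ambiguity the question asks about.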
