How to read X509 certificates in C#

This ASP.NET Security tutorial explains how to read X509 certificates in C#.

X509 certificates play an important role in the world of the Web, because they establish SSL communication and perform certificate authentication to secure traffic between the web server and its clients. Our site provides more details in the articles How does Secure Sockets Layer (SSL) technology workHow do certificates work and  How does SSL work with asymmetric encryption.

For simple SSL connection, you don’t need access to certificates store. When you have to call web services or web applications in your code hosted on a different server that requires you to authenticate with an X509 certificate, application has to read the certificate from the Windows certificate store and then add the certificate to the web request (or the web service proxy) before actually sending the request. The System.Security.Cryptography.X509Certificates namespace includes several classes which cover this need. They are:

 

Class name

Description

X509Certificate

This class encapsulate X509 certificates and allow you to load certificates from various stores such as the file system and give you access to the properties of a certificate. The X509Certificate class is the one provided originally with the very first versions of the .NET Framework. The X509Certificate2 is an extension to the X509Certificate class and includes a number of additional methods and properties.

X509Certificate2

The X509Certificate2 is an extension to the X509Certificate class and includes a number of additional methods and properties.

X509Store

This class gives you access to the Windows certificate storage, which is a special storage area where Windows stores all certificates. For every user, Windows creates such a store (accessible through StoreLocation.CurrentUser), and for the machine it manages exactly one store StoreLocation.LocalMachine). User storages are accessible only for the users they are created for, while the machine store stores certificates that are accessible for all users working with a machine.

X509CertificateCollection

This simple class representing a collection of X509Certificate and X509Certificate2 instances that represent single certificates.

The X509Store allows you to retrieve either a list of certificates or single certificates based on one of their unique identifiers (such as the certificate’s subject key, subject name, or hash).

 

The next code lines show how you can read a certificate from the store and assign it to a web request in your application:

 

 

X509Certificate2 Certificate = null;

// Read the certificate from the store

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

store.Open(OpenFlags.ReadOnly);

try

{

// Try to find the certificate

// based on its common name

X509Certificate2Collection Results =

store.Certificates.Find(

X509FindType.FindBySubjectDistinguishedName,

“CN=Tom, CN=Clancy”, false);

if (Results.Count == 0)

throw new Exception(“Unable to find certificate!”);

else

Certificate = Results[0];

}

finally

{

store.Close();

}

 

This code opens the personal certificate store of the local machine by using the X509Store class. It then tries to find a certificate with the subject name “CN=Tom, CN=Clancy” in this store. The syntax used here is the common name syntax that you probably know from LDAP directory systems as well.