Re: How to programmatically retrieve certificate from system key store
From: Michel Gallant (MVP) (neutron_at_istar.ca)
Date: 04/25/03
- Previous message: Sean: "Re: User Machine"
- In reply to: Mart: "How to programmatically retrieve certificate from system key store"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 25 Apr 2003 17:28:37 -0400
Currently .net framework does not provide good support for
instantiating certs from system stores.
You can do this using P/Invoke and capi functions, or even simpler,
invoking COM interop with CAPICOM (which is a COM wrapper
on capi).
[The IntPtr handle is a certificate context which you can get via capi
fns quite easily.]
I'll be posting a few samples on this in a day or so.
- Mitch
"Mart" <mart1041.nospam@yahoo.com.au> wrote in message
news:uWUzzBvCDHA.2412@TK2MSFTNGP10.phx.gbl...
> Please someone correct me if any of these assumptions are false:
>
> When using client authenticated web services in a .NET client, the API
> requires you to add the required certificate to the ClientCertificates
> property of the web service class.
> Because a certificate doesn't actually contain a private key, which is
> required for SSL authentication, the specified certificate must already be
> installed in the system key store (i.e. Internet Explorer), with its
> corresponding private key.
> The API then finds the private key by looking up the certificate you
> specified in the system key store.
>
> The certificates are of the type X509Certificate, and the only methods
> available in the X509Certificate class for creating these objects are from a
> file, byte array, or an IntPtr handle.
> This means that in order to use a private key already installed in IE, I
> have to manually export its certificate to a file, which can then be read by
> the client program.
>
> My question is this:
> How do I get an IntPtr handle which directly points to a certificate in the
> system key store? This would avoid the need to export the certificate file.
>
> The bigger question is why the API was designed this way to start with. Why
> doesn't it allow you to:
> a) Specify simply the name of a certificate which is installed in the
> system key store. It has to be there anyway because its private key needs
> to be looked up
> b) Specify a PKCS#12 file, so that the private key and certificate can be
> retrieved from the file without it having to be installed in the system key
> store.
>
> I assume there must be an error in my assumptions somewhere, because I can't
> believe the API would have such an obvious omission.
>
> Thanks for any help
> Martin Jericho
>