micahhoover - 3 months ago
C# Question

filtering client certificates like browser

I have a smart card reader. When I attempt to visit a website that accepts client certificates, the browser gives me a list of 2 or 3 client certificates.

All of these certificate options are closely related to cards that have been used from my machine.

When I try to access these options via the X509Store class in .NET, I get back 256 options. That is too many for the user to sort through!

X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);


Most of the certificates the user should NOT pick start with an asterisk, so I can easily filter out 80% or so. For example:


*.amazonaws.com
*.slashdotmedia.com
*.msedge.net


My question is: how can I narrow the options down to a manageable level like my browser (Chrome) does, but from .NET?

Answer

First of all: open the certificate store as read-only:

store.Open(OpenFlags.ReadOnly);

Next, you have to filter by application policy = client authentication:

var certs = store.Certificates.Find(X509FindType.FindByApplicationPolicy, "1.3.6.1.5.5.7.3.2", true);

The certs variable will store only valid certificates (trusted, non-revoked, time-valid, etc.) which are suitable for client authentication.

When done, close the store:

store.Close();
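Putting the answer's steps together as one runnable listing (an added example, not the answerer's code): the store is opened read-only, filtered by the client-authentication EKU OID from the answer, and then, as an extra step the answer does not mention, reduced to certificates for which a private key is available, since a certificate without a usable key can never be presented for TLS client authentication. The class name, the method name and the `validOnly` parameter are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original answer): enumerate the certificates a
// browser would typically offer for TLS client authentication from the user's
// personal ("MY") store.
public static class ClientCertificateFilter
{
    // OID of the "Client Authentication" extended key usage (id-kp-clientAuth),
    // the same value the answer passes to Find().
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    public static List<X509Certificate2> GetClientAuthCertificates(bool validOnly = true)
    {
        // Read-only access is all enumeration needs; ReadWrite is unnecessary
        // and fails for accounts that cannot modify the store.
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // Keep only certificates whose EKU contains client authentication.
            // With validOnly == true, Find() also builds a chain for each hit and
            // drops expired, revoked or untrusted certificates; this is what
            // removes most of the server certificates (the "*.example" entries).
            X509Certificate2Collection byPolicy = store.Certificates.Find(
                X509FindType.FindByApplicationPolicy, ClientAuthOid, validOnly);

            // Only certificates with an associated private key can actually be used
            // to authenticate; for a smart card this is the key container that the
            // card's CSP/KSP registered when the card was first used on this machine.
            return byPolicy.Cast<X509Certificate2>()
                           .Where(c => c.HasPrivateKey)
                           .OrderBy(c => c.GetNameInfo(X509NameType.SimpleName, false))
                           .ToList();
        }
    }

    public static void Main()
    {
        foreach (X509Certificate2 cert in GetClientAuthCertificates())
        {
            Console.WriteLine("{0}  (issued by {1}, expires {2:yyyy-MM-dd})",
                cert.GetNameInfo(X509NameType.SimpleName, false),
                cert.GetNameInfo(X509NameType.SimpleName, true),
                cert.NotAfter);
        }
    }
}
```

One caveat worth knowing when `validOnly` is true: chain building consults revocation information, so on a machine that is offline or behind a proxy a perfectly good smart-card certificate can be dropped because its CRL or OCSP responder is unreachable. If the list comes back empty unexpectedly, call the method with `validOnly: false` and inspect the chain status of each candidate with `X509Chain` to see which check is failing.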