Using the System.Security.Cryptography.X509Certificates Namespace


The System.Security.Cryptography.X509Certificates namespace is especially important because it provides the classes you use to work with these digital signatures. Many developers know the X.509 certificate by another name, the Public Key Infrastructure (PKI). You can learn more about the relationship between these two terms and obtain a list of associated standards at the Internet Engineering Task Force (IETF) site at http://www.ietf.org/html.charters/pkix-charter.html.

Note

The standard lists this certificate type as X.509 (with the period between the X and the 5). The .NET Framework leaves the period out, so it shows up as X509. Make sure you keep the two representations separate.

Whenever you get a certificate from a third party or generate one using a local server (see the “Getting Your Own Certificate” section for details), the resulting certificate is an X.509 certificate. However, not all X.509 certificates are created alike. The certificate still isn’t quite standardized, so a certificate that works fine in some places may not work everywhere.

Double-click on a CRT (certificate) file and you’ll see a General tab that contains information about the issuer and recipient of the certificate, along with the dates between which the certificate is valid. This tab also contains an Install Certificate button you can use to install the certificate on your machine. The Details tab shown in Figure 7.11 is the one that you’re interested in as a developer. Notice that this tab lists the specifics of the certificate, including the all-important Version field (highlighted in the figure). To use a certificate with .NET, it must be version 3 or above.

Figure 7.11: The Details tab of the Certificate dialog box provides interesting facts about the certificate and its origin.

Click the Copy to File button shown in Figure 7.11 and you’ll see a Certificate Export Wizard dialog box. If you want to use an exported certificate in a Visual Studio .NET program, you must export it using the DER Encoded Binary X.509 (.CER) option or the certificate will fail to load. The example shown in Listing 7.7 assumes that you’ve created a certificate and exported it as a Distinguished Encoding Rules (DER) encoded binary. I’ve included a sample certificate with the source code for this chapter. You’ll find this example in the \Chapter 07\C#\X509Cert and \Chapter 07\VB\X509Cert folders of the source code located on the Sybex Web site.

Listing 7.7 Reading an X.509 Certificate

```csharp
private void btnTest_Click(object sender, System.EventArgs e)
{
   String            CertPath;   // Certificate path.
   X509Certificate   MyCert;     // The certificate.
   StringBuilder     CertData;   // Certificate information to display.

   // Create the certificate path string.
   CertPath = Application.ExecutablePath;
   CertPath = CertPath.Substring(0, CertPath.LastIndexOf(@"\") + 1)
              + "MyCertificate.CER";

   // Load the certificate.
   MyCert = X509Certificate.CreateFromCertFile(CertPath);

   // Get the certificate information.
   CertData = new StringBuilder();
   CertData.Append("Issuer Name: ");
   CertData.Append(MyCert.GetIssuerName());
   CertData.Append("\r\nName: ");
   CertData.Append(MyCert.GetName());
   CertData.Append("\r\nEffective Date: ");
   CertData.Append(MyCert.GetEffectiveDateString());
   CertData.Append("\r\nExpiration Date: ");
   CertData.Append(MyCert.GetExpirationDateString());
   CertData.Append("\r\nHash: ");
   CertData.Append(MyCert.GetCertHashString());
   CertData.Append("\r\nFormat: ");
   CertData.Append(MyCert.GetFormat());
   CertData.Append("\r\nKey Algorithm: ");
   CertData.Append(MyCert.GetKeyAlgorithm());
   CertData.Append("\r\nKey Algorithm Parameters: ");
   CertData.Append(MyCert.GetKeyAlgorithmParametersString());
   CertData.Append("\r\nPublic Key String: ");
   CertData.Append(MyCert.GetPublicKeyString());
   CertData.Append("\r\nSerial Number: ");
   CertData.Append(MyCert.GetSerialNumberString());

   // Display the information on screen.
   MessageBox.Show(CertData.ToString(), "Sample Certificate Data",
                   MessageBoxButtons.OK, MessageBoxIcon.Information);
}
```

As you can see, the .NET Framework provides a wealth of information about the X.509 certificates. You can load either a DER encoded file using the CreateFromCertFile() method or a signed file using the CreateFromSignedFile() method. Once you load a certificate, you can use any of the methods shown to determine facts about the certificate, such as its expiration date.
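The following is an added example, not part of the book's sample code, that extends Listing 7.7 in two ways a practitioner usually needs: it accepts a certificate exported as either DER or Base64 (the Base64 export is just the DER bytes inside BEGIN/END armor, so it is decoded before loading), and it checks what the chapter only reads out (version 3 or above, the validity window) and then builds the trust chain, because listing a certificate's fields says nothing about whether it is trusted. It assumes the X509Certificate2 and X509Chain classes, which were added to the namespace in .NET 2.0 (after this book's framework version); the class name CertInspector and the file path passed to Inspect() are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper class; not from the book's sample code.
static class CertInspector
{
    // Turn either export format into DER bytes. Raw DER starts with an ASN.1
    // SEQUENCE tag (0x30); a Base64 export is the same bytes inside PEM armor.
    public static byte[] ToDer(byte[] fileBytes)
    {
        if (fileBytes.Length > 0 && fileBytes[0] == 0x30)
            return fileBytes;                        // already DER
        string text = Encoding.ASCII.GetString(fileBytes);
        const string head = "-----BEGIN CERTIFICATE-----";
        const string tail = "-----END CERTIFICATE-----";
        int start = text.IndexOf(head, StringComparison.Ordinal);
        int end = text.IndexOf(tail, StringComparison.Ordinal);
        if (start < 0 || end < 0)
            throw new FormatException("Not a DER or Base64 X.509 certificate file.");
        start += head.Length;
        return Convert.FromBase64String(text.Substring(start, end - start));
    }

    // Load the certificate and apply the checks the chapter calls for:
    // version 3 or above and a validity window that includes "now".
    public static string Inspect(string path)
    {
        var cert = new X509Certificate2(ToDer(File.ReadAllBytes(path)));
        DateTime now = DateTime.Now;
        var sb = new StringBuilder();
        sb.AppendLine("Subject: " + cert.Subject);
        sb.AppendLine("Issuer:  " + cert.Issuer);
        sb.AppendLine("Version: " + cert.Version +
            (cert.Version >= 3 ? " (ok)" : " (below 3: unusable with .NET)"));
        sb.AppendLine("Valid:   " + cert.NotBefore + " to " + cert.NotAfter +
            (now >= cert.NotBefore && now <= cert.NotAfter ? " (current)" : " (NOT current)"));
        sb.AppendLine("Thumbprint (SHA-1): " + cert.Thumbprint);
        // Field values alone do not establish trust: build the chain so an expired,
        // revoked or untrusted-issuer certificate is flagged as well.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            sb.AppendLine("Chain trusted: " + chain.Build(cert));
            foreach (X509ChainStatus s in chain.ChainStatus)
                sb.AppendLine("  " + s.Status + ": " + s.StatusInformation.Trim());
        }
        return sb.ToString();
    }
}
```

Call CertInspector.Inspect(@"C:\path\to\MyCertificate.CER") from a button handler or console Main; with RevocationMode set to Online the chain build needs network access to the issuer's CRL or OCSP endpoint, so use X509RevocationMode.NoCheck for an offline test and expect a RevocationStatusUnknown status otherwise.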

The .NET Framework also makes an X509CertificateCollection class available. This class lets you work with certificates in the local machine store. You can list the existing certificates, delete old certificates, or add new certificates. None of the existing classes lets you work with other machines. For example, you couldn’t easily build a program to add certificates to a remote machine.

.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168