Use Windows Store for certificate management

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

ArnaudDebaene
Jr. Member
Posts: 1
Joined: 16 Dec 2020, 15:59

Use Windows Store for certificate management

Post by ArnaudDebaene »

Hello,

My scenario is developing an OPC UA server application.

According to documentation, the .NET Server SDK uses its own, directory based, repository for certificates management (with subdirectories "issuers", "own", "rejected", "trusted").

Is there a way to use the Windows certificate store (either User or Machine) instead of this directory mechanism?

More specifically, is it possible that the SDK uses the "Root Authorities Certificates" sub-store to validate incoming client certificates (apart from the obvious but manual and tedious solution to export all these CA certificates as .der files)?
Reason is that administrators want to have a centralized mechanism to manage PKI infrastructure, and do not want to have separate mechanisms for each application that uses PKI.

Concerning the server's own certificate, I found ApplicationInstanceBase.ChangeCertificate, which allows setting a certificate that is read from the Windows store. Is that the correct way to do it?

Thanks.

Unknown User
Jr. Member
Posts: 4
Joined: 05 Jul 2021, 16:44

Re: Use Windows Store for certificate management

Post by Unknown User »

Hi,

I am also very interested in this topic.

Mainly I have 2 questions:

1) How do I manage to use a certificate from a Windows certificate store (X509Certificate2 from System.Security.Cryptography.X509Certificates) as the local application instance certificate?
I know the SecurityUtils.LoadCertificate method should be used for accomplishing this task and while I am able to create an ICertificate object with it, the Certificate does not include the private key, even though the original certificate it was loaded from has it.
I tried to add the private key after creation by setting the InternalCertificate.PrivateKey property, but I always get "ERROR: Operation is not supported on this platform." when trying to do this.
How do I solve this problem?

2) Is there a way to directly use a Windows certificate store as e.g. the server's TrustedCertificateStore? If so, how can I accomplish this?
If not, what is the next best way? I was thinking of using the UntrustedCertificateEventHandler and manually looking for the provided certificate in the Windows certificate store. Is there an easier way?

Would really appreciate a response.

Best regards,
Stefan
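Added example, not code from the SDK or from either post: using only System.Security.Cryptography.X509Certificates, it loads the server's own certificate from the Windows store and fails early if the private key is not accessible, and it validates a client's DER-encoded certificate against the Windows trust stores with an X509Chain, which is the check one would run inside the UntrustedCertificateEventHandler mentioned above. The thumbprint, the store location and how the boolean result is handed back to the SDK handler are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class WindowsStoreCertificates
{
    // Load the server's own certificate from the Windows "Personal" (My) store.
    // Thumbprint and store location are illustrative assumptions.
    public static X509Certificate2 LoadOwnCertificate(string thumbprint,
        StoreLocation location = StoreLocation.LocalMachine)
    {
        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        // validOnly:false so an expired or not-yet-trusted cert is still found and reported.
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Certificate not found in " + location + "\\My");
        var cert = matches[0];
        // An application instance certificate must be able to sign; check this up front.
        // If the key is missing, fix the key's ACL / import it with a private key; on .NET Core
        // a key is attached with cert.CopyWithPrivateKey(rsa), not by assigning PrivateKey.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Private key is not accessible for " + thumbprint);
        return cert;
    }

    // Decide whether a certificate presented by a client chains to a CA that the
    // Windows Root / Intermediate CA stores trust. This is only the trust decision;
    // the OPC UA application URI and usage checks still have to be done by the SDK.
    public static bool IsTrustedByWindowsStore(byte[] derEncodedCert, out string reason)
    {
        var cert = new X509Certificate2(derEncodedCert);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // Offline/NoCheck if no CRL access
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        bool ok = chain.Build(cert);
        reason = ok
            ? "valid chain to a trusted root"
            : string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
        return ok;
    }
}
```

Note that self-signed OPC UA application certificates do not chain to any CA, so this check rejects them unless each one is explicitly installed in the trusted root store (or, on .NET 5+, supplied via ChainPolicy.CustomTrustStore with TrustMode = CustomRootTrust).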
