
X509 certificates

Certificates are used in TLS/SSL to validate a server in order to make sure you are connecting to the right one. Certificates can be used for client authentication as well. For more information, read our Introduction to Public Key Certificates.

Rebex FTP/SSL has its own Certificate class for working with X509 v3 certificates. It provides the following operations:

Loading certificates

A certificate can be loaded from:

  • PKCS #12 (.p7b) and PFX (.pfx) files. These usually contain a private key.
  • DER files (.der/.cer), either binary or Base64-encoded. The private key can be loaded from an external key file.

CSharp

// load a certificate with private key from a PFX file
var cert1 = Certificate.LoadPfx(pfxPath, pfxPassword);

// load a certificate without a private key from a DER file
var cert2 = Certificate.LoadDer(derPath);

// load a certificate from a DER file and a private key from a key file
var cert3 = Certificate.LoadDerWithKey(derPath, keyPath, keyPassword);

VisualBasic

' load a certificate with private key from a PFX file
Dim cert1 = Certificate.LoadPfx(pfxPath, pfxPassword)

' load a certificate without a private key from a DER file
Dim cert2 = Certificate.LoadDer(derPath)

' load a certificate from a DER file and a private key from a key file
Dim cert3 = Certificate.LoadDerWithKey(derPath, keyPath, keyPassword)

Saving certificates

A certificate can be saved either to a PKCS #12 or PFX file or to a DER file.
A certificate's private key (if exportable) can be saved either as part of a PFX file or separately in PKCS #8, PuTTY or OpenSSH format.

CSharp

// save a certificate with private key to a PFX file
cert.Save(@"c:\MyData\cert.pfx", CertificateFormat.Pfx, "password");

// save a certificate to a DER file
cert.Save(@"c:\MyData\cert.der", CertificateFormat.Der);

// save certificate's private key to a base-64 encoded PKCS #8 file
cert.SavePrivateKey(@"c:\MyData\cert.key", "password", PrivateKeyFormat.Base64Pkcs8, true);

VisualBasic

' save a certificate with private key to a PFX file
cert.Save("c:\MyData\cert.pfx", CertificateFormat.Pfx, "password")

' save a certificate to a DER file
cert.Save("c:\MyData\cert.der", CertificateFormat.Der)

' save certificate's private key to a base-64 encoded PKCS #8 file
cert.SavePrivateKey("c:\MyData\cert.key", "password", PrivateKeyFormat.Base64Pkcs8, True)

Validating certificates

To check whether a certificate is valid and trusted by the Windows certificate infrastructure, use the Certificate.Validate method.

CSharp

// validate a certificate
var res1 = cert.Validate();
if (!res1.Valid)
    Console.Write("Validation failed: {0} (error {1}).", res1.Status, res1.NativeErrorCode);

// validate a server certificate for 'serverName',
// skip revocation check and don't care if it's expired or not valid yet
var res2 = cert.Validate(serverName,
    ValidationOptions.SkipRevocationCheck |
    ValidationOptions.IgnoreTimeNotValid);
if (!res2.Valid)
    Console.Write("Validation failed: {0} (error {1}).", res2.Status, res2.NativeErrorCode);

VisualBasic

' validate a certificate
Dim res1 = cert.Validate()
If Not res1.Valid Then
    Console.Write("Validation failed: {0} (error {1}).", res1.Status, res1.NativeErrorCode)
End If

' validate a server certificate for 'serverName',
' skip revocation check and don't care if it's expired or not valid yet
Dim res2 = cert.Validate(serverName, _
        ValidationOptions.SkipRevocationCheck Or _
        ValidationOptions.IgnoreTimeNotValid)
If Not res2.Valid Then
    Console.Write("Validation failed: {0} (error {1}).", res2.Status, res2.NativeErrorCode)
End If

Legacy Windows CE platforms don't natively support certificates signed using algorithms based on SHA-2 hashes. As a workaround for this major OS limitation, we introduced a built-in certificate validator in the 2016 R3 release.
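
The following sketch is an added example, not part of Rebex's own documentation: it validates strictly first and uses the relaxed options shown above only to explain a failure, never to accept the certificate. The names CertificateCheck and IsAcceptable are hypothetical, and it assumes ValidationOptions.None requests validation with no checks relaxed.

```csharp
using System;
using Rebex.Security.Certificates;

// Added example (hypothetical helper): fail closed, and use the relaxed
// options only as a diagnostic to see which checks were responsible.
static class CertificateCheck
{
    // Returns true only if the certificate passes full validation for serverName.
    public static bool IsAcceptable(Certificate cert, string serverName)
    {
        // Strict pass: revocation and validity period are both checked.
        // Assumption: ValidationOptions.None relaxes nothing.
        ValidationResult strict = cert.Validate(serverName, ValidationOptions.None);
        if (strict.Valid)
            return true;

        Console.WriteLine("Strict validation failed: {0} (error {1}).",
            strict.Status, strict.NativeErrorCode);

        // Diagnostic pass with the relaxed options from the sample above.
        // Its result is only reported, never used to accept the certificate.
        ValidationResult relaxed = cert.Validate(serverName,
            ValidationOptions.SkipRevocationCheck |
            ValidationOptions.IgnoreTimeNotValid);

        if (relaxed.Valid)
        {
            // The chain and server name are fine; the failure came from the
            // revocation check or the validity period (expired / not yet valid).
            Console.WriteLine("Failure is limited to revocation or validity period.");
        }
        else
        {
            // Something else is wrong as well (for example an untrusted root
            // or a name mismatch); the status flags say what.
            Console.WriteLine("Still failing with relaxed options: {0} (error {1}).",
                relaxed.Status, relaxed.NativeErrorCode);
        }

        return false; // never accept on the strength of the relaxed result
    }
}
```

Logging both results separates a certificate that has simply expired or whose revocation status could not be confirmed from one whose chain or name is wrong, without the relaxed options ever deciding trust.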

Windows certificate store management

Microsoft Windows provides system-wide storage for X509 certificates and private keys. The storage is used by applications such as Internet Explorer, Google Chrome, Microsoft Outlook or Windows Live Mail.

The Windows certificate store can be managed using the Rebex FTP/SSL CertificateStore class:

Manage personal certificate store

CSharp

// load a certificate from file
var cert = Certificate.LoadPfx(certPath, certPassword, KeySetOptions.Exportable);

// add the certificate to the "Personal Certificates" store
var store = new CertificateStore(CertificateStoreName.My);
store.AddCertificate(cert);

// find all not-expired certificates from issuer named "TestCA"
var dn = new DistinguishedName("CN=TestCA, O=Rebex, C=CZ");
var found = store.FindCertificates(dn, CertificateFindOptions.IsTimeValid);
Console.WriteLine("{0} certificates found.", found.Length);

// remove the certificate from store
store.Remove(cert);

VisualBasic

' load a certificate from file
Dim cert = Certificate.LoadPfx(certPath, certPassword, KeySetOptions.Exportable)

' add the certificate to the "Personal Certificates" store
Dim store = New CertificateStore(CertificateStoreName.My)
store.AddCertificate(cert)

' find all not-expired certificates from issuer named "TestCA"
Dim dn = New DistinguishedName("CN=TestCA, O=Rebex, C=CZ")
Dim found = store.FindCertificates(dn, CertificateFindOptions.IsTimeValid)
Console.WriteLine("{0} certificates found.", found.Length)

' remove the certificate from store
store.Remove(cert)

Add a certificate to trusted root certification authorities store

CSharp

// load a certificate from file
var cert = Certificate.LoadDer(certPath);

// add the certificate to the "Trusted Root Certificates" store
var store = new CertificateStore(CertificateStoreName.Root);
store.AddCertificate(cert);

VisualBasic

' load a certificate from file
Dim cert = Certificate.LoadDer(certPath)

' add the certificate to the "Trusted Root Certificates" store
Dim store = New CertificateStore(CertificateStoreName.Root)
store.AddCertificate(cert)

Tip: To manage the Windows certificate store, you can use Internet Explorer (Tools / Internet options / Certificates) or the "Certificates" MMC snap-in.