Rebex File Transfer Pack

SFTP/FTP client, SFTP/SSH server libraries for .NET

X.509 certificates

Certificates are used in TLS/SSL to validate a server in order to make sure you are connecting to the right one. Certificates can be used for client authentication as well. For more information, read our Introduction to Public Key Certificates.

Rebex File Transfer Pack has its own Certificate class for working with X.509 v3 certificates. It provides the following operations:

Loading certificates 

A certificate can be loaded from:

  • PKCS #12 (.p7b) and PFX (.pfx) files. These usually contain a private key.
  • DER files (.der/.cer), either binary or Base64-encoded. The private key can be loaded from an external key file.

// load a certificate with private key from a PFX file
var cert1 = Certificate.LoadPfx(pfxPath, pfxPassword);

// load a certificate without a private key from a DER file
var cert2 = Certificate.LoadDer(derPath);

// load a certificate from a DER file and a private key from a key file
var cert3 = Certificate.LoadDerWithKey(derPath, keyPath, keyPassword);

' load a certificate with private key from a PFX file
Dim cert1 = Certificate.LoadPfx(pfxPath, pfxPassword)

' load a certificate without a private key from a DER file
Dim cert2 = Certificate.LoadDer(derPath)

' load a certificate from a DER file and a private key from a key file
Dim cert3 = Certificate.LoadDerWithKey(derPath, keyPath, keyPassword)

Saving certificates 

A certificate can be saved either to a PKCS #12 or PFX file or to a DER file.
A certificate's private key (if exportable) can be saved either as part of a PFX file or separately in PKCS #8, PuTTY or OpenSSH format.

// save a certificate with private key to a PFX file
cert.Save(@"c:\MyData\cert.pfx", CertificateFormat.Pfx, "password");

// save a certificate to a DER file
cert.Save(@"c:\MyData\cert.der", CertificateFormat.Der);

// save certificate's private key to a base-64 encoded PKCS #8 file
cert.SavePrivateKey(@"c:\MyData\cert.key", "password", PrivateKeyFormat.Base64Pkcs8, true);

' save a certificate with private key to a PFX file
cert.Save("c:\MyData\cert.pfx", CertificateFormat.Pfx, "password")

' save a certificate to a DER file
cert.Save("c:\MyData\cert.der", CertificateFormat.Der)

' save certificate's private key to a base-64 encoded PKCS #8 file
cert.SavePrivateKey("c:\MyData\cert.key", "password", PrivateKeyFormat.Base64Pkcs8, True)

Validating certificates 

To check whether a certificate is valid and trusted by the Windows certificate infrastructure, use the Certificate.Validate method.

Legacy Windows CE platforms don't natively support certificates signed using algorithms based on SHA-2 hashes. As a workaround for this major OS limitation, we introduced a built-in certificate validator in the 2016 R3 release.

// validate a certificate
var res1 = cert.Validate();
if (!res1.Valid)
    Console.Write("Validation failed: {0} (error {1}).", res1.Status, res1.NativeErrorCode);

// validate a server certificate for 'serverName',
// skip revocation check and don't care if it's expired or not valid yet
var res2 = cert.Validate(serverName,
    ValidationOptions.SkipRevocationCheck |
    ValidationOptions.IgnoreTimeNotValid);
if (!res2.Valid)
    Console.Write("Validation failed: {0} (error {1}).", res2.Status, res2.NativeErrorCode);

' validate a certificate
Dim res1 = cert.Validate()
If Not res1.Valid Then
    Console.Write("Validation failed: {0} (error {1}).", res1.Status, res1.NativeErrorCode)
End If

' validate a server certificate for 'serverName',
' skip revocation check and don't care if it's expired or not valid yet
Dim res2 = cert.Validate(serverName, _
        ValidationOptions.SkipRevocationCheck Or _
        ValidationOptions.IgnoreTimeNotValid)
If Not res2.Valid Then
    Console.Write("Validation failed: {0} (error {1}).", res2.Status, res2.NativeErrorCode)
End If
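
The relaxed options in the sample above hide expiry and revocation problems, so they suit diagnosing a failure better than accepting a connection. The following C# sketch is an added example, not part of the Rebex documentation: it accepts a certificate only on strict validation and uses the relaxed pass purely to report the cause. The class and method names are hypothetical, and ValidationOptions.None is assumed to be the no-relaxation value.

```csharp
using System;
using Rebex.Security.Certificates;

static class ServerCertificateCheck
{
    // Hypothetical helper: returns true only if the certificate passes
    // validation with no relaxations for the given server name.
    public static bool IsAcceptable(Certificate cert, string serverName)
    {
        // Strict pass. ValidationOptions.None is assumed to mean "no relaxations".
        var strict = cert.Validate(serverName, ValidationOptions.None);
        if (strict.Valid)
            return true;

        Console.WriteLine("Strict validation failed: {0} (error {1}).",
            strict.Status, strict.NativeErrorCode);

        // Diagnostic pass with the relaxed options from the sample above.
        // Its result is only reported, never used to accept the certificate.
        var relaxed = cert.Validate(serverName,
            ValidationOptions.SkipRevocationCheck |
            ValidationOptions.IgnoreTimeNotValid);

        if (relaxed.Valid)
            Console.WriteLine("Only the validity period or the revocation check is at fault.");
        else
            Console.WriteLine("Problems remain even when relaxed: {0}.", relaxed.Status);

        return false;
    }

    static int Main(string[] args)
    {
        // usage: check <certificate.der> <serverName>
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: check <certificate.der> <serverName>");
            return 2;
        }
        var cert = Certificate.LoadDer(args[0]);
        return IsAcceptable(cert, args[1]) ? 0 : 1;
    }
}
```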

Windows certificate store management 

Microsoft Windows provides system-wide storage for X.509 certificates and private keys. The storage is used by applications such as Internet Explorer, Google Chrome, Microsoft Outlook or Windows Live Mail.

The Windows certificate store can be managed using the CertificateStore class:

Manage personal certificate store

// load a certificate from file
var cert = Certificate.LoadPfx(certPath, certPassword, KeySetOptions.Exportable);

// add the certificate to the "Personal Certificates" store
var store = new CertificateStore(CertificateStoreName.My);
store.Add(cert);

// find all not-expired certificates from issuer named "TestCA"
var dn = new DistinguishedName("CN=TestCA, O=Rebex, C=CZ");
var found = store.FindCertificates(dn, CertificateFindOptions.IsTimeValid);
Console.WriteLine("{0} certificates found.", found.Length);

// remove the certificate from store
store.Remove(cert);

' load a certificate from file
Dim cert = Certificate.LoadPfx(certPath, certPassword, KeySetOptions.Exportable)

' add the certificate to the "Personal Certificates" store
Dim store = New CertificateStore(CertificateStoreName.My)
store.Add(cert)

' find all not-expired certificates from issuer named "TestCA"
Dim dn = New DistinguishedName("CN=TestCA, O=Rebex, C=CZ")
Dim found = store.FindCertificates(dn, CertificateFindOptions.IsTimeValid)
Console.WriteLine("{0} certificates found.", found.Length)

' remove the certificate from store
store.Remove(cert)

Add a certificate to trusted root certification authorities store

// load a certificate from file
var cert = Certificate.LoadDer(certPath);

// add the certificate to the "Trusted Root Certificates" store
var store = new CertificateStore(CertificateStoreName.Root);
store.Add(cert);

' load a certificate from file
Dim cert = Certificate.LoadDer(certPath)

' add the certificate to the "Trusted Root Certificates" store
Dim store = New CertificateStore(CertificateStoreName.Root)
store.Add(cert)

Tip: To manage the Windows certificate store, you can use Internet Explorer (Tools / Internet options / Certificates) or the "Certificates" MMC snap-in.
