I have several questions about the SslStream Class and about certificates

Question

I have looked at about 10-15 different pages about the SSlStream class and about certificates and I haven't found one that completely explains everything to me. So I have a bunch of questions.

I am currently working on some SslStream code and I have a question about certificates. From my research it appears that the server requires a certificate if we are using TSL12. And it appears optional that the client needs a certificate.

1) Now if we design a system that the client needs a certificate do we use the same certificate for the client and the server? Or do they both use different ones?

2) Also looking at the Microsoft SslStream help page: https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx How does the code know if those are the expected certificates?

3) In the Property page on a project under Signing you can Create a Test Certificate. When you click that button it asks for a Password. If a password is used how would that affect the SslStream code? The code on the Microsoft help page above doesn't deal with that at all?

4) Once I have a certificate for the server and the client can I just place them in a directory or do I need to put them in the store?

Thanks.

Answer 1

You can find most answers to your questions here

1. These are the different certificates. Client certificate used to check client identity. Server certificate used to encrypt key materials and to authenticate itself.

2. What means expected? You mean whether the client certificate is correct? You can write your own login to check client and certificate. By default expiration date is checked, where it's revoked or not etc. Read there to clarify.

3. It will create certificate and to use private key you will need to provide password to get it from storage
4. The base usage is to put it into the store. But you can also get it from .pfx file. You can read there about geting the key from file

Answer 2

1) Now if we design a system that the client needs a certificate do we use the same certificate for the client and the server? Or do they both use different ones?

The best practice is "one certificate per purpose". Think of a server authentication certificate as the "Warner Bros. Studios" sign hanging on the building as you pull up to the guard shack, and a client authentication certificate as an employee ID badge. They both inform the other party what's going on, but it feels a little out of place to then walk down the street to Universal and show your big Warner Bros. sign as identification.

2) Also looking at the Microsoft SslStream help page: https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx How does the code know if those are the expected certificates?

The server authentication certificate you provide is correct, because you provided it.

If you give only one client auth cert, that's correct, because you provided it.

If you give multiple client auth certs then it will use an acceptable CAs list provided by the server TLS handshake to reduce the list, then it takes the first one that was acceptable.

3) In the Property page on a project under Signing you can Create a Test Certificate. When you click that button it asks for a Password. If a password is used how would that affect the SslStream code? The code on the Microsoft help page above doesn't deal with that at all?

Certificates don't have passwords, but PFX/PKCS#12 files do. You need that password to load the file into an X509Certificate2 instance (e.g. new X509Certificate2("servercert.pfx", "1Potato2Potato3Potato4")). Since SslStream won't do the loading for you, it doesn't talk about passwords.

4) Once I have a certificate for the server and the client can I just place them in a directory or do I need to put them in the store?

They should work fine when loaded from a PFX (you need the private key, so it can't be just a .cer). If the certificates can be one-time loaded into cert stores you can avoid the problem of loading or hard-coding PFX passwords... but that just depends on your deployment needs.