Extension to the .NET X509Store to access Win Service-specific certificate stores
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
.gitignore
LICENSE
README.md
Zyborg.Security.Cryptography.ServiceCertStore.sln
version.props

README.md

Zyborg.Security.Cryptography.ServiceCertStore

Extension to the .NET X509Store to access Win Service-specific certificate stores


Nuget Library

PowerShell Module


Use this extension to the BCL X509Store class to support access to Windows Service-specific certificate stores. See this blog for the nitty gritty details.

By default the X509Store class only allows access to the stores defined in the StoreLocation enumeration, which is limited to either the CurrentUser or the LocalMachine.

But installed Windows Services may have their own instance of a Certificate Store as well, and there are certain scenarios where accessing this store is useful or exposes additional functionality. One concrete example would be the ability for the NTDS Windows Service to automatically detect and select updated certificates in its personal store to be used for securing the LDAPS endpoint, available since Windows 2008 (see the end of this article).

This extension allows you to target a specific named certificate stored under the context of a Windows Service. Example usage:

public void EnumerateNtdsCerts()
{
    using (var store = ServiceCertStore.OpenStore("NTDS", StoreName.My))
    {
        foreach (var c in store.Certificates)
        {
            Console.WriteLine($"{c.Thumbprint} : {c.Subject}");
        }
    }
}