Friday, July 30, 2004

Vote for my Whidbey X509CertificateEx bug...

The MS folks have done an excellent job in System.Security.Cryptography, but a surprising omission is the lack of an option to export the entire trust chain. The enumerations (X509IncludeOption) are already available and are used in other places, but aren't supported by X509CertificateEx.

This means that if an X509Certificate is exported, it won't have the entire trust chain that can be traced back to the Root CA. If you use this mechanism to, say, export your (WSE) signature / encryption certificate, you will have to go through the additional process of manually exporting the trust chain and installing it on the remote machine.

This can be especially painful if you are trying to automate the entire deployment process. So please take a moment and let them know that it's important to get this bug fixed....



Blogger Atul said...

The folks at the BCL blog were kind enough to point me to the correct way to do this.

Call X509Chain and pass the certificate to be exported and stuff the X509CertificateEx in the resulting X509ChainElements into an X509CertificateExCollection. Calling Export on the collection will now have the desired effect of exporting the entire chain.

8:36 PM  
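The approach described in the comment above, as an added example that is not code from the original post or from Microsoft. It uses the names from the released .NET Framework 2.0, where the beta X509CertificateEx type shipped as X509Certificate2; the command-line arguments and the choice of PKCS#7 output are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

static class ChainExporter
{
    // Builds the trust chain for 'leaf' and returns every certificate in it
    // (leaf, intermediates, root) as one PKCS#7 blob.
    public static byte[] ExportChain(X509Certificate2 leaf)
    {
        X509Chain chain = new X509Chain();

        // Build() returns false if the chain cannot be validated under the
        // default policy (untrusted root, expired cert, revocation failure).
        if (!chain.Build(leaf))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("{0}: {1}", status.Status, status.StatusInformation);
            throw new InvalidOperationException("Certificate chain did not validate; nothing exported.");
        }

        X509Certificate2Collection certs = new X509Certificate2Collection();
        foreach (X509ChainElement element in chain.ChainElements)
        {
            // Re-create each certificate from its raw DER bytes so the
            // collection holds public certificates only, with no link to
            // any private key in the local store.
            certs.Add(new X509Certificate2(element.Certificate.RawData));
        }

        // PKCS#7 carries certificates but never private keys, which is what
        // you want when the goal is to ship the trust chain to another machine.
        return certs.Export(X509ContentType.Pkcs7);
    }

    static void Main(string[] args)
    {
        // Assumed usage: ChainExporter.exe <leaf.cer> <chain.p7b>
        X509Certificate2 leaf = new X509Certificate2(args[0]);
        File.WriteAllBytes(args[1], ExportChain(leaf));
    }
}
```

Importing the resulting file on the remote machine makes the chain certificates available there, but the root still has to be placed in that machine's trusted root store before the chain validates.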
