I have a C# form (running on the client machine) which gathers all the user X509Certificates from the store, presents them to the user so they can pick the one they want to use. Then I pass the cert off to a webservice to do some work. This all works great! Problem is, the user is never prompted for the X509Certificate password? I can't find a method to "check password" once I have the X509Certificate from the store. I also thought about using the X509Certificate constructor, which needs the path and password, but I don't see a method to get the file path and name from the X509Certificate I grabbed from the store? Is it secure to just grab the certificate from the store and not ask for the user's password?

This is how I'm grabbing from the store:

using System.Security.Cryptography.X509Certificates;

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
for (int i = 0; i < store.Certificates.Count; i++)
{
    X509Certificate c = store.Certificates[i];
    // ... add to GUI for user to pick here ...
}
store.Close();

Thanks for any help, Steve

A: 

If you choose to use a certificate from a cryptographic device like an eToken or SmartCard you will be automatically prompted to enter the password (password for the device, not the certificate). In other cases I don't think you should care about it. You can easily access the local store without any passwords in Windows, so why would you pass-protect them in the app?

RaYell
Thanks for the reply. That's why I want to ask for the password - I want to ensure the person using the cert is actually the cert owner.
A: 

It depends whether the certificate's private key is protected by a password or not. If you access such a certificate from the store, Windows should prompt you to enter it.

Johannes Rudolph
Yes, that's exactly what I was thinking...the cert is password protected, yet I don't get the prompt. I am testing against my own cert, which when I use it in other web applications, I DO get the prompt? I also get it in Outlook when digitally signing messages?
Perhaps I need to access something in the cert before it prompts me? Currently all I grab is the SubjectName from the cert and pass it to the webservice to authenticate.
A: 

That was it...thanks for the help, you guys helped me narrow down the problem. I added a line in there to access the privatekey from the cert and it then prompted me for the password.

Thanks! Steve
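
Added example (not code from any poster in this thread): a challenge-response sketch showing why the private key has to be touched at all. Reading the SubjectName only uses the public certificate, which anyone can copy; signing a server-supplied challenge is the private-key operation at which, per the answer above, Windows prompts for a protected key. The names SignChallenge and VerifyChallenge are hypothetical, and the self-signed certificate is constructed sample input so the program runs without a store certificate; it assumes an RSA key and a runtime with CertificateRequest (.NET Framework 4.7.2 or .NET Core 2.0 and later).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ProofOfPossession
{
    // Client side: this is the private-key access. For a store certificate whose
    // key is protected, this is the step the thread found triggers the prompt.
    static byte[] SignChallenge(X509Certificate2 cert, byte[] challenge)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key.");
        using (RSA key = cert.GetRSAPrivateKey())
        {
            if (key == null)
                throw new NotSupportedException("Not an RSA key.");
            return key.SignData(challenge, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Service side: only the public certificate is needed to check the response.
    static bool VerifyChallenge(X509Certificate2 publicCert, byte[] challenge, byte[] signature)
    {
        using (RSA pub = publicCert.GetRSAPublicKey())
            return pub != null &&
                   pub.VerifyData(challenge, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed sample input: throwaway self-signed certificate (assumption,
        // stands in for the certificate the user picked from the store).
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=Constructed Test User", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
            using (var publicOnly = new X509Certificate2(cert.Export(X509ContentType.Cert)))
            {
                byte[] challenge = new byte[32]; // the service would generate this per login
                using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(challenge);

                byte[] sig = SignChallenge(cert, challenge);
                Console.WriteLine("valid response:  " + VerifyChallenge(publicOnly, challenge, sig));
                challenge[0] ^= 0xFF; // a signature made for another challenge must not verify
                Console.WriteLine("wrong challenge: " + VerifyChallenge(publicOnly, challenge, sig));
            }
        }
    }
}
```

With a certificate taken from the store as in the question, pass that X509Certificate2 to SignChallenge on the client and send only the signature and the public certificate to the web service.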

A: 

Hi! I'm dealing with the same problem... my program opens a certificate, and I need to pass it the password to get the private key to do my signing... or am I wrong?