Does anyone have any information regarding the cert_cookie server variable and how it is generated? I can not find any information on this variable except that it "returns the unique ID for client certificate as a string."
It's only available on an HttpClientCertificate in ASP.NET, or via the server variables collection. If you look on an X509Certificate object, you don't have access to this information any more. I know that the thumbprint on the certificate is a SHA1 hash, but I have no idea how the cert_cookie is generated, and whether one can truly rely on it as a unique identifier for a client certificate.