21

Where are the certificate files located in linux when using the .NET Core 2 X509Store?

On Windows, the certificates are accessible from the management console certlm.msc or with New-SelfSignedCertificate in PowerShell. Using .NET APIs, certificates can be added by something like this on both Windows and Linux:

using System.Security.Cryptography.X509Certificates;

// Open the current user's "My" (Personal) store for writing and import a PFX.
using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadWrite);
    var cert = new X509Certificate2("cert.pfx", "1234"); // PFX path and its password
    store.Add(cert);
}

which can be accessed via X509Store.Certificates.Find().

But where do the files get stored and how can they be added via Linux tools? E.g. a sysadmin would add the certificates and an application would only read them.

ubi

3 Answers

24

The answer of @mbican is correct; the certificates are placed at

~/.dotnet/corefx/cryptography/x509stores/

I did not believe this one-line answer without context and did not understand how he got there. That's why I want to share my findings as an answer for all the future visitors running into the same problem.

  1. Use the .pfx certificate file; you do NOT have to convert it to a .pem or .crt or something else.

  2. Store the certificate with dotnet, so that you can see where the file is placed. A little C# command line:

    using System.Security.Cryptography.X509Certificates;

    // Open the current user's "My" store read/write and persist the imported key.
    using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser, OpenFlags.ReadWrite))
    {
        store.Add(new X509Certificate2(
            "./thePathToTheCert.pfx", "passwordOfTheCert",
            X509KeyStorageFlags.PersistKeySet));
    }

    This created the folder ~/.dotnet/corefx/cryptography/x509stores/ and placed the certificate inside: ~/.dotnet/corefx/cryptography/x509stores/my/ThumbPrintOfTheCertificate.pfx

    Hint: We used to use StoreLocation.LocalMachine on Windows, but when we run on Linux there is no LocalMachine store, so we switched to StoreLocation.CurrentUser. You will get this error if you try LocalMachine: "Unix LocalMachine X509Stores are read-only for all users."

Hope this helps someone.
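The question also asks how a sysadmin can add certificates with Linux tools instead of the .NET API. The script below is an added example (not from the question or any answer) that does exactly that with openssl and coreutils, based on the layout the accepted answer found: ~/.dotnet/corefx/cryptography/x509stores/<store>/<THUMBPRINT>.pfx, where <store> is the lower-cased store name ("my" for StoreName.My) and THUMBPRINT is the upper-case SHA-1 fingerprint of the certificate, which is how .NET itself names the files. The store loader opens each .pfx without a password, so the export uses an empty one, and filesystem permissions (owner-only directory and file) are the only thing protecting the private key inside. The function names, the STORE_ROOT override and the generated self-signed test certificate are all constructed for this example.

```shell
#!/usr/bin/env sh
# Added example: install and inspect certificates in the per-user X509Store
# directory that .NET Core uses on Linux, using openssl and coreutils only.
# Layout (from the accepted answer): $STORE_ROOT/<store>/<THUMBPRINT>.pfx

# STORE_ROOT defaults to the real .NET location; override it to experiment safely.
STORE_ROOT="${STORE_ROOT:-$HOME/.dotnet/corefx/cryptography/x509stores}"

# .NET-style thumbprint of a PEM certificate: SHA-1 over the DER encoding,
# upper-case hex, no colons (same value as X509Certificate2.Thumbprint).
dotnet_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed -e 's/^.*=//' -e 's/://g'
}

# Install a PEM certificate + private key into <store> ("my" by default) as an
# empty-password PFX named by thumbprint. Prints the path of the installed file.
install_into_dotnet_store() {
    cert="$1"; key="$2"; store="${3:-my}"
    dir="$STORE_ROOT/$store"
    thumb=$(dotnet_thumbprint "$cert")
    # Owner-only directory: the PFX files inside carry private keys that
    # anyone who can read the file can open (empty password).
    mkdir -p "$dir" && chmod 700 "$dir"
    # umask 077 so the file is never world-readable, not even briefly.
    (umask 077; openssl pkcs12 -export -in "$cert" -inkey "$key" \
        -passout pass: -out "$dir/$thumb.pfx")
    chmod 600 "$dir/$thumb.pfx"
    printf '%s\n' "$dir/$thumb.pfx"
}

# List what an app sees through X509Store(StoreName.My, StoreLocation.CurrentUser):
# one line per file, "<thumbprint-from-filename> subject=<subject>".
list_dotnet_store() {
    store="${1:-my}"
    for f in "$STORE_ROOT/$store"/*.pfx; do
        [ -e "$f" ] || continue
        subj=$(openssl pkcs12 -in "$f" -passin pass: -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout -subject)
        printf '%s %s\n' "$(basename "$f" .pfx)" "$subj"
    done
}

# Audit: print every .pfx in the store that group or others can read,
# i.e. a private key that has leaked beyond the owning account.
audit_dotnet_store_perms() {
    [ -d "$STORE_ROOT" ] || return 0
    find "$STORE_ROOT" -name '*.pfx' \( -perm -g+r -o -perm -o+r \) -print
}

# Constructed test material: a throwaway self-signed certificate and key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=dotnet-store-example' \
        -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
}

# Demo against a temporary store root so nothing touches the real ~/.dotnet.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp"
    (
        STORE_ROOT="$tmp/x509stores"
        echo "installed: $(install_into_dotnet_store "$tmp/test.crt" "$tmp/test.key")"
        echo "store contents:"; list_dotnet_store
        echo "group/world-readable pfx files (should be none):"; audit_dotnet_store_perms
    )
    rm -rf "$tmp"
}
demo
```

Run it with STORE_ROOT unset to install into the directory .NET really reads, then confirm from the application side with X509Store.Certificates.Find(X509FindType.FindByThumbprint, ...) using the printed thumbprint. The audit function is the check worth scheduling: a 0644 file in that tree is an exportable private key for every local account.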

ChrisW
PeterFromCologne
7

~/.dotnet/corefx/cryptography/x509stores/

mbican
  • The important thing to know is that certificates are unencrypted, which means it just works if you copy that directory to another server, but there is also a risk of leaking the private key. – mbican Sep 29 '19 at 15:26
  • Does reading from the LocalMachine store work on Linux? Or is the only possible way to retrieve certificates to use StoreLocation.CurrentUser on Linux? – Igor Aug 27 '20 at 08:27
  • @Igor I don't have it verified right now, but as far as I remember only CurrentUser is available on Linux. LocalMachine doesn't work. – mbican Aug 28 '20 at 15:38
0

I ran into a similar issue while updating an app to use ASP.NET Core 2.1. The SSL connection to the database no longer accepts the PFX file in the connection string (CentOS, works on Windows) so I had to add the PEM certificate file to /etc/pki/tls/certs and the PEM key file to /etc/pki/tls/private.

This stopped X509Store.Open() from throwing an exception.

Dan Ware