
I've been googling around for half a day looking for a way to read a .pfx file and import the certificates into the certstore.

So far, I am able to read the .pfx file with X509Certificate and able to import one certificate within the .pfx file. So far so good, but there are three certificates in the .pfx file and when loading the .pfx with X509Certificate, I am not able to see the other two certificates.

The certificate was exported with

Personal Information Exchange - PKCS #12 (.PFX)

  • Include all certificates in the certification path if possible

  • Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)

Those are the options selected when exporting the certificate(s). I know there are three certificates because I manually go into the certstore (MMC) and import it into a personal folder myself.

Chloé

1 Answer


You should be able to get a collection object containing the certs in your .pfx file by using the X509Certificate2Collection class... here's some C# example code:

using System;
using System.Security.Cryptography.X509Certificates;

string certPath = <YOUR PFX FILE PATH>;
string certPass = <YOUR PASSWORD>;

// Create a collection object and populate it using the PFX file.
// PersistKeySet keeps the imported private key in a key container
// so it is still usable after the certificate is added to a store.
X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Import(certPath, certPass, X509KeyStorageFlags.PersistKeySet);

Then you can iterate over the collection:

foreach (X509Certificate2 cert in collection)
{
    Console.WriteLine("Subject is: '{0}'", cert.Subject);
    Console.WriteLine("Issuer is:  '{0}'", cert.Issuer);

    // Import the certificates into X509Store objects
}

Depending on the type of certificate (client cert, intermediate CA cert, root CA) you'll need to open the proper cert store (as an X509Store object) to import it.

Check out the X509Store docs:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509store.aspx

And the different members in the StoreName enumeration:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.storename.aspx

From what I understand, you want to use StoreName.My for client certificates that contain a private key, StoreName.CertificateAuthority for intermediate CA certs, and StoreName.Root for root CA certs.

Bill Agee
  • Bill, great! I'm seeing all three in the collection. I need to import each one of them in the right store in the Local Computer: StoreName.My, StoreName.Root and StoreName.CertificateAuthority, just as you mention above. I am able to import it into any of the three stores. My next question is, what does the private key do in the pfx file? Do I need to do anything with it? I'm new to this stuff. Thank you again. – Chloé Feb 18 '11 at 15:52
  • As far as I know, once a personal certificate with a private key is imported to the My store from a .pfx file, the private key should be ready to use, with no further action needed...for example, client cert authentication with that certificate should work in IE. – Bill Agee Feb 19 '11 at 07:25
  • When importing certs for things like mail encryption, etc., you may need them in the CurrentUser stores, but if you import a Root CA cert to CurrentUser, it will pop up a dialog asking "Are you sure you want to trust this?". The way around this, apparently, is to put the Root CA in the LocalMachine store instead. No popup, and the ICA cert will still work with it. – CodeWarrior Sep 21 '11 at 14:29
  • When iterating the certs in the .pfx file by using the X509Certificate2Collection, how do we know which of them is the client cert, which the intermediate CA cert (if any), and which the root CA? Is there a property containing the certificate type? – RickyTad Dec 19 '22 at 00:11
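The following is an added example (not code from the original answer or its comments) that carries the answer's procedure through to the end and also addresses the last comment's question: there is no "certificate type" property, so the usual way to sort the certificates in a PFX into stores is by what each one carries. The entry with a private key is the end-entity certificate (StoreName.My); a certificate whose Basic Constraints extension says CA and whose Subject equals its Issuer is a self-signed root (StoreName.Root); any other CA certificate is an intermediate (StoreName.CertificateAuthority). The file path and password are placeholders, and the class and method names are mine.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original Stack Overflow answer.
// Loads every certificate in a .pfx and routes each one to the
// matching LocalMachine store based on its contents.
static class PfxImporter
{
    // Decide which store a certificate from the PFX belongs in.
    public static StoreName Classify(X509Certificate2 cert)
    {
        // The certificate that owns the exported private key is the
        // end-entity (client/server) certificate.
        if (cert.HasPrivateKey)
            return StoreName.My;

        // Look for Basic Constraints to tell CA certificates from leaves.
        bool isCa = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509BasicConstraintsExtension bc = ext as X509BasicConstraintsExtension;
            if (bc != null)
                isCa = bc.CertificateAuthority;
        }

        // A CA that issued itself is a trust anchor (root); other CAs are
        // intermediates. Comparing the DN strings is sufficient here because
        // .NET normalizes both Subject and Issuer the same way.
        bool selfIssued = cert.Subject == cert.Issuer;
        if (isCa && selfIssued)
            return StoreName.Root;
        if (isCa)
            return StoreName.CertificateAuthority;

        // Not a CA and no private key (e.g. the key was not exported): still
        // an end-entity certificate, so it goes to My.
        return StoreName.My;
    }

    public static void Import(string pfxPath, string password)
    {
        X509Certificate2Collection collection = new X509Certificate2Collection();

        // MachineKeySet puts the private key in the machine-wide key store,
        // which is what services running under LocalMachine\My need;
        // PersistKeySet keeps it after this process exits.
        collection.Import(pfxPath, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        foreach (X509Certificate2 cert in collection)
        {
            StoreName target = Classify(cert);

            X509Store store = new X509Store(target, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite);
            try
            {
                // Add() is a no-op if a certificate with this thumbprint is
                // already present, so re-running the import is safe.
                store.Add(cert);
            }
            finally
            {
                store.Close();
            }

            Console.WriteLine("{0}  {1}  ->  LocalMachine\\{2}",
                cert.Thumbprint, cert.Subject, target);
        }
    }

    static void Main(string[] args)
    {
        // Placeholders: point at your own .pfx and supply its password.
        Import(@"C:\path\to\certs.pfx", "<YOUR PASSWORD>");
    }
}
```

Writing to LocalMachine stores requires the process to run elevated, and a PFX password hard-coded in source is a placeholder only; in a real deployment read it from a protected configuration or secret store. Adding a root you did not issue to LocalMachine\Root makes every account on the machine trust it, so confirm the thumbprint printed for the StoreName.Root entry matches the CA you expect before running this on anything but a test box.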