Live is streaming live. Watch now.

TLS - Client Cert

PCF apps run under a non-privileged container account they do not have access to install or access certs in the Windows Machine cert store.

To resolve this, there are few approaches:

  • The app could install certificate into Current User Store and point configuration to load cert from StoreLocation.CurrentUser. For the system to use client cert in TLS handshake private key should be stored in the Windows store - use X509KeyStorageFlags.PersistKeySet when loading the certificate.

    X509Certificate2 xcert = new X509Certificate2(cert, passw, X509KeyStorageFlags.PersistKeySet);
    X509Store store = new X509Store( StoreLocation.CurrentUser);

    To read the cert:

    X509Store store = new X509Store(StoreLocation.CurrentUser);
    var certificates = store.Certificates;
    foreach (var certificate in certificates)
        var xname = certificate.GetName(); 
            if (certificate.HasPrivateKey)
                certs.Append(" private key size:" + certificate.PrivateKey.KeySize);
        catch (Exception ex)
            certs.Append("Exception: "+ex.Message);
  • The app could dynamically load the cert from a location it has access too (from the local file system, env var, or secrets store) and inject certificate into client network connection. For example:

    client.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(certbytes, password, X509KeyStorageFlags.UserKeySet);

Sample .NET Application (WCF service) installing and reading TLS cert can be found here.


On This Page