Aha! I had seen many samples of getting a digital certificate out of the client machines certificate store, but all of the examples were sending in some pre-defined private key.
Let me back up. When you get a digital certificate and install it on your machine, it has a private key associated with it. So when you are using WSE2’s FindCertificateByKeyIdentifier method, you pass in that key and it gives you back the certificate so you can sign whatever it is you want to sign.
In all of the examples I was looking at, the key was “predetermined“. For example in one article it passed in a variable and said “by the way, this private key is stored in the app.config”, or “previously stored private key” pr in the example of the hands on labs, you just manually pasted the key into your code after copying it from the WSE Certificate Tool (a UI that comes with WSE so you can easily work with your X509 certs). But I could never figure out how the key was being retrieved dynamically.
What was bugging me was this: if you have a client application and an end user installs it on their machine, what is the end-user experience when dealing with the key? How is that pre-determined key being discovered?
Now I see that basically you need to get the user to tell you which of their digital signatures they want to use when using this client to access your web service. D’uh, that’s not so bad. So either you have some setup routine where the user can choose the signature and then store the key in a settings file or just have them choose the key dynamically during the application execution. There are of course different scenarios where you would want one method over the other. There is a Quickstart sample (AsymmetricEncryptionCode) that demonstrates how to popup a dialog box and have the user choose from the correct signatures included with the WSE2 install.
There are other methods for getting a digital signature besides by the private key. Again, based on what you are trying to accomplish, you would choose what method to use. But this was the most common scenario in the samples I have looked at so far.
(I’m very open to corrections if I have stated anything incorrectly here. And James, just because I’m a little thick, doesn’t mean this stuff is *so* hard that we should all switch to smalltalk :-))
Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!
I am trying to use Microsoft.Web.Services.Security.X509.FindCertificateByKeyIdentifier to load certificates. Its working for one key but not for the other. Can you please guide me to find out the problem.whileusing FCLX509 = System.Security.Cryptography.X509Certificates;FCLX509.X509Store store = new System.Security.Cryptography.X509Certificates.X509Store(FCLX509.StoreName.My)loads the certificates for this authority key as well, along with other authority keys.
Hi DuFFeR,I haven’t been trouble shooting these types of problems for a number of years and don’t have any good guidance for you. I’d recommend trying to the MSDN Forums to either read previous Q&As or ask the question. This looks like the likely candidate. social.msdn.microsoft.com/…/threadsSorry I couldn’t be more helpful.julie