System.Net.Security.CertificateNegotiation
Namespace: System.Net.Security
Class: CertificateNegotiation
Provides functionality for negotiating X.509 certificates between client and server endpoints. This class is typically used in scenarios requiring mutual authentication or enhanced security for network communications.
Summary
The CertificateNegotiation class abstracts the complex process of exchanging and validating X.509 certificates. It allows developers to configure and control how certificates are requested, presented, and verified during the establishment of secure network connections. This is crucial for implementing protocols like TLS/SSL where server and/or client authentication is required.
Syntax
public static class CertificateNegotiation
Remarks
This is a static class and cannot be instantiated. Its members are used to define behaviors for certificate selection and validation within the .NET networking stack. When a secure connection is being established, such as with SslStream, the underlying framework may invoke logic related to certificate negotiation. Developers can influence this process by providing custom callback functions or settings.
Key Concepts:
- Client Authentication: The server requests a certificate from the client to verify its identity.
- Server Authentication: The client verifies the identity of the server using its certificate.
- Certificate Validation: The process of checking the validity, trust chain, and revocation status of a certificate.
- X.509 Certificates: Digital certificates used to establish identity and enable encryption in secure communication.
Methods
AuthenticateAsClient(string targetHost, X509CertificateCollection clientCertificates, X509Certificate2Collection acceptableIssuers, bool checkCertificateRevocation)
Authenticates a client against a remote server by using the specified target host, client certificates, acceptable issuer certificates, and revocation checking option.
Parameters:
| Parameter | Type | Description |
|---|---|---|
| targetHost | string | The host name of the server to authenticate. |
| clientCertificates | X509CertificateCollection | A collection of X.509 certificates to be presented to the server. Can be null. |
| acceptableIssuers | X509Certificate2Collection | A collection of X.509 certificates that represent the acceptable issuers for the server's certificate. Can be null. |
| checkCertificateRevocation | bool | true to check if the server's certificate has been revoked; otherwise, false. |
Returns:
bool: true if the authentication succeeded; otherwise, false.
AuthenticateAsServer(X509Certificate2 serverCertificate, bool clientCertificateRequired, X509Certificate2Collection acceptableIssuers, bool checkCertificateRevocation)
Authenticates a server against a client by using the specified server certificate, client certificate requirement, acceptable issuer certificates, and revocation checking option.
Parameters:
| Parameter | Type | Description |
|---|---|---|
| serverCertificate | X509Certificate2 | The X.509 certificate to be presented to the client. |
| clientCertificateRequired | bool | true to require the client to present a certificate; otherwise, false. |
| acceptableIssuers | X509Certificate2Collection | A collection of X.509 certificates that represent the acceptable issuers for the client's certificate. Can be null. |
| checkCertificateRevocation | bool | true to check if the client's certificate has been revoked; otherwise, false. |
Returns:
bool: true if the authentication succeeded; otherwise, false.
See Also
The RemoteCertificateValidationCallback and LocalCertificateSelectionCallback delegates used by the SslStream class give fine-grained control over certificate handling.
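As an added example (not code from this page or from .NET itself), the following RemoteCertificateValidationCallback for SslStream enforces the two checks that the acceptableIssuers and checkCertificateRevocation parameters above describe: the peer's chain must build with revocation checking when requested, and at least one issuer in that chain must be in the acceptable set. StrictCertificateValidation and its Create method are names chosen here.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class StrictCertificateValidation
{
    // Builds a RemoteCertificateValidationCallback that applies the two checks described
    // by the acceptableIssuers and checkCertificateRevocation parameters above.
    public static RemoteCertificateValidationCallback Create(
        X509Certificate2Collection acceptableIssuers, bool checkCertificateRevocation)
    {
        return (sender, certificate, chain, sslPolicyErrors) =>
        {
            // A missing peer certificate or a host-name mismatch is never acceptable.
            if (certificate == null ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            using var peer = new X509Certificate2(certificate);
            using var verifyChain = new X509Chain();
            verifyChain.ChainPolicy.RevocationMode = checkCertificateRevocation
                ? X509RevocationMode.Online
                : X509RevocationMode.NoCheck;
            // NoFlag: an unknown revocation status counts as a failure, not a pass.
            verifyChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (acceptableIssuers != null)
                verifyChain.ChainPolicy.ExtraStore.AddRange(acceptableIssuers); // helps resolve intermediates
            // Build() returns false on any chain-status error, including revocation.
            if (!verifyChain.Build(peer))
                return false;

            if (acceptableIssuers == null || acceptableIssuers.Count == 0)
                return true; // no issuer restriction was configured
            // Element 0 is the peer certificate itself; every later element is an issuer.
            // Accept only if one of those issuers is in the acceptable set (matched by thumbprint).
            for (int i = 1; i < verifyChain.ChainElements.Count; i++)
            {
                string thumbprint = verifyChain.ChainElements[i].Certificate.Thumbprint;
                foreach (X509Certificate2 issuer in acceptableIssuers)
                {
                    if (string.Equals(thumbprint, issuer.Thumbprint, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
            return false;
        };
    }
}
```

Pass the result to the SslStream constructor, for example `new SslStream(innerStream, false, StrictCertificateValidation.Create(issuers, true))`, so the check runs during AuthenticateAsClient or AuthenticateAsServer; trust anchors still come from the platform store, ExtraStore only supplies intermediates.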