X509Certificate2.DnsSafeHost Property

Property Value

string
A string that contains the DNS name of the host.

Remarks

DnsSafeHost is a property of System.Uri, not of X509Certificate2: Uri.DnsSafeHost returns the unescaped host name of a URI in a form that is safe to hand to DNS resolution. The X509Certificate2 type in System.Security.Cryptography.X509Certificates exposes no property of that name. The DNS name a certificate was issued for is obtained with GetNameInfo(X509NameType.DnsName, forIssuer: false), or by reading the Subject Alternative Name (SAN) extension (OID 2.5.29.17) directly. Neither call does anything to prevent DNS spoofing. A name in a certificate only records which hosts the issuing CA bound the public key to; the defence against a spoofed DNS answer is validating the certificate chain and then matching the served certificate against the host name the client intended to reach.

GetNameInfo with X509NameType.DnsName returns a single string: the first dNSName entry of the SAN extension or, if the certificate has no dNSName SAN entry, the Common Name (CN) from the Subject field. A certificate issued for several hosts therefore exposes only one of them through this call; code that needs all of them must enumerate the SAN extension itself (on .NET 7 and later, X509SubjectAlternativeNameExtension.EnumerateDnsNames).

No character replacement is performed: the name is returned exactly as it is encoded in the certificate. Per RFC 5280 a dNSName is an IA5String, so internationalized domain names (IDNs) appear in their ASCII-compatible A-label (punycode) form. Convert the target host with System.Globalization.IdnMapping.GetAscii before comparing, and compare without regard to case, because DNS names are not case sensitive.

Important

Comparing the single name returned by GetNameInfo with a target host name is not sufficient host-name validation. A correct check considers every dNSName in the SAN extension, applies the wildcard rules (a single leftmost * label that matches exactly one label, never across a dot), and consults the subject CN only as a fallback for legacy certificates that carry no SAN extension. On .NET 8 and later, X509Certificate2.MatchesHostname(hostname) implements these rules, and SslStream performs the same check against the targetHost passed to AuthenticateAsClient. Host-name matching complements chain validation (X509Chain.Build, or the SslPolicyErrors reported to a RemoteCertificateValidationCallback) and never replaces it: a self-signed certificate can carry any name.

Example

The following example demonstrates how to retrieve the DNS name of an X509Certificate2 object with GetNameInfo and compare it with a target host name.


using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public class Example
{
    public static void Main()
    {
        try
        {
            // In a real scenario, you would load a certificate from a file or a store:
            // X509Certificate2 certificate = new X509Certificate2("path/to/your/certificate.cer");
            // Or from a store:
            // using X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            // store.Open(OpenFlags.ReadOnly);
            // X509Certificate2 certificate = store.Certificates[0];

            // To keep the sample self-contained, generate a short-lived self-signed
            // certificate in-process instead (illustration only).
            using X509Certificate2 certificate = CreateDemoCertificate("www.example.com");

            // X509Certificate2 has no DnsSafeHost member. X509NameType.DnsName returns
            // the first dNSName entry of the Subject Alternative Name extension, or the
            // subject Common Name when the certificate has no such entry.
            string dnsName = certificate.GetNameInfo(X509NameType.DnsName, forIssuer: false);

            Console.WriteLine("DNS name: " + dnsName);

            // Example of checking against a host name. DNS names are case-insensitive,
            // so use an ordinal, case-insensitive comparison. This exact match does not
            // cover wildcard names or certificates that list several hosts in the SAN.
            string targetHost = "www.example.com";
            if (string.Equals(dnsName, targetHost, StringComparison.OrdinalIgnoreCase))
            {
                Console.WriteLine("Certificate host name matches target host.");
            }
            else
            {
                Console.WriteLine("Certificate host name does not match target host.");
            }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("An error occurred while loading or parsing the certificate: " + ex.Message);
        }
    }

    // Builds a self-signed certificate whose SAN contains the given DNS name
    // (CertificateRequest is available in .NET Core 2.0 and later).
    private static X509Certificate2 CreateDemoCertificate(string dnsName)
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest("CN=" + dnsName, key, HashAlgorithmName.SHA256);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        request.CertificateExtensions.Add(san.Build());
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                        DateTimeOffset.UtcNow.AddDays(1));
    }
}
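The example above compares only the one name that GetNameInfo returns, which is exactly the shortcut the Remarks and the Important note warn against. The following added example (not part of the original page and not .NET library code) enumerates every dNSName in the SAN extension, applies the leftmost-label wildcard rule, normalises the target host to its A-label form, and falls back to the subject CN only when the certificate has no SAN at all. It targets .NET 7 or later for X509SubjectAlternativeNameExtension; the class name CertificateHostMatcher and its methods are names chosen here, and the certificate is generated in-process as constructed input.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: host-name matching over all SAN dNSName entries.
// Hypothetical helper class; not part of the .NET API.
public static class CertificateHostMatcher
{
    private const string SubjectAltNameOid = "2.5.29.17"; // id-ce-subjectAltName

    // Every dNSName entry in the SAN extension; empty when the certificate has none.
    public static IReadOnlyList<string> GetSanDnsNames(X509Certificate2 cert)
    {
        var names = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid?.Value != SubjectAltNameOid) continue;
            // .NET 7+ already decodes SAN into X509SubjectAlternativeNameExtension;
            // re-decode from the raw DER otherwise.
            var san = ext as X509SubjectAlternativeNameExtension
                      ?? new X509SubjectAlternativeNameExtension(ext.RawData, ext.Critical);
            names.AddRange(san.EnumerateDnsNames());
        }
        return names;
    }

    // RFC 6125 style comparison of one presented identifier against the target host:
    // case-insensitive exact match, or a single leftmost "*" label that matches exactly
    // one label (never across a dot, never the whole name, never "*.tld").
    public static bool HostMatchesPattern(string host, string pattern)
    {
        host = host.TrimEnd('.').ToLowerInvariant();
        pattern = pattern.TrimEnd('.').ToLowerInvariant();
        if (host.Length == 0 || pattern.Length == 0) return false;
        if (!pattern.StartsWith("*.", StringComparison.Ordinal))
            return host == pattern;

        string suffix = pattern.Substring(1);              // "*.example.com" -> ".example.com"
        if (suffix.Contains('*')) return false;            // only one wildcard, only leftmost
        if (suffix.Count(c => c == '.') < 2) return false; // reject "*.com"
        if (!host.EndsWith(suffix, StringComparison.Ordinal)) return false;
        string leftmost = host.Substring(0, host.Length - suffix.Length);
        return leftmost.Length > 0 && !leftmost.Contains('.');
    }

    // SAN dNSName entries are authoritative. The subject CN is consulted only when the
    // certificate has no SAN extension at all and the caller explicitly allows it.
    public static bool CertificateMatchesHost(X509Certificate2 cert, string host,
                                              bool allowCommonNameFallback = false)
    {
        // Certificates carry IDNs as A-labels, so normalise the target the same way.
        string target = new IdnMapping().GetAscii(host);
        IReadOnlyList<string> sanNames = GetSanDnsNames(cert);
        if (sanNames.Count > 0)
            return sanNames.Any(name => HostMatchesPattern(target, name));
        if (!allowCommonNameFallback) return false;
        string cn = cert.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
        return !string.IsNullOrEmpty(cn) && HostMatchesPattern(target, cn);
    }

    // Self-signed certificate built in-process for the demonstration (constructed input).
    // The CN deliberately names a host that is NOT in the SAN, to show it is ignored.
    public static X509Certificate2 CreateTestCertificate(params string[] dnsNames)
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest("CN=unrelated.example", key, HashAlgorithmName.SHA256);
        var sanBuilder = new SubjectAlternativeNameBuilder();
        foreach (string name in dnsNames) sanBuilder.AddDnsName(name);
        request.CertificateExtensions.Add(sanBuilder.Build());
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                        DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        using X509Certificate2 cert = CreateTestCertificate("www.example.com", "*.api.example.com");
        Console.WriteLine("SAN dNSNames: " + string.Join(", ", GetSanDnsNames(cert)));
        // GetNameInfo exposes only the first SAN entry: "www.example.com".
        Console.WriteLine("GetNameInfo(DnsName): " + cert.GetNameInfo(X509NameType.DnsName, false));

        foreach (string host in new[] { "www.example.com", "v1.api.example.com",
                                        "a.b.api.example.com", "unrelated.example" })
        {
            Console.WriteLine($"{host,-22} -> {CertificateMatchesHost(cert, host)}");
        }
    }
}
```

Running it prints True for www.example.com and v1.api.example.com, and False for a.b.api.example.com (the wildcard may not span two labels) and for unrelated.example (the CN is ignored because a SAN extension is present). On .NET 8 and later the same decision is available as cert.MatchesHostname(host); either way, run it only after the chain has been validated, for example from inside a RemoteCertificateValidationCallback that has already checked SslPolicyErrors.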

Requirements

Namespace: System.Security.Cryptography.X509Certificates
Assembly: System.Security.Cryptography.X509Certificates.dll (.NET Core 1.0 through .NET 6), System.Security.Cryptography.dll (.NET 7 and later), System.dll (.NET Framework)

See Also