Thanks Jeff. 


Taking a step back before jumping into library details, did you find any
other alternatives before deciding to have your own cert store
implementation? I ask because it seems odd (to me) that you and I would be
the first ones to face the “cross platform certificate store” problem –
surely someone else might have solved this before. Especially in the Bouncy
Castle community? That’s my (perhaps naïve) thinking. So would appreciate if
you could share your learnings on this topic (and great job on the GitHub
repo!)


Regards,

Sid


From: Jeff Stedfast [mailto:[email protected]] 
Sent: Tuesday, November 12, 2013 11:05 AM
To: Sid Shetye
Cc: Bouncy Castle Developer List
Subject: Re: [dev-crypto-csharp] Certificate store for cross platform
designs


Hi Sid,


I asked this question just last week ;-)


What I ended up doing is to use a pkcs12 file to store private certs/keys
and a file containing unencrypted certs for everything else (like CAs and
such).


If you come up with a better way, I'd appreciate if you let me know. I'm
working on a cross-platform (Windows, Mac, Linux, iOS, and Android) MIME
library with support for S/MIME and PGP, so am really interested in a
cross-platform way of managing certificates.


You can find my current cross-platform certificate management logic here:
https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/DefaultSecureMimeContext.cs#L104


and here:
https://github.com/jstedfast/MimeKit/blob/master/MimeKit/Cryptography/X509CertificateStore.cs


The first link creates 2 X509CertificateStores, one for root certificates
and one for user certs (equivalent, I suppose, of StoreName.Root and
StoreName.My). I should probably also have something equivalent to
StoreName.AddressBook, but right now they are stored in the pkcs12 file
along with the user's other personal certificates.


Hope that helps,


Jeff


On Tue, Nov 12, 2013 at 1:42 PM, Sid Shetye <[email protected]> wrote:

Hi folks,


Although we do use BC for some crypto stuff, we haven’t explored anything
beyond the standard Windows cert store for certificate storage. So at
present we use the Windows certificate store as:


    // Requires: using System.Security.Cryptography.X509Certificates;

    var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
    // validOnly = true drops expired or untrusted certificates from the result
    var certs = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
    store.Close();


We’d like to switch to something that’s more cross platform (esp Linux
compatible). What are some good design patterns for a secure, cross platform
certificate storage? We need to store RSA and EC certificates as well as
their respective private keys (if they exist in the password protected PFX).


Regards

Sid
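For readers following the thread, here is an added example (not MimeKit's code and not from either poster) of the two-file layout Jeff describes, written against the Bouncy Castle C# API: a password-protected PKCS#12 file holding a user's private keys and certificates (the StoreName.My analogue) and a separate plain PEM file of trust anchors (the StoreName.Root analogue), plus a lookup that mirrors the FindBySubjectName call in Sid's Windows snippet. It assumes Bouncy Castle C# 1.8 or later (for Pkcs12StoreBuilder and Asn1SignatureFactory); the file names, aliases, distinguished names, password and the self-signed certificates are made up for the demo.

```csharp
// Added example, not code from MimeKit or from either poster. Assumes Bouncy Castle C# 1.8+
// (Pkcs12StoreBuilder, Asn1SignatureFactory). Paths, aliases, DNs and the password are made up.
using System;
using System.Collections.Generic;
using System.IO;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

public static class TwoFileCertStore
{
    // StoreName.My analogue: private key plus its certificate chain, PBE-encrypted and MACed
    // under the supplied password inside a single PKCS#12 file.
    public static void SavePersonal(string path, string alias, AsymmetricKeyParameter privKey,
                                    X509Certificate[] chain, char[] password, SecureRandom rng)
    {
        Pkcs12Store store = new Pkcs12StoreBuilder().Build();
        X509CertificateEntry[] entries = Array.ConvertAll(chain, c => new X509CertificateEntry(c));
        store.SetKeyEntry(alias, new AsymmetricKeyEntry(privKey), entries);
        using (FileStream fs = File.Create(path))
            store.Save(fs, password, rng);
    }

    // Equivalent of X509FindType.FindBySubjectName against the PKCS#12 file: returns the first
    // key entry whose certificate carries the given CN, or null if there is none.
    public static AsymmetricKeyEntry FindKeyBySubjectCn(string path, string cn, char[] password,
                                                         out X509Certificate cert)
    {
        Pkcs12Store store = new Pkcs12StoreBuilder().Build();
        using (FileStream fs = File.OpenRead(path))
            store.Load(fs, password);   // a wrong password fails the MAC check and throws
        foreach (string alias in store.Aliases)
        {
            if (!store.IsKeyEntry(alias)) continue;
            X509Certificate c = store.GetCertificate(alias).Certificate;
            if (c.SubjectDN.GetValueList(X509Name.CN).Contains(cn)) { cert = c; return store.GetKey(alias); }
        }
        cert = null;
        return null;
    }

    // StoreName.Root analogue: trust anchors as unencrypted PEM. They are public, so encryption
    // buys nothing; what matters is that only an administrator can write this file.
    public static void SaveTrustAnchors(string path, IEnumerable<X509Certificate> anchors)
    {
        using (var w = new StreamWriter(path))
        {
            var pem = new PemWriter(w);
            foreach (X509Certificate ca in anchors) pem.WriteObject(ca);
        }
    }

    public static List<X509Certificate> LoadTrustAnchors(string path)
    {
        var anchors = new List<X509Certificate>();
        using (var r = new StreamReader(path))
        {
            var pem = new PemReader(r);
            object o;
            while ((o = pem.ReadObject()) != null)
                if (o is X509Certificate) anchors.Add((X509Certificate)o);   // skip anything else in the file
        }
        return anchors;
    }

    // Hypothetical helper: a self-signed certificate so the demo runs without a real CA.
    static X509Certificate SelfSigned(string dn, SecureRandom rng, out AsymmetricCipherKeyPair kp)
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(rng, 2048));
        kp = gen.GenerateKeyPair();
        var cg = new X509V3CertificateGenerator();
        var name = new X509Name(dn);
        cg.SetSerialNumber(new BigInteger(64, rng).Add(BigInteger.One));   // random, positive serial
        cg.SetIssuerDN(name);
        cg.SetSubjectDN(name);
        cg.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        cg.SetNotAfter(DateTime.UtcNow.AddYears(1));
        cg.SetPublicKey(kp.Public);
        return cg.Generate(new Asn1SignatureFactory("SHA256WITHRSA", kp.Private, rng));
    }

    public static void Main()
    {
        var rng = new SecureRandom();
        AsymmetricCipherKeyPair userKp, caKp;
        X509Certificate user = SelfSigned("CN=sid, O=Example", rng, out userKp);
        X509Certificate root = SelfSigned("CN=Example Root CA, O=Example", rng, out caKp);
        char[] pw = "demo-only-password".ToCharArray();   // made-up password for the demo
        SavePersonal("personal.p12", "sid", userKp.Private, new[] { user }, pw, rng);
        SaveTrustAnchors("roots.pem", new[] { root });
        X509Certificate found;
        AsymmetricKeyEntry key = FindKeyBySubjectCn("personal.p12", "sid", pw, out found);
        Array.Clear(pw, 0, pw.Length);   // scrub the password once both stores are closed
        Console.WriteLine(key != null ? "key found for " + found.SubjectDN : "no match");
        Console.WriteLine(LoadTrustAnchors("roots.pem").Count + " trust anchor(s) loaded");
    }
}
```

Two practical points this layout raises. The PKCS#12 password protects the private keys, but nothing in the format protects the unencrypted trust-anchor file, so anyone who can write roots.pem can insert a rogue CA; on Linux that means owning the file as the service account or root with mode 0644 and keeping the directory non-writable by the application. And a char[] password can be scrubbed after use as shown, whereas a .NET string cannot, so keep it out of string form where you can.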
