Good news! It is now possible, using the Mono 2.0 profile, to use X.509 client certificates with
Why such a restriction? Because the original API was badly designed. It only accepted X509Certificate and provided no way to supply the private key associated with the (public key of the) certificate.
Then how could this work on the MS runtime? Because certificates could be part of a certificate store (even if the store wasn't exposed before fx 2.0). In this case CryptoAPI could have a link between the certificate store and the key store (if both were available simultaneously when imported). But it could fail too ;-)
What changed in 2.0? A new, more complete class, X509Certificate2, is available. This new class supports loading formats that include private keys, e.g. PKCS#12 files, which means the private key, if available, can be used for the signing operation required by client certificates in SSL/TLS.
Also the class inherits from the older X509Certificate, making it usable for
So everything is fine now? No, this still works only for 2.0, and only if you load a certificate with a private key. I.e. it won't work if you depend on CryptoAPI magic associations. Still, this allows some new scenarios to work, including (but not tested) accessing web services with client certificates.
The wiki page, UsingClientCertificatesWithXSP, has been updated with sample code. Have fun!
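The difference between a certificate loaded with its private key and one loaded without it, as an added C# example (not the wiki's sample code or Mono's own). It assumes a current .NET runtime, whose CertificateRequest class is used only to build the constructed test certificate; the `LoadClientCertificate` helper, the subject name and the password are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDemo
{
    // Load a certificate and refuse it unless the private key came with it,
    // since the TLS client handshake needs that key for its signature.
    static X509Certificate2 LoadClientCertificate(byte[] raw, string password)
    {
        var cert = new X509Certificate2(raw, password);
        if (!cert.HasPrivateKey)
            throw new CryptographicException("no private key for " + cert.Subject);
        return cert;
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate,
        // exported once as PKCS#12 (with key) and once as bare DER (no key).
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=constructed-test-client", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var selfSigned = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        const string password = "constructed-password";
        byte[] pkcs12 = selfSigned.Export(X509ContentType.Pkcs12, password);
        byte[] derOnly = selfSigned.Export(X509ContentType.Cert);

        // PKCS#12 carries the key, so the certificate is accepted.
        X509Certificate2 withKey = LoadClientCertificate(pkcs12, password);
        Console.WriteLine("PKCS#12: HasPrivateKey = " + withKey.HasPrivateKey);

        // X509Certificate2 derives from X509Certificate, so it fits the
        // older collection type that client-certificate APIs accept.
        var clientCertificates = new X509CertificateCollection();
        clientCertificates.Add(withKey);
        Console.WriteLine("certificates ready to offer: " + clientCertificates.Count);

        // The bare certificate has only the public key and is rejected.
        try { LoadClientCertificate(derOnly, null); }
        catch (CryptographicException e) { Console.WriteLine("DER only: " + e.Message); }
    }
}
```

Checking `HasPrivateKey` at load time turns a missing key into an immediate, explicit error instead of a handshake that fails later.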
Shawn Farkas has a great introduction to the new Silverlight Security Model. Shawn has long been the best voice to explain all the security stuff built into the newer .NET framework releases. I'm glad he'll continue with Silverlight!