Geeks With Blogs

News Awarded Microsoft MVP C#.NET - 2007, 2008 and 2009

I was born in Bangladesh and currently live in Melbourne, Australia. I am a Microsoft Certified Application Developer (MCAD) Chartered Member (C# .NET).
I am founder and Chief Executive Officer of
Simplexhub, a highly experienced software development company based in Melbourne, Australia and Dhaka, Bangladesh. Co-founder and core developer of Pageflakes.
Simplexhub is on its mission to build a smart virtual community in Bangladesh and recently launched beta an ASP.NET MVC application written in C#.NET.

Shahed Khan blog

In Scenario1 I blogged about how to get a certificate using the X509Store class, where I used something like this:

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

But after spending a bit of time with X509Store I realized it has limitations. The StoreLocation enum has only 2 options:

  • CurrentUser: The X.509 certificate store used by the current user.
  • LocalMachine: The X.509 certificate store assigned to the local machine. 

But I wanted to load a certificate from a remote LDAP server...

I googled a bit but did not find any solution that uses X509Store to load certificates from a remote machine. I then used the System.DirectoryServices namespace, with its SearchResult and DirectorySearcher classes, to do the same. All I had to do was use the DirectorySearcher, define a SearchScope and create a Filter to find the desired certificate on the remote machine. Then I imported the certificate into an X509Certificate2 using the handy Import method. The code looks like this:

// Requires: using System.Collections; using System.DirectoryServices;
// using System.Runtime.CompilerServices; using System.Security.Cryptography.X509Certificates;
public byte[] GetRecipientCertificateFromLDAPStore(string emailAddress)
{
    SearchResultCollection col;
    DirectorySearcher searcher = new DirectorySearcher();
    string[] resultsFields = new string[] { "cn", "mail", "usercertificate;binary" };
    //Pass the IPAddress and the Port of the LDAP Server.
    string[] textArray1 = new string[] { "LDAP://", "", ":", "180", "/c=blabla" };
    searcher.SearchRoot = new DirectoryEntry(string.Concat(textArray1), null, null, AuthenticationTypes.None);
    searcher.SearchScope = SearchScope.Subtree;
    searcher.Filter = string.Format("(&(cn={0})(mail={1}))", "* *", emailAddress);
    col = searcher.FindAll();

    X509Certificate2 certificate1 = new X509Certificate2();
    foreach (SearchResult result1 in col)
    {
        IEnumerator enumerator2;
        enumerator2 = result1.GetDirectoryEntry().Properties["usercertificate;binary"].GetEnumerator();
        while (enumerator2.MoveNext())
        {
            object obj1 = RuntimeHelpers.GetObjectValue(enumerator2.Current);
            //Load the raw attribute bytes with the Import method mentioned above.
            certificate1.Import((byte[])obj1);
            //Can access different Properties for example:
            return certificate1.Export(X509ContentType.Cert);
        }
    }

    return null;
}


I have seen approaches where CAPICOM has been used to import certificates from a remote machine. But that creates a dependency on COM. I wanted to stick to managed code and to use the new X509Certificate2 that ships with .NET Framework 2.0.

(Please note: if anyone knows a different, better approach, please let me know.)

Posted on Sunday, March 11, 2007 9:50 AM

Comments on this post: Get X509Certificate2 from a LDAP Server or Remote Machine

# re: Get X509Certificate2 from a LDAP Server or Remote Machine
Hi, I am facing a similar problem. I am writing my diploma thesis about secure communication and authentication and I want to get a certificate out of the store from a client machine.

At the moment I am thinking about using X509Store and X509Certificate2 in the code-behind files, but I get the error that the session is not active...whatever that means ;-)

The second way would be to write a client application in order to access the client's certificate store and to transmit the data to a server app.

What would you suggest I do?
Left by Florian Bröder on Sep 25, 2007 7:12 PM

# re: Get X509Certificate2 from a LDAP Server or Remote Machine
You saved my life, showing me the right way to get a user cert from AD. I couldn't find it.

It works fine:

X509Certificate2 cert = new X509Certificate2();
object objCert = searchResults.GetDirectoryEntry().Properties["usercertificate"].Value;

--.Net Framework 3.5

Left by Maciek on Mar 26, 2008 9:45 AM

# re: Get X509Certificate2 from a LDAP Server or Remote Machine
I have a question.
How can I validate certificate against CRL from AD?


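X509Chain chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
// NoFlag reports every chain error; AllFlags would suppress them all.
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

// Build() fills ChainStatus; cert is the X509Certificate2 being checked.
chain.Build(cert);
X509ChainStatus[] statusTab = chain.ChainStatus;

if (statusTab.Length == 0)
{
    //it's OK
}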

I think it's good, but I have a worse problem. AD doesn't refresh the CRL list and a revoked certificate is still valid in AD... any idea?
Left by Maciek on Mar 31, 2008 7:01 AM
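
The lookup in the post binds with AuthenticationTypes.None and no credentials and formats emailAddress straight into the search filter, so both the filter input and the bytes that come back need checking before the certificate is used. The following is an added example, not code from the post or its commenters: it escapes the filter value per RFC 4515 and runs the X509Chain check asked about in the last comment with Build() called and no errors suppressed. The class and method names are hypothetical, and rawValues is assumed to hold the byte[] values read from the usercertificate;binary attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example; LdapCertificateChecks and its members are hypothetical names.
public static class LdapCertificateChecks
{
    // RFC 4515: escape the characters that carry meaning inside a search filter,
    // so a caller-supplied e-mail address cannot alter the filter structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Returns the first directory value that parses and chains to a trusted root
    // with an online revocation check; returns null (reasons in problems) otherwise.
    public static X509Certificate2 SelectValidCertificate(IEnumerable<byte[]> rawValues, List<string> problems)
    {
        foreach (byte[] raw in rawValues)
        {
            X509Certificate2 cert;
            try { cert = new X509Certificate2(raw); }
            catch (CryptographicException) { problems.Add("unparseable attribute value"); continue; }

            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // AllFlags would ignore every error
            if (chain.Build(cert)) return cert; // ChainStatus is only populated by Build()
            foreach (X509ChainStatus s in chain.ChainStatus)
                problems.Add(cert.Subject + ": " + s.Status + " " + s.StatusInformation.Trim());
        }
        return null;
    }
}
```

Pass EscapeFilterValue(emailAddress) to string.Format when building the filter, and feed SelectValidCertificate the byte[] values enumerated from Properties["usercertificate;binary"]. With Online revocation and NoFlag, a CRL that cannot be retrieved fails the build instead of passing silently.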


Copyright © Shahed Khan