SslCertificateTrust.CreateForX509Store(X509Store, Boolean) Method

Definition

Creates a new SslCertificateTrust.

public static System.Net.Security.SslCertificateTrust CreateForX509Store (System.Security.Cryptography.X509Certificates.X509Store store, bool sendTrustInHandshake = false);
static member CreateForX509Store : System.Security.Cryptography.X509Certificates.X509Store * bool -> System.Net.Security.SslCertificateTrust
Public Shared Function CreateForX509Store (store As X509Store, Optional sendTrustInHandshake As Boolean = false) As SslCertificateTrust

Parameters

store
X509Store

The store containing the trusted certificates.

sendTrustInHandshake
Boolean

true for the server to send a list of trusted certificate authorities during the TLS handshake; false not to send the list.

Returns

Represents a trust policy.

Exceptions

PlatformNotSupportedException

sendTrustInHandshake is true and the current platform does not support sending the trusted issuers list in the handshake, or (on Windows) the store's location is not LocalMachine.

Remarks

If the sendTrustInHandshake argument is true, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. In .NET 6, the list is only sent on Windows, and it depends on the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList" registry setting being set to 1. Since .NET 7, the list is sent on Linux and OSX platforms as well.

Warning

The list of trusted CAs increases the size of the handshake message. It could also be viewed as an information leak about the system's configuration. For these reasons, we recommend setting sendTrustInHandshake to false.
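The following is an added example, not code from the reference page, showing how the trust object created here is wired into a server that requires client certificates. It assumes a server certificate is already loaded by the caller, uses the LocalMachine Root store (the location the Windows check above requires), and keeps sendTrustInHandshake at false as the warning recommends; the loopback port is an arbitrary choice.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example (not from the reference page): a TLS server that requires client
// certificates and scopes its advertised trust to the LocalMachine Root store.
static class MutualTlsServer
{
    public static async Task RunAsync(X509Certificate2 serverCert)
    {
        // On Windows, CreateForX509Store throws unless the store is LocalMachine when
        // sendTrustInHandshake is true; LocalMachine is valid for either value.
        using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);

        // Keep the issuer list out of the handshake: smaller messages and no
        // disclosure of which CAs this host trusts (the page's recommendation).
        SslCertificateTrust trust =
            SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake: false);

        var options = new SslServerAuthenticationOptions
        {
            // The trust policy travels with the certificate context.
            ServerCertificateContext = SslStreamCertificateContext.Create(
                serverCert, additionalCertificates: null, offline: false, trust: trust),
            ClientCertificateRequired = true,
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            RemoteCertificateValidationCallback = ValidateClient,
        };

        var listener = new TcpListener(IPAddress.Loopback, 8443); // assumed port
        listener.Start();
        using TcpClient client = await listener.AcceptTcpClientAsync();
        using var ssl = new SslStream(client.GetStream());
        await ssl.AuthenticateAsServerAsync(options);
        Console.WriteLine($"Client presented: {ssl.RemoteCertificate?.Subject}");
    }

    // Accept only a client certificate whose chain validated without any policy error;
    // a missing certificate is rejected rather than silently allowed.
    private static bool ValidateClient(object sender, X509Certificate? cert,
                                       X509Chain? chain, SslPolicyErrors errors)
        => cert is not null && errors == SslPolicyErrors.None;
}
```

Because the issuer list is not sent, a client must pick its certificate by its own configuration; expect to see clients that rely on the server's hint fail to present one.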
