Clearly recognize a certificate in Windows certificate store

I'm developing a library which generates XML data and signs the generated XML. I've installed a PKCS#12 certificate (generated with OpenSSL from a PEM file) into the Windows certificate store.

I'm loading the certificate from C# code with:

using System.Security.Cryptography.X509Certificates;

X509Certificate2 cert = null;

// X509Store is IDisposable; the using block closes the store even if an exception is thrown
using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
    store.Open(OpenFlags.ReadOnly);

    foreach (var item in store.Certificates)
    {
        // Matches on the subject's Common Name only; several certificates can share one CN
        if (item.SubjectName.Name.Contains("CN=IDENTIFIER"))
        {
            cert = item;
            break;
        }
    }
}

In my case the CN identifier is my first name + surname. The cert comes from a third party, so I think I have no influence on the identifiers.

And here comes the question:

Is there any way to identify exactly this certificate from C#? In the future it could be possible that multiple certificates have the same X509 parameters (CN etc.).

Thank you in advance.

Asked by csteinmueller, Feb 21 '23 15:02


1 Answer

Yes, it's possible that the CN contains the same identifier (e.g. when the certificate is issued for a business entity).

Certificates are usually distinguished by one of the following combinations:

1) Issuer name (not CN, but the RDN, the complete name record with multiple fields) + certificate serial number (it's unique within one CA)
2) Issuer name + certificate hash

If you don't know the issuer name before searching for the certificate, you can present the list of found certificates to the user and, once he selects one of the certificates, store the certificate hash for future reference.

On smaller systems (an end user's computer) the number of certificates in the MY store is usually small and the chance of a hash collision is minimal. On large systems the chance is higher, and that's why the issuer name is used as well.

Answered by Eugene Mayevski 'Callback, Mar 29 '23 23:03
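The two lookup strategies the answer describes (issuer name + serial number, or a pinned certificate hash), written out as an added C# example; this is not code from the question or the answer. It assumes .NET Framework 4.6+ or .NET Core (where X509Store is IDisposable), and the issuer DN, serial number and thumbprint passed in are placeholders that the application recorded once, e.g. after the user picked the certificate from a list.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example; the identifiers passed to these methods are assumed to have been
// recorded by the application itself (see Pin below), not copied from a dialog.
static class CertLookup
{
    // Strategy 1: issuer distinguished name + serial number (unique within one CA).
    // Returns null when nothing matches; throws if the store holds duplicates,
    // because that would mean the pinned identity is no longer unambiguous.
    public static X509Certificate2 FindByIssuerAndSerial(
        string issuerDn, string serialNumberHex,
        StoreName storeName = StoreName.My,
        StoreLocation location = StoreLocation.CurrentUser)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // FindBySerialNumber expects the hex string as returned by X509Certificate2.SerialNumber.
            // validOnly: false so an expired or untrusted certificate is still found; validate separately.
            X509Certificate2Collection bySerial = store.Certificates.Find(
                X509FindType.FindBySerialNumber, serialNumberHex, validOnly: false);

            // The serial is only unique per CA, so the full issuer DN must match as well.
            var matches = bySerial.Cast<X509Certificate2>()
                .Where(c => string.Equals(c.Issuer, issuerDn, StringComparison.Ordinal))
                .ToList();

            if (matches.Count == 0) return null;
            if (matches.Count > 1)
                throw new InvalidOperationException(
                    "Issuer + serial matched more than one certificate; the store contains duplicates.");
            return matches[0];
        }
    }

    // Strategy 2: certificate hash. X509Certificate2.Thumbprint is the SHA-1 hash of the
    // DER encoding, which is what FindByThumbprint compares against.
    public static X509Certificate2 FindByThumbprint(
        string thumbprintHex,
        StoreName storeName = StoreName.My,
        StoreLocation location = StoreLocation.CurrentUser)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprintHex, validOnly: false);

            // Exactly one hit is the only acceptable outcome for a hash lookup.
            return found.Count == 1 ? found[0] : null;
        }
    }

    // Records the identifiers of a certificate the user chose, so later runs can use the
    // lookups above instead of matching on the (non-unique) CN. Issuer is stored as the
    // string this runtime produces, so the Ordinal comparison above stays consistent.
    public static (string Issuer, string Serial, string Thumbprint) Pin(X509Certificate2 cert)
        => (cert.Issuer, cert.SerialNumber, cert.Thumbprint);

    // Usage: pin once, then resolve on every subsequent run.
    //   var pinned = CertLookup.Pin(userChosenCert);
    //   var cert = CertLookup.FindByIssuerAndSerial(pinned.Issuer, pinned.Serial)
    //           ?? CertLookup.FindByThumbprint(pinned.Thumbprint);
}
```

Note that the lookups pass validOnly: false deliberately: the question is about identifying one specific certificate, and whether that certificate is currently valid for signing (not expired, chain builds, has a private key) is a separate check to run on the returned object before using it. The DN comparison is a plain string comparison, so record the issuer with cert.Issuer from the same runtime rather than pasting a DN from a certificate viewer, which may order or quote the RDN components differently.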