The most dangerous constructor in .NET – X509Certificate2

You should never instantiate an X509Certificate2 with the "new" keyword if you can avoid it; it is one of the most dangerous constructors in .NET, and if you do, you must be aware of these gotchas. Doing this wrong can mean you flood your disk with one-time-use files that are never removed.

If you load a new X509Certificate2 from a file by calling the public X509Certificate2(string fileName, SecureString password) constructor, or a similar constructor, then you will, without knowing it, create a brand new file on your disk, and this will happen every time you new it up. When you instantiate an X509Certificate2 from disk, say from a .pfx file, a new storage file of 3-4 kB will be created in one of the following places, depending on which user account/context the code runs under and, optionally, on the X509KeyStorageFlags that you can set in one of the constructors.

The Microsoft legacy CryptoAPI CSPs store private keys in the following directories:

| Key type | Directory |
| --- | --- |
| Local System private (S-1-5-18) | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-18\ |
| | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\S-1-5-18\ |
| Local Service private (S-1-5-19) | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-19\ |
| | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\S-1-5-19\ |
| Network Service private (S-1-5-20) | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\S-1-5-20\ |
| | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\S-1-5-20\ |
| Shared private (MachineKeys) | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys |
| | %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\DSS\MachineKeys |

CNG stores private keys in the following directories:

%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\SystemKeys
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys

I had a customer come to me asking why the storage on one of their servers was constantly growing, but when they used tools like WinDirStat and similar tools for scanning files on disk, they could not see where the storage was being used. After some analysis of their server, I found that their Local Service private key directory was enormous, storing ~20 million files of 4 kB, taking up 76 GB! They had built some server software that would take in SSL connections, and every time a connection was made, the .pfx certificate would be newed up, used to handle the SSL connection, and then never disposed of. This meant that every single request that came in got its own certificate file in this folder. And this had been happening for the last 5 years or so.

What is the right way to get an X509Certificate2 then?

Certificates are precious things, and they should be well protected. This is also why the X509Certificate2 constructor creates this new file and encrypts the content. But Windows already has a great solution for storing and retrieving certificates securely, and without wasting disk space, namely the Certificate Store.

Loading from the Certificate Store

    private static X509Certificate2 FindCertificateByThumbprint(string certThumbPrint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certCollection = store.Certificates;
        // Only consider certificates that are valid right now.
        X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
        // Find the certificate that matches the thumbprint.
        X509Certificate2Collection signingCertificates = currentCerts.Find(X509FindType.FindByThumbprint, certThumbPrint, false);
        store.Close();
        return signingCertificates.Count == 0 ? null : signingCertificates[0];
    }

If you really MUST load the certificate from disk, you must be absolutely certain that you use the Reset or Dispose function to remove the file. Unfortunately the Dispose functionality for X509Certificate2 was not added before .NET Framework 4.6. As of .NET Framework 4.6, this type implements the IDisposable interface. When you have finished using the type, you should dispose of it either directly or indirectly. To dispose of the type directly, call its Dispose method in a try/catch block. To dispose of it indirectly, use a language construct such as using (in C#).

    class Program
    {
        static void Main()
        {
            X509Certificate2 cert = null;
            try
            {
                // Verbatim string: a plain "C:\dev\..." literal would not compile in C#.
                cert = new X509Certificate2(@"C:\dev\mycert.pfx", "mypassword");
                // use the certificate here
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
            finally
            {
                // Dispose removes the key file again (call Reset instead on frameworks before 4.6).
                if (cert != null) cert.Dispose();
            }
        }
    }

It's too late, my disk is already filled with these files

Depending on your situation, this can be quite serious. These files exist for a reason, and there are files in these folders that cannot, under any circumstances, be deleted.
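To see the leak described above on your own machine, here is an added example (not code from the original post) that loads a .pfx repeatedly with and without disposal and counts how many files the MachineKeys folder gains each time. It assumes you run elevated (the MachineKeys folder cannot be listed otherwise) and reuses the post's placeholder path C:\dev\mycert.pfx and password "mypassword" for a test certificate.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. Counts key files written to the
// MachineKeys folder (X509KeyStorageFlags.MachineKeySet) by repeated loads.
// Assumptions: elevated process; test certificate at C:\dev\mycert.pfx with
// password "mypassword" (placeholder values taken from the post).
static class KeyFileLeakCheck
{
    // %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys, resolved without the legacy junction.
    static readonly string MachineKeys = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
        @"Microsoft\Crypto\RSA\MachineKeys");

    static int CountKeyFiles() => Directory.GetFiles(MachineKeys).Length;

    // The customer's pattern: every request news up the certificate and nobody disposes it.
    // Returns how many files the folder grew by.
    public static int LeakyLoad(string pfxPath, string password, int iterations)
    {
        int before = CountKeyFiles();
        for (int i = 0; i < iterations; i++)
        {
            var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.MachineKeySet);
            // ... cert would be handed to the SSL handling code here and then forgotten ...
        }
        return CountKeyFiles() - before;
    }

    // The fix: deterministic disposal deletes the key container together with the certificate.
    public static int DisposedLoad(string pfxPath, string password, int iterations)
    {
        int before = CountKeyFiles();
        for (int i = 0; i < iterations; i++)
        {
            using (var cert = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.MachineKeySet))
            {
                // ... use cert ...
            } // Dispose() runs here; on frameworks before 4.6 call cert.Reset() instead.
        }
        return CountKeyFiles() - before;
    }

    static void Main()
    {
        const string pfx = @"C:\dev\mycert.pfx";
        Console.WriteLine("without Dispose: +" + LeakyLoad(pfx, "mypassword", 100) + " files");
        Console.WriteLine("with using:      +" + DisposedLoad(pfx, "mypassword", 100) + " files");
    }
}
```

On .NET Framework 4.7.2 and .NET Core 2.0 or later, X509KeyStorageFlags.EphemeralKeySet avoids writing a key file at all, but SChannel-based APIs such as SslStream cannot use an ephemeral key on Windows, so for the SSL scenario in the post the using pattern is the one that applies.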