I need to read my auth certificate on my CPS card to establish a StartTLS channel with the server

Connection to the service from a client using standard email protocols (SMTP + StartTLS, IMAP + StartTLS) is provided by establishing a TLS channel with mutual authentication between the email client and the operator's server.

On the mail client side, establishing the TLS channel requires the use of the CPS card (SMTP and IMAP + StartTLS).

StartTLS helps ensure identification, mutual client and server authentication, and the confidentiality of exchanges.

1 Answer

Best answer

First make sure whether they are using explicit SSL/TLS or implicit SSL/TLS.

Implicit – where Mail.dll client immediately connects using secure channel,
Explicit – where Mail.dll client connects on unsecured channel first and then secures the communication by issuing STARTTLS command. This mode is sometimes called TLS.

You can find more details on SSL/TLS/STARTTLS or STLS here:

https://www.limilabs.com/blog/use-ssl-with-imap

https://www.limilabs.com/blog/ssl-vs-tls-vs-starttls-stls

All clients have an SSLConfiguration property. It can be used to specify client certificates (SSLConfiguration.ClientCertificates property).
(It can also be used to perform custom server certificate validation: ValidateServerCertificate event.)

Implicit SSL/TLS:

X509Certificate2 certificate = ...;

using (Imap imap = new Imap())
{
    imap.SSLConfiguration.ClientCertificates.Add(certificate);

    imap.ConnectSSL("imap.example.com");

    imap.UseBestLogin("user", "pass");

    // ...

    imap.Close();
}

Explicit SSL/TLS (aka STARTTLS for IMAP and SMTP protocols or STLS for POP3):

X509Certificate2 certificate = ...;

using (Imap imap = new Imap())
{
    imap.SSLConfiguration.ClientCertificates.Add(certificate);

    imap.Connect("imap.example.com");
    imap.StartTLS();

    imap.UseBestLogin("user", "pass");

    // ...

    imap.Close();
}

To read a certificate from a smart card you should use the local certificate store, e.g.:

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly); // the store must be opened before Certificates can be read
X509Certificate2Collection collection = store.Certificates;
// iterate through collection to find the certificate you need.
store.Close();

To read a certificate from disk you just need to use the appropriate certificate constructor:

X509Certificate2 certificate = new X509Certificate2("c:\\cert.pfx");
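As an added example (not code from the answer above or from Mail.dll's documentation), this combines the store lookup with the explicit STARTTLS connection and selects the smart-card certificate by its Client Authentication EKU, validity period and presence of a private key, rather than taking the first entry in the store. The Limilabs.Client.IMAP namespace is assumed from Mail.dll's usual layout; host, user and password are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Limilabs.Client.IMAP; // assumed Mail.dll IMAP namespace

public static class SmartCardImapLogin
{
    // OID of the Client Authentication extended key usage (RFC 5280 id-kp-clientAuth).
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    // Select the certificate that is actually usable for TLS client authentication:
    // clientAuth EKU, currently valid, and backed by a private key (on a CPS card the
    // key stays on the card; HasPrivateKey reports the card provider association).
    public static X509Certificate2 FindClientAuthCertificate()
    {
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);

            // validOnly:false keeps certificates whose issuing CA chain is not installed
            // locally; verifying the client chain is the server's responsibility.
            X509Certificate2Collection candidates = store.Certificates
                .Find(X509FindType.FindByApplicationPolicy, ClientAuthEku, false)
                .Find(X509FindType.FindByTimeValid, DateTime.Now, false);

            foreach (X509Certificate2 cert in candidates)
            {
                if (cert.HasPrivateKey)
                    return cert;
            }

            throw new InvalidOperationException(
                "No valid client-authentication certificate with a private key found; is the CPS card inserted?");
        }
    }

    public static void ConnectWithStartTls(string host, string user, string pass)
    {
        X509Certificate2 certificate = FindClientAuthCertificate();

        using (Imap imap = new Imap())
        {
            imap.SSLConfiguration.ClientCertificates.Add(certificate);

            imap.Connect(host);   // plain TCP first (explicit mode)
            imap.StartTLS();      // upgrade to TLS; the server now verifies our certificate
            imap.UseBestLogin(user, pass);
            // ...
            imap.Close();
        }
    }
}
```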