1

I am creating a self-hosted owin server inside a windows service. I have implemented an ACME client to get a certificate from Let's Encrypt (to a domain given by the service's config.). However, if the service is run on a server which already has a certificate I do not need to request a new one. How can I determine, in code, if there is a certificate installed which applies for the domain set in the service's config?

The closest thing to a solution I found was to ignore existing certificates (if any) and always request a new one. Then when a certificate is received from Let's Encrypt, I save that certificate's serial to a file. On startup I then use the saved file (if any) to look for the existing certificate from the store:

public async Task<bool> NeedNewCertificate()
{
    string certSerial = await AsyncFileHandler.ReadFileAsync(CERT_SERIAL_FILENAME);

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var certCollection = store.Certificates.Find(X509FindType.FindBySerialNumber, certSerial, true);
            foreach (var cert in certCollection)
            {
                if (cert.NotBefore <= DateTime.Now && cert.NotAfter > DateTime.Now.AddDays(30)) // Let's Encrypt certificates are valid 90 days. They recommend renewing certificates every 30 days.
                    return false;
            }
        }
    return true;
}
Joakim M. H.
  • 359
  • 4
  • 12
  • Why don't you look at all the certificates using store.Certificates and see which one you have to help you debug the code. Doing it asynchronously may be giving you issues. – jdweng Aug 23 '18 at 12:39
  • That's kinda what I'm asking here. How can I determine if any of the certificates in store.Certificates is valid for my domain? – Joakim M. H. Aug 23 '18 at 13:06
  • Try the following : string issuer = cert.Issuer; AsnEncodedData subject = cert.SubjectName; – jdweng Aug 23 '18 at 14:04

1 Answers1

1

That's a good enough way of doing it I think.

Alternatively you can do a search in the certificate store that matches the parameters that you specify: the domain that the certificate is applied to, expiry date, etc. If you find the one that is valid, then you can use it.

That is in fact most likely the definition for what you mean by "certificate is installed on the server".

The attribute you probably would like to check is "Subject", e.g. you wold like these that have "CN = mydomain.com". You can have wildcard certificates as well, so you will need to figure out what types of certificates can be installed.

Ilya Chernomordik
  • 23,987
  • 20
  • 99
  • 170