CertificateManager Class
The CertificateManager class lets application developers configure and use the library's client/server certificate trust validation logic. It allows the application to specify a client identity certificate, to configure a private trust store, and to perform trust validation of the certificates presented on every connection the application makes, under the application's own control.
Inheritance Hierarchy
System.Object
  Avaya.ClientServices.CertificateManager

Namespace: Avaya.ClientServices
Assembly: AvayaClientServices (in AvayaClientServices.dll) Version: 493.0.70.0
Syntax
C#
public class CertificateManager

The CertificateManager type exposes the following members.

Properties
  ClientIdentityCertificateChain
    Returns the certificate chain of the client identity currently in use.
  ClientIdentityPrivateKey
    Returns the private key of the client identity currently in use.
Methods
  DeleteCertificateStore
    Deletes an existing private trust store.
  DeleteClientIdentityCertificateChain
    Deletes a provisioned client identity certificate and its private key.
  Enroll
    Requests client identity certificate enrollment.
  GetCertificates
    Returns information about the certificates stored in the private trust store.
  GetClientIdentityCertificate
    Returns the provisioned client identity certificate.
  IsCertificateStoreInUse
    Returns whether the private trust store is in use.
  SetCertificates
    Creates the private trust store from the supplied trusted anchors (Root and Intermediate CA certificates).
  SetClientIdentityCertificate
    Sets the client certificate, taken from the Windows Personal certificate store, to be used during mutual authentication.
  SetClientIdentityCertificateChain
    Securely stores a client identity certificate and its private key for use during mutual authentication.
  ValidateCertificates(List<X509Certificate2>, CertificateManager.CertificateValidatorCompletionHandler)
    Performs trust validation of a certificate chain to determine whether the secure connection with the peer can be trusted.
  ValidateCertificates(List<X509Certificate2>, String, String, Int32, CertificateManager.CertificateValidatorCompletionHandler)
    Performs trust validation of a certificate chain to determine whether the secure connection with the peer can be trusted, with additional parameters for the connection being validated.
Events
  CertificateExpiryNotification
    Notifies the application of the client certificate's expiration status, reporting the number of days before expiry as calculated from the configured security policy (CertificateRenewalValue).
Remarks

Developers use the SetCertificates() method to create a private trust store. A private trust store is an application-managed certificate store that contains the Root and Intermediate CA certificates (the "trusted anchors") trusted by the application. The private trust store is used to validate the server or client certificate chain on every secure connection the application makes.

The private trust store has the following advantages over the conventional certificate stores provided by the operating system:

  • The private trust store is a sandboxed certificate store used and managed exclusively by the application.
  • The trusted anchors in the private trust store are kept separate from the trusted anchors in the system certificate store.
  • Application administrators distribute only the CA certificates that are actually needed, in a controlled way, with no risk of a rogue CA certificate being added to the private trust store by other software.
  • The application can create and delete the private trust store without touching the system certificate stores, and therefore without affecting other connection-oriented applications.

The private trust store also makes the application more secure. Consider a CA that has mis-issued certificates and later revoked them. The CA publishes certificate status information (CRLs or OCSP responses) so that an application can query it before proceeding. In practice, however, revocation checking has its own problems (the responder may be unreachable, and many clients fail open when it is), so a rogue server presenting a revoked certificate may still be trusted. With a private trust store such a case is easy to handle: the application administrator simply removes the certificate of the CA that issued the invalid certificates, after which no connection chaining to that CA can be established.
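The following is an added example, not Avaya Client Services code, of the private trust store idea described above, built on .NET's X509Chain in CustomRootTrust mode (assumes .NET 5 or later) so that only the anchors the application loaded are consulted and the operating system store is ignored. The class and method names mirror the reference above but are this example's own; the three-level test PKI (root, issuing CA, server leaf) and the "rogue" CA are constructed in memory. It also shows the scenario from the remarks: withdrawing a CA from the private store causes every chain that depends on it to be rejected.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not library code): a private trust store on top of X509Chain.
public sealed class PrivateTrustStore
{
    private readonly X509Certificate2Collection anchors = new X509Certificate2Collection();

    // Counterpart of SetCertificates(): load Root and Intermediate CA certificates.
    // Note: in .NET only the self-signed entries act as trust anchors; the others
    // only assist path building.
    public void SetCertificates(IEnumerable<X509Certificate2> trustedAnchors)
    {
        anchors.Clear();
        foreach (var a in trustedAnchors) anchors.Add(a);
    }

    // Counterpart of DeleteCertificateStore().
    public void DeleteCertificateStore() => anchors.Clear();

    // Withdraw one CA, e.g. one that issued certificates it later had to revoke.
    public bool RemoveAnchor(string thumbprint)
    {
        var found = anchors.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        foreach (var c in found) anchors.Remove(c);
        return found.Count > 0;
    }

    // Validate a peer chain (leaf first) against the private anchors only.
    public bool ValidateCertificates(IList<X509Certificate2> peerChain, string expectedHost, out string reason)
    {
        if (peerChain == null || peerChain.Count == 0) { reason = "empty chain"; return false; }
        if (anchors.Count == 0) { reason = "private trust store is empty"; return false; }

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(anchors);
        // Intermediates sent by the peer may be used for path building but are never trusted on their own.
        for (int i = 1; i < peerChain.Count; i++) chain.ChainPolicy.ExtraStore.Add(peerChain[i]);
        // Offline demo: no CRL/OCSP lookups. A deployment picks Online and decides whether a failed lookup is fatal.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(peerChain[0]))
        {
            reason = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            return false;
        }
        // X509Chain does not check the host name, so do it explicitly (first DNS SAN or CN).
        string dnsName = peerChain[0].GetNameInfo(X509NameType.DnsName, forIssuer: false);
        if (!string.Equals(dnsName, expectedHost, StringComparison.OrdinalIgnoreCase))
        {
            reason = $"host name mismatch: certificate is for '{dnsName}', expected '{expectedHost}'";
            return false;
        }
        reason = "trusted";
        return true;
    }
}

public static class Demo
{
    // Constructed test certificates; issuer == null produces a self-signed root.
    static X509Certificate2 MakeCert(string cn, X509Certificate2 issuer, bool isCa,
                                     DateTimeOffset notBefore, DateTimeOffset notAfter, string dnsName = null)
    {
        var key = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
        if (isCa)
            req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        else
        {
            var san = new SubjectAlternativeNameBuilder();
            san.AddDnsName(dnsName);
            req.CertificateExtensions.Add(san.Build());
        }
        if (issuer == null) return req.CreateSelfSigned(notBefore, notAfter);
        var serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F; // keep the serial number positive
        return req.Create(issuer, notBefore, notAfter, serial).CopyWithPrivateKey(key);
    }

    static void Report(string label, bool ok, string why) =>
        Console.WriteLine($"{label}: {(ok ? "TRUSTED" : "REJECTED")} ({why})");

    public static void Main()
    {
        var nb = DateTimeOffset.UtcNow.AddDays(-1);
        var na = nb.AddDays(366);
        var root = MakeCert("Example Private Root", null, true, nb, na);
        var issuing = MakeCert("Example Issuing CA", root, true, nb, na);
        var leaf = MakeCert("sip.example.test", issuing, false, nb, na, "sip.example.test");
        var rogueRoot = MakeCert("Some Other Root", null, true, nb, na);
        var rogueLeaf = MakeCert("sip.example.test", rogueRoot, false, nb, na, "sip.example.test");

        var store = new PrivateTrustStore();
        store.SetCertificates(new[] { root, issuing });
        Report("legitimate chain", store.ValidateCertificates(new[] { leaf, issuing }, "sip.example.test", out var why), why);
        Report("wrong host name", store.ValidateCertificates(new[] { leaf, issuing }, "other.example.test", out why), why);
        Report("CA not in private store", store.ValidateCertificates(new[] { rogueLeaf, rogueRoot }, "sip.example.test", out why), why);

        // Remarks scenario: the administrator withdraws the compromised CA from the private store.
        store.RemoveAnchor(root.Thumbprint);
        Report("after withdrawing the root", store.ValidateCertificates(new[] { leaf, issuing }, "sip.example.test", out why), why);
    }
}
```

The first call is accepted, the other three are rejected. The revocation mode is the practitioner's caveat from the remarks: X509RevocationMode.NoCheck is only acceptable here because the example runs offline; switching it to Online reintroduces exactly the soft-fail problem that the private trust store is meant to sidestep, which is why withdrawing the anchor is the more reliable control.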

This class also stores a client identity certificate, which the application presents to the server when the server requests it during TLS mutual authentication. The server trust-validates the client identity certificate; an untrusted certificate is rejected by the server, which sends a TLS alert and closes the connection.

Client applications can register a certificate status listener to be notified when the client identity certificate is about to expire. The notification serves as a reminder to the user to request a renewed certificate for the application. The notification period is configured through SecurityPolicyConfiguration.
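The next block is an added example, not Avaya Client Services code, of what the two preceding paragraphs describe: choosing a client identity from the Windows Personal ("My") store, checking that it is actually usable for TLS client authentication, and raising an expiry reminder once the remaining lifetime drops below a renewal threshold. The renewal threshold and all function names are this example's assumptions; the sample certificate is constructed in memory so the code runs without a provisioned store.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not library code): client identity selection and expiry reminder.
public static class ClientIdentity
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Usable for TLS client auth only if the private key is present, the certificate is
    // within its validity period, and the EKU (if any) permits client authentication.
    public static bool IsUsableClientIdentity(X509Certificate2 cert, DateTime now)
    {
        if (!cert.HasPrivateKey) return false;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null) return true; // no EKU: most TLS stacks accept any purpose
        return eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthOid);
    }

    // Select by thumbprint; null when absent or unusable.
    public static X509Certificate2 Select(X509Certificate2Collection candidates, string thumbprint, DateTime now)
    {
        var match = candidates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return match.Cast<X509Certificate2>().FirstOrDefault(c => IsUsableClientIdentity(c, now));
    }

    // Days left before expiry once inside the renewal window, otherwise null.
    public static int? DaysUntilExpiryIfDue(X509Certificate2 cert, DateTime now, int renewalDays)
    {
        int daysLeft = (int)Math.Floor((cert.NotAfter - now).TotalDays);
        return daysLeft <= renewalDays ? daysLeft : (int?)null;
    }

    // The CurrentUser Personal store that SetClientIdentityCertificate reads from.
    public static X509Certificate2Collection LoadPersonalStore()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        return new X509Certificate2Collection(store.Certificates);
    }

    public static void Main()
    {
        // Constructed sample: a self-signed client certificate that expires in 20 days.
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=alice@example.test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(ClientAuthOid) }, false));
        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-10), DateTimeOffset.UtcNow.AddDays(20));

        // Replace with LoadPersonalStore() to select from the real Windows Personal store.
        var candidates = new X509Certificate2Collection { cert };
        var chosen = Select(candidates, cert.Thumbprint, DateTime.Now);
        Console.WriteLine(chosen == null ? "no usable client identity" : $"using {chosen.Subject}");

        const int renewalDays = 30; // assumed policy value, in the spirit of CertificateRenewalValue
        int? due = chosen == null ? null : DaysUntilExpiryIfDue(chosen, DateTime.Now, renewalDays);
        if (due != null) Console.WriteLine($"client certificate expires in {due} days; request renewal");
    }
}
```

With the constructed certificate the selection succeeds and the reminder fires at 19 or 20 days remaining, depending on the time of day the program runs. Checking HasPrivateKey before selection matters in practice: a certificate imported without its key sits in the Personal store looking valid but cannot complete the TLS CertificateVerify step, and the failure only shows up as the server's alert.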

Applications that have been using the default certificate trust validation logic can now delegate trust validation to this class. The certificate validation methods of this class can use either the private trust store or the system trust store. Certain aspects of their behavior can also be pre-configured for the application's deployment scenario via SecurityPolicyConfiguration.

See Also