How to set Keys of X509Certificate2 to a custom implementation

[Danielku15]

What is by today with .net 6 the recommended way of setting a custom Public/Private Key implementation in a X509Certificate2 instance?

The problem is that most of the libraries and integrations in the market rely on .PrivateKey or .GetRSAPrivateKey() access on the certificate itself and often do not offer a way of passing on the private key separately.

Due to all the workarounds in the X509Certificate2 API (not having a raw PrivateKey property but relying on the extension methods) it got impossible now to supply a custom PublicKey and PrivateKey instances to a custom implementation. X509Certificate2 is the quasi-standard interface used for most libraries.

I want to provide custom implementations for the Public/PrivateKey to leverage cloud services like Azure KeyVault for signing.

For now I'm planning to generate in-memory a custom ICertificatePalCore implementation and set it through reflection tricky. This is of course very hacky and prone to errors.

Were there maybe in the past already discussions in this regards? Are there plans to support a .Set###PrivateKey() extension to support usecases where the cryptographic operations are not handled by the platform specific implementation?

References

• https://github.com/novotnyllc/RSAKeyVaultProvider
• https://github.com/dotnet/msbuild/blob/44ad46fed8c5f7e5800e93f61f265b2efaa8ea5e/src/Tasks/ManifestUtil/SecurityUtil.cs#L672

[bartonjs]

• SslStream (and anything built on it, like HttpClient) only works when the private key is provided by the same system that produces the certificates, so if we were to design a model to let external private keys be carried along with the certificate we'd need to figure out a way to signal that to SslStream so it could fail.
• Our certificate objects are (largely) immutable, so there'd never be a setter like this on them. At best, it'd be an overload series of CopyWithPrivateKey that didn't force a platform-compatible conversion (via export/import).
• Even in .NET Framework, where the PrivateKey property was settable, the PrivateKey property only accepted RSACryptoServiceProvider/DSACryptoServiceProvider -- the crypto components from the Windows OS.
• The GetWhateverPrivateKey methods return new instances on each call, so really they'd need something like "CopyWithPrivateKeyFactory", and that factory would need to provide a new instance every time.

Were there maybe in the past already discussions in this regards?

Slightly, but they didn't go very far: #22856.

Are there plans to support ... use cases where the cryptographic operations are not handled by the platform specific implementation?

Not at this time, no.