Use Microsoft CNG library to load key from KSP and use it to initiate two-way-ssl mutual authentication

DV 6 Reputation points
2020-11-17T16:57:49.983+00:00

I have to connect to a backend service that is secured using two-way SSL. The certificate I use for this handshake resides in an HSM. I've installed the HSM provider's KSP software.
I'm using Microsoft's CNG library to look up a certificate generated in an HSM using the code below (C#).

            // using System.Security.Cryptography;

            // CngKeyCreationParameters only applies to CngKey.Create; for an existing
            // key the provider and machine-key scope are passed to CngKey.Open, otherwise
            // the default provider is searched instead of the HSM's KSP.
            CngKey cngKey = CngKey.Open(
                "My Key Container",
                new CngProvider("My Crypto Key Storage Provider"),
                CngKeyOpenOptions.MachineKey);
            RSACng rsaKey = new RSACng(cngKey);

How do I use this CngKey/RSACng object to start the mutual authentication request?

            // using System.Net;
            var request = (HttpWebRequest)WebRequest.Create("https://host/mutual-auth-endpoint");
            // request.ClientCertificates.Add(...);  // This requires an X509Certificate2 object

The above two lines of code require an X509Certificate2 object. How do I go from a CngKey/RSACng object to an X509Certificate2 object?
Or is there a totally different approach using the CNG library?

1 answer

  1. Timon Yang-MSFT 9,571 Reputation points
    2020-11-18T05:40:15.737+00:00

    If you want to get an X509Certificate2 with RSACng, try this:

        // using System.Security.Cryptography;
        // using System.Security.Cryptography.X509Certificates;  // CopyWithPrivateKey needs .NET Framework 4.7.2 or .NET Core 2.0 and later

        // Pass the provider and machine-key scope to Open; CngKeyCreationParameters is only used by CngKey.Create.
        CngKey cngKey = CngKey.Open(
            "My Key Container",
            new CngProvider("My Crypto Key Storage Provider"),
            CngKeyOpenOptions.MachineKey);
        RSACng rsaKey = new RSACng(cngKey);

        // Load the public certificate that belongs to the HSM key (the file path is a placeholder).
        // An empty new X509Certificate2() has no public key, so CopyWithPrivateKey would throw on it.
        X509Certificate2 cert = new X509Certificate2("public-cert.cer");
        var certWithKey = cert.CopyWithPrivateKey(rsaKey);
    

    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
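A fuller version of the approach in the answer, added here as an example (it is not code from the question, the answer or Microsoft): it opens the key through the named KSP, binds it to the exported public certificate, checks that the two actually belong together, and presents the result in the handshake. The provider name, the key container name and the file `client-public.cer` are placeholders, and `CopyWithPrivateKey` requires .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
// Added example, not from the question or the answer. Assumed: the KSP is registered as
// "My Crypto Key Storage Provider", the persisted machine key is "My Key Container", and the
// matching public certificate was exported from the HSM to "client-public.cer" (placeholder path).
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class KspMutualTls
{
    // Opens the private key through the KSP and binds it to the public certificate.
    public static X509Certificate2 LoadClientCertificate(string provider, string keyName, string cerPath)
    {
        // CngKey.Open, not CngKeyCreationParameters, selects the provider for an existing key.
        CngKey cngKey = CngKey.Open(keyName, new CngProvider(provider), CngKeyOpenOptions.MachineKey);
        var rsaKey = new RSACng(cngKey);
        // Public half only; the private key never leaves the HSM.
        using (var publicCert = new X509Certificate2(cerPath))
        {
            // Exporting only the public half does not need an exportable key; compare the moduli so a
            // wrong container name fails here rather than as an opaque TLS handshake error later.
            byte[] certModulus = publicCert.GetRSAPublicKey().ExportParameters(false).Modulus;
            byte[] keyModulus = rsaKey.ExportParameters(false).Modulus;
            if (!certModulus.SequenceEqual(keyModulus))
                throw new CryptographicException("KSP key does not match the public certificate.");
            // The copy is a new certificate object carrying the key association; the original is disposed below.
            return publicCert.CopyWithPrivateKey(rsaKey);
        }
    }

    // Presents the certificate during the TLS handshake (HttpWebRequest.ClientCertificates behaves the same).
    public static async Task<string> CallMutualAuthEndpoint(X509Certificate2 clientCert, string url)
    {
        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(clientCert);
        using (var client = new HttpClient(handler))
        {
            return await client.GetStringAsync(url);
        }
    }

    static async Task Main()
    {
        var cert = LoadClientCertificate("My Crypto Key Storage Provider", "My Key Container", "client-public.cer");
        Console.WriteLine(await CallMutualAuthEndpoint(cert, "https://host/mutual-auth-endpoint"));
    }
}
```

If the backend rejects the handshake, confirm that the account running the process has been granted use of the machine key in the HSM's KSP; the modulus check above only proves the key and certificate match, not that the process may sign with it.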