SslCertificateTrust.CreateForX509Collection Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Creates a new SslCertificateTrust.
[System.Runtime.Versioning.UnsupportedOSPlatform("windows")]
public static System.Net.Security.SslCertificateTrust CreateForX509Collection (System.Security.Cryptography.X509Certificates.X509Certificate2Collection trustList, bool sendTrustInHandshake = false);
[<System.Runtime.Versioning.UnsupportedOSPlatform("windows")>]
static member CreateForX509Collection : System.Security.Cryptography.X509Certificates.X509Certificate2Collection * bool -> System.Net.Security.SslCertificateTrust
Public Shared Function CreateForX509Collection (trustList As X509Certificate2Collection, Optional sendTrustInHandshake As Boolean = false) As SslCertificateTrust
Parameters
- trustList
- X509Certificate2Collection
The collection containing the trusted certificates.
- sendTrustInHandshake
- Boolean
true for the server to send a list of trusted certificate authorities during the TLS handshake; false not to send the list.
Returns
Represents a trust policy.
- Attributes
Exceptions
sendTrustInHandshake is true and the current platform does not support sending trusted issuers list in handshake.
Remarks
If the sendTrustInHandshake argument is true, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. Sending the trusted issuers list is not supported for SslCertificateTrust instances created using SslCertificateTrust.CreateForX509Collection in .NET 6.
Since .NET 7, sending the trusted issuers list is supported on Linux and OSX platforms.
Warning
The list of trusted CAs increases the size of the handshake message. It could also be viewed as an information leak about the system's configuration. For these reasons, we recommend setting sendTrustInHandshake to false.
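The following is an added example, not code from this page or from the .NET project: it builds a trust list with sendTrustInHandshake left at false, as recommended above, and attaches it to a server's certificate context. The helper names, the sample certificates, the use of SslStreamCertificateContext.Create to carry the trust, and PlatformNotSupportedException as the exception type are assumptions not shown on this page.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustListExample
{
    // Constructed sample input: throwaway self-signed certificates so the example runs offline.
    static X509Certificate2 CreateSample(string subject, bool isCa)
    {
        ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    // Hypothetical helper: creates the trust policy and falls back to not sending
    // the CA list when the platform cannot send it in the handshake.
    static SslCertificateTrust BuildTrust(X509Certificate2Collection trustList, bool advertise)
    {
        // The method is annotated UnsupportedOSPlatform("windows"), so guard the call.
        if (OperatingSystem.IsWindows())
            throw new PlatformNotSupportedException("CreateForX509Collection is not supported on Windows.");
        try
        {
            return SslCertificateTrust.CreateForX509Collection(trustList, sendTrustInHandshake: advertise);
        }
        // Assumption: the exception described under Exceptions is PlatformNotSupportedException.
        catch (PlatformNotSupportedException) when (advertise)
        {
            return SslCertificateTrust.CreateForX509Collection(trustList, sendTrustInHandshake: false);
        }
    }

    static void Main()
    {
        var trustList = new X509Certificate2Collection { CreateSample("CN=Example Client CA", isCa: true) };
        // Recommended setting: keep the CA list out of the handshake.
        SslCertificateTrust trust = BuildTrust(trustList, advertise: false);

        X509Certificate2 serverCert = CreateSample("CN=localhost", isCa: false);
        var options = new SslServerAuthenticationOptions
        {
            ClientCertificateRequired = true,
            ServerCertificateContext = SslStreamCertificateContext.Create(serverCert, null, offline: true, trust: trust),
        };
        Console.WriteLine($"Trust list entries: {trustList.Count}; context set: {options.ServerCertificateContext != null}");
    }
}
```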