SslCertificateTrust.CreateForX509Store(X509Store, Boolean) Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Creates a new SslCertificateTrust.
public static System.Net.Security.SslCertificateTrust CreateForX509Store (System.Security.Cryptography.X509Certificates.X509Store store, bool sendTrustInHandshake = false);
static member CreateForX509Store : System.Security.Cryptography.X509Certificates.X509Store * bool -> System.Net.Security.SslCertificateTrust
Public Shared Function CreateForX509Store (store As X509Store, Optional sendTrustInHandshake As Boolean = false) As SslCertificateTrust
Parameters
- store (X509Store)
  The store containing the trusted certificates.
- sendTrustInHandshake (Boolean)
  true for the server to send a list of trusted certificate authorities during the TLS handshake; false not to send the list.
Returns
An SslCertificateTrust that represents a trust policy built from the certificates in store.
Exceptions
sendTrustInHandshake is true and the current platform does not support sending the trusted issuers list in the handshake, or (on Windows) the store's location is not LocalMachine.
Remarks
If the sendTrustInHandshake argument is true, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. In .NET 6, the list is only sent on Windows, and it depends on the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList" registry setting being set to 1. Since .NET 7, the list is sent on Linux and macOS platforms as well.
Warning
The list of trusted CAs increases the size of the handshake message. It could also be viewed as an information leak about the system's configuration. For these reasons, we recommend setting sendTrustInHandshake to false.
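As an added example (not from this reference page or the .NET sources), the following C# builds a trust policy with CreateForX509Store from a LocalMachine store and attaches it to an SslStream server that requires client certificates, leaving sendTrustInHandshake at its default of false as the warning above recommends. The store name "ClientCaStore" and the caller-supplied server certificate are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class MtlsServer
{
    // Builds the trust policy from a LocalMachine store. The store name
    // "ClientCaStore" is assumed: it should hold only the CAs allowed to issue
    // client certificates for this service, not the whole system root set.
    // CreateForX509Store throws when sendTrustInHandshake is true and the
    // platform cannot send the list, or (on Windows) the store is not LocalMachine.
    public static SslCertificateTrust BuildTrust(bool sendTrustInHandshake = false)
    {
        var store = new X509Store("ClientCaStore", StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        return SslCertificateTrust.CreateForX509Store(store, sendTrustInHandshake);
    }

    // Server options: the trust policy travels with the server certificate
    // context; client certificates are mandatory and must validate cleanly.
    public static SslServerAuthenticationOptions BuildOptions(
        X509Certificate2 serverCert, SslCertificateTrust trust)
    {
        return new SslServerAuthenticationOptions
        {
            ServerCertificateContext = SslStreamCertificateContext.Create(
                serverCert, additionalCertificates: null, offline: false, trust: trust),
            ClientCertificateRequired = true,
            // Reject any client certificate with chain or name errors.
            RemoteCertificateValidationCallback =
                (sender, cert, chain, errors) => errors == SslPolicyErrors.None,
        };
    }

    // Accepts one loopback connection and completes the TLS handshake.
    public static async Task ServeOneAsync(X509Certificate2 serverCert, int port)
    {
        // Default sendTrustInHandshake (false): keeps the handshake small and
        // does not advertise which CAs the server trusts.
        var options = BuildOptions(serverCert, BuildTrust());
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        using TcpClient client = await listener.AcceptTcpClientAsync();
        using var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsServerAsync(options);
        Console.WriteLine($"Client authenticated: {ssl.RemoteCertificate?.Subject}");
    }
}
```

The trust list only helps the peer choose a certificate; acceptance is still decided by the validation callback, so that callback is where a mis-issued or expired client certificate is actually refused.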