How to AuthenticateAsServer when Certificate is in HSM and privateKey is not embeded in Certificate and PrivateKey is not extractable from HSM

Question

I want to ask a qusetion according to my code, My code is as bellow: in AuthenticateAsServer I get "The server mode SSL must use a certificate with the associated private key" error cause privatekey is not in my certificate and also privatekey is not extractable from the HSM, would you please guid me what is the solution here?

     static void ProcessClient(TcpClient client)
    {
        SslStream sslClientStream = new SslStream(client.GetStream(), true, AllowAnyServerCertificate, null, EncryptionPolicy.RequireEncryption);

        try
        {
            X509Certificate2 _HsmserverCertificate = null;

            string pkcs11LibraryPath = "C:\\Program Files (x86)\\nCipher\\nfast\\toolkits\\pkcs11\\cknfast-64.dll";

            Pkcs11InteropFactories factories = new Pkcs11InteropFactories();

            using (IPkcs11Library pkcs11Library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, pkcs11LibraryPath, AppType.MultiThreaded))
            {
                ISlot slot = HelpersMethods.GetUsableSlot(pkcs11Library);

                using (Net.Pkcs11Interop.HighLevelAPI.ISession session = slot.OpenSession(SessionType.ReadWrite))
                {
                    session.Login(CKU.CKU_USER, @"1234");

                    var certificate = ReadCertificates(slot, session)[0];

                    _HsmserverCertificate = new X509Certificate2(certificate.CkaValue);
                    
                    session.Logout();
                }
            }

            sslClientStream.ReadTimeout = glb_intReciveTimeOut;
            sslClientStream.WriteTimeout = glb_intSendTimeOut;

            sslClientStream.AuthenticateAsServer(_HsmserverCertificate,
                                                 clientCertificateRequired: false,
                                                 SslProtocols.Tls12,
                                                 checkCertificateRevocation: true);
    }
}

You are NOT supposed to get the private key out of the HSM, that would completely defeat the purpose of using one in the first place. It's the HSM that is supposed to perform the operations requiring the private key. So I'd recommend to consult the documentation of your particular HSM (or provide the brand / model ?) — Irwene, Oct 25 '22 at 14:16
The server must use same certificate. Do you have server code? What certificate is being used? — jdweng, Oct 25 '22 at 14:18

score 1 · Accepted Answer · answered Oct 26 '22 at 05:40

Unwritten rule in .NET world: If you want to use an instance X509Certificate2 class in SSL connection then you cannot create it manually but you need to acquire it from X509Store.

X509Store class provides access to all certificates propagated into windows certificate store. Take a look at your device documentation for more details on how to propagate your device certificates into windows certificate store. Sometimes it is also referred to as CAPI, CSP, CNG, KSP etc. If you are unfamiliar with those terms then your best bet is to contact device vendor support.

This approach is not only .NET compatible. If you are using plain CAPI it is also works. — Alexander, Oct 28 '22 at 07:15

How to AuthenticateAsServer when Certificate is in HSM and privateKey is not embeded in Certificate and PrivateKey is not extractable from HSM

1 Answers1

Linked