x509certificate - Certificates being renewed yearly - how to reliably find them in the cert store?


I've been tasked with adding security, by means of certificates, to an external web service call from our ASP.NET 4.0 WebForms application.

I've been able to play around with the certificate and the code works properly, but there are still a lot of questions unanswered when it comes to deployment of the solution. I'm pretty new to using (and dealing with) certificates - I understand the basic theory behind them, but have never used them myself.

The service is an external REST web service provided by a company that issues the certificates, and they expire on a yearly basis and need to be renewed yearly. "Baking" them into the ASP.NET app as an internal resource doesn't seem like a good idea.

I'm leaning towards putting them into the certificate store on the Windows 2008 server. That works fine, but what I'm not sure about is: how do I find the appropriate certificate from code? I know about the X509Certificate2 and X509Store classes - but what criteria should I search for?

What item (serial number? thumbprint?) remains the same if the cert has been renewed every year? Or do I have to update the config and store the new serial number or thumbprint every time the cert has been renewed?

If I understand correctly, you need to ensure you are communicating with the correct web service.

You are using HTTPS to connect to the REST service. Is it a WCF service or Web API? Either way the web server will handle the SSL part (hmm, if it is hosted on a web server and not self hosted). To make it easy, let's say the web service is hosted on a web server. The web server will handle establishing the SSL connection and send the server certificate.

Then you need to check if you are communicating with the correct web server. The options are:

  1. Manually update the config file with the thumbprint change every time the certificate of the web server is renewed. The serial number will also change when you renew the certificate.
  2. Check the common name in the subject, or better, whether the correct DNS name (of the web server) is in the subject alternative name (SAN = an extension in the certificate) or in the CN (when the SAN is not in the certificate).
  3. Build the certificate chain (using the X509Chain.Build method) from the web server's certificate and check if it contains the CA certificate you have embedded in the ASP.NET application, or if it matches a given thumbprint of the CA in the config.

1) - this will work, but you will have to ensure you update the config file every year.

2) - this will work nicely until you change the DNS name of the web server, which will result in a change of web.config ... but it will work. One thing to note: extracting the extension from the X509Certificate2 class using the standard .NET Framework is not easy. You need either to go down to the ASN.1 level or use a crypto library that can extract the SAN in a friendly way.

3) - this will work nicely. You can use the root CA certificate or a dedicated intermediate CA certificate. You have to ensure the web server certificate is trusted so that the certificate chain can be built; this applies to all solutions. It will work for a pretty long time because CA certificates are issued for i.e. 20-30 years.
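The following is an added example (not code from the question or the answer above) putting both halves together in C# against .NET 4.0: locating the yearly renewed client certificate in the Local Machine store by its subject name rather than by a thumbprint that changes on every renewal, and validating the web server's certificate with option 3), by building an X509Chain and checking that a pinned CA thumbprint appears among its issuers. The subject name `example-client`, the all-zero `PinnedCaThumbprint` and the URL `https://api.example.com/resource` are placeholders to replace with your own values; the example assumes the issuing CA is already trusted on the machine so that `X509Chain.Build` succeeds.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertificateHelpers
{
    // Placeholder values: the subject name of your client certificate (stable across renewals)
    // and the SHA-1 thumbprint of the CA that signs the web server's certificate.
    const string ClientCertSubjectName = "example-client";
    const string PinnedCaThumbprint = "0000000000000000000000000000000000000000";

    // Finds the client certificate by subject name instead of by thumbprint or serial number,
    // so the lookup keeps working after the yearly renewal. If the old and the new certificate
    // overlap in the store, the one with the latest expiry that is currently valid wins.
    public static X509Certificate2 FindClientCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            DateTime now = DateTime.Now;
            return store.Certificates
                // FindBySubjectName is a case-insensitive substring match on the subject,
                // hence the extra filtering below.
                .Find(X509FindType.FindBySubjectName, ClientCertSubjectName, false)
                .Cast<X509Certificate2>()
                .Where(c => c.HasPrivateKey && c.NotBefore <= now && now <= c.NotAfter)
                .OrderByDescending(c => c.NotAfter)
                .FirstOrDefault();
        }
        finally
        {
            store.Close();
        }
    }

    // RemoteCertificateValidationCallback implementing option 3): rebuild the chain ourselves
    // and accept the server only if the pinned CA is one of the issuers in that chain.
    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        // Keep the framework's host name check: a valid chain for the wrong host is still wrong.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        var serverCert = new X509Certificate2(certificate);
        var ourChain = new X509Chain();
        ourChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        ourChain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // If the CA is private and not in the Windows trust store, add it to
        // ourChain.ChainPolicy.ExtraStore and set AllowUnknownCertificateAuthority instead.
        if (!ourChain.Build(serverCert))
            return false;

        // ChainElements[0] is the server certificate itself; only issuers may satisfy the pin.
        return ourChain.ChainElements
            .Cast<X509ChainElement>()
            .Skip(1)
            .Any(e => string.Equals(e.Certificate.Thumbprint, PinnedCaThumbprint,
                                    StringComparison.OrdinalIgnoreCase));
    }

    // Calls the REST service with the client certificate and our server validation in place.
    public static HttpStatusCode CallService()
    {
        X509Certificate2 clientCert = FindClientCertificate();
        if (clientCert == null)
            throw new InvalidOperationException("No valid client certificate found in the store.");

        // .NET 4.0 has no per-request callback; this setting is process wide.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        var request = (HttpWebRequest)WebRequest.Create("https://api.example.com/resource");
        request.ClientCertificates.Add(clientCert);
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            return response.StatusCode;
        }
    }
}
```

Because the lookup keys on the subject name and the server check keys on the CA thumbprint, neither the yearly client certificate renewal nor the web server's renewal requires a web.config change; only a change of the CA (or of the service's DNS name, which the framework's name check still enforces) does.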
