Using certificates for the managed .NET client

For client certificates, the IBM® MQ managed .NET client accesses the Windows or the Linux® keystore and loads all of the client's certificates that are matched either by certificate label or matched by the string.

When selecting a certificate to use, the IBM MQ managed .NET client always uses the first matching certificate for the SSLStream TLS handshake.
[MQ 9.4.4 Oct 2025] Note: From IBM MQ 9.4.4, you can use a custom path to the keystore on the file system where you create and keep the TLS certificates. With this custom path, the certificates can be retrieved and used for the TLS handshake when the application runs. You can also securely encrypt the password for the TLS certificate before passing it to the .NET client application. For more information, see Custom path for certificates in .NET for TLS connectivity using plain text or encrypted passwords.

Matching certificates by certificate label

If you set the certificate label, the IBM MQ managed .NET client searches the Windows or the Linux certificate store with the given label name to identify the client certificate. It loads all matching certificates and uses the first certificate on the list. There are two options for setting the certificate label:
  • The certificate label can be set on the MQEnvironment class by accessing MQEnvironment.CertificateLabel.
  • The certificate label can also be set in a hash table of properties, supplied as an input parameter to the MQQueueManager constructor, as shown in the following example.
    Hashtable properties = new Hashtable();
    properties.Add("CertificateLabel", "mycert");
    
    The name ("CertificateLabel") and the value are case-sensitive.

Matching certificates by string

If the certificate label is not set, the client searches for and uses the certificate that matches the string "ibmwebspheremq" and the name of the currently logged-on user (in lowercase).
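
Because the client always uses the first matching certificate, a duplicate or expired entry under the same label can be picked up without any error from the lookup itself. The following check is an added example, not IBM code, that reports which certificate a first-match lookup would select for a label and warns when that choice is ambiguous or unusable. It assumes that the label is compared with the certificate's friendly name and that the certificates are in the current user's personal store on Windows; neither assumption is stated on this page, and the names CertLabelAudit and Audit are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example. Assumptions: the label is matched against FriendlyName, and
// the store is CurrentUser\My. Adjust both to match your deployment.
static class CertLabelAudit
{
    // Returns warnings for a label, given the certificates in store order.
    public static List<string> Audit(string label, IList<X509Certificate2> certs, DateTime now)
    {
        var warnings = new List<string>();
        // Ordinal comparison: the page states that the label value is case sensitive.
        var matches = certs.Where(c => string.Equals(c.FriendlyName, label, StringComparison.Ordinal)).ToList();
        if (matches.Count == 0)
        {
            // A label that differs only by case is a common reason for no match.
            int nearMisses = certs.Count(c => string.Equals(c.FriendlyName, label, StringComparison.OrdinalIgnoreCase));
            warnings.Add($"no certificate matches '{label}' ({nearMisses} differ only by case)");
            return warnings;
        }
        // More than one match is ambiguous whatever order the store returns them in.
        if (matches.Count > 1)
            warnings.Add($"{matches.Count} certificates match '{label}'; only the first is used");
        var first = matches[0];
        if (!first.HasPrivateKey)
            warnings.Add($"first match {first.Thumbprint} has no private key");
        if (now < first.NotBefore || now > first.NotAfter)
            warnings.Add($"first match {first.Thumbprint} is outside its validity period (expires {first.NotAfter:u})");
        return warnings;
    }

    static void Main(string[] args)
    {
        // "mycert" is the sample label used on this page.
        string label = args.Length > 0 ? args[0] : "mycert";
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var certs = store.Certificates.Cast<X509Certificate2>().ToList();
        var warnings = Audit(label, certs, DateTime.Now);
        foreach (var w in warnings) Console.WriteLine("WARNING: " + w);
        if (warnings.Count == 0) Console.WriteLine($"OK: exactly one usable certificate matches '{label}'");
    }
}
```

Run it as the same user account that runs the MQ client application, so that the store it inspects is the one the client would read.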