Update channel-credentials.md (#24051)

* Update channel-credentials.md

Adding workaround for PEM loaded client certificates on Windows.

* Fix markdown errors

* Update channel-credentials.md

Making it clear when the workaround should be applied.

* Update docs/architecture/grpc-for-wcf-developers/channel-credentials.md

Fixing after code review.

Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>

* Update docs/architecture/grpc-for-wcf-developers/channel-credentials.md

Co-authored-by: David Pine <david.pine@microsoft.com>

* Update docs/architecture/grpc-for-wcf-developers/channel-credentials.md

Co-authored-by: David Pine <david.pine@microsoft.com>

* Update docs/architecture/grpc-for-wcf-developers/channel-credentials.md

Co-authored-by: David Pine <david.pine@microsoft.com>

* Intro paras; formatting.

* Update channel-credentials.md

Co-authored-by: Andy (Steve) De George <67293991+adegeo@users.noreply.github.com>
Co-authored-by: David Pine <david.pine@microsoft.com>

Author: 3 people

docs/architecture/grpc-for-wcf-developers/channel-credentials.md

@@ -1,7 +1,7 @@
 ---
 title: Channel credentials - gRPC for WCF Developers
 description: How to implement and use gRPC channel credentials in ASP.NET Core 3.0.
-ms.date: 12/15/2020
+ms.date: 06/28/2021
 ---
 
 # Channel credentials
@@ -92,6 +92,10 @@ public class Startup
 
 With the `Grpc.Net.Client` package, you configure certificates on an <xref:System.Net.Http.HttpClient> instance that is provided to the `GrpcChannel` used for the connection.
 
+### Load a client certificate from a .PFX file
+
+A certificate can be loaded from a _.pfx_ file.
+
 ```csharp
 class Program
 {
@@ -117,6 +121,49 @@ class Program
 }
 ```
 
+### Load a client certificate from certificate and private key .PEM files
+
+A certificate can be loaded from a certificate and private key _.pem_ file.
+
+```csharp
+class Program
+{
+    static async Task Main(string[] args)
+    {
+        // Assume path to a certificate and private key .pem files are passed from command line
+        string certificatePem = File.ReadAllText(args[0]);
+        string privateKeyPem = File.ReadAllText(args[1]);
+        var cert = X509Certificate2.CreateFromPem(certificatePem, privateKeyPem);
+
+        var handler = new HttpClientHandler();
+        handler.ClientCertificates.Add(cert);
+        using HttpClient httpClient = new(handler);
+
+        var channel = GrpcChannel.ForAddress("https://localhost:5001/", new GrpcChannelOptions
+        {
+            HttpClient = httpClient
+        });
+
+        var grpc = new Greeter.GreeterClient(channel);
+        var response = await grpc.SayHelloAsync(new HelloRequest { Name = "Bob" });
+        System.Console.WriteLine(response.Message);
+    }
+}
+```
+
+> [!NOTE]
+> Due to an internal Windows bug as [documented here](https://github.com/dotnet/runtime/issues/23749#issuecomment-388231655), you'll need to apply the following a workaround if the certificate is created from certificate and private key PEM data.
+>
+> ```csharp
+> X509Certificate2 cert = X509Certificate2.CreateFromPem(certificatePem, rsaPrivateKeyPem);
+> if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+> {
+>     var originalCert = cert;
+>     cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12));
+>     originalCert.Dispose();
+> }
+> ```
+
 ## Combine ChannelCredentials and CallCredentials
 
 You can configure your server to use both certificate and token authentication. To do this, apply the certificate changes to the Kestrel server, and use the JWT bearer middleware in ASP.NET Core.