We instantiate X509Certificate2 as part of physical connection open involving SSL/TLS, but we only dispose these if any exception occurs. To be on the safe side, dispose the certificate only when the physical connection shuts down, just in case it's needed at some point by SslStream for renegotiation or similar.