Friday, August 1, 2008

The remote certificate is invalid according to the validation procedure

I'm calling an ASP.NET web service from an ASP.NET web application. The two applications are on different servers. The web service requires SSL and presents the application with a self-signed certificate. Since this is an internal app, I want the client application to trust the web service and its self-signed cert.

There are lots of suggestions on how to do this in your code by coding a delegate method to accept all server certificates regardless of origin:

ServicePointManager.ServerCertificateValidationCallback =
delegate(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; };
I don't want to do this, though, because this same code will be rolled out to production and it seems sloppy to me to allow all certificates to validate carte blanche.

So, I set out to download the internal SSL certificate and install it in the client computer's Trusted Root Certification Authorities cache. That still doesn't work!

Thanks to Ferry Onderwater's entry at http://www.arcencus.nl/Blogs/tabid/105/EntryID/39/Default.aspx, I see now where I went astray. By default, the Certificate snap-in installs certificates for the current user only. I needed all users to trust the certificate.

Solution:
  • Start a new MMC.
  • File --> Add/Remove Snap-In...
  • Click Add...
  • Choose Certificates and click Add.
  • Check the "Computer Account" radio button. Click Next.
  • Choose the client computer in the next screen. Click Finish.
  • Click Close.
  • Click OK.
  • NOW install the certificate into the Trusted Root Certification Authorities certificate store. This will allow all users to trust the certificate.