Friday, August 1, 2008

The remote certificate is invalid according to the validation procedure

I'm calling an ASP.NET web service from an ASP.NET web application. The two applications are on different servers. The web service requires SSL and presents the application with a self-signed certificate. Since this is an internal app, I want the client application to trust the web service and its self-signed cert.

There are lots of suggestions on how to handle this in code by supplying a callback delegate that accepts every server certificate, regardless of origin:

    // Accepts every server certificate: no chain, name or expiry check at all.
    ServicePointManager.ServerCertificateValidationCallback =
        delegate(object sender, X509Certificate certificate, X509Chain chain,
                 SslPolicyErrors sslPolicyErrors) { return true; };

I don't want to do this, though, because this same code will be rolled out to production and it seems sloppy to me to allow all certificates to validate carte blanche.
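If the callback route is taken anyway, the safer form is to accept exactly one known certificate rather than all of them. The following is an added example, not code from the original post: it keeps the default validation result for well-formed chains, tolerates only the "untrusted root" chain error, and then requires the presented certificate's SHA-1 thumbprint to match a pinned value. The `PinnedThumbprint` constant is a placeholder to be replaced with the thumbprint of your own internal certificate, and the `PinnedCertificateValidation` class name is my own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificateValidation
{
    // Placeholder: SHA-1 thumbprint of the internal web service's self-signed
    // certificate, as shown in the Certificates MMC snap-in (hex, no spaces).
    const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal case: the certificate chains to a trusted root and the host
        // name matches, so the framework's own verdict stands.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // No certificate presented at all is never acceptable.
        if (certificate == null)
            return false;

        // Only tolerate chain errors (e.g. a self-signed root the machine does
        // not trust). A host-name mismatch or missing certificate still fails.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // GetCertHashString() returns the SHA-1 thumbprint as upper-case hex;
        // compare case-insensitively so a value pasted from MMC works as-is.
        string presented = certificate.GetCertHashString();
        return string.Equals(presented, PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Call once at start-up (e.g. Application_Start in Global.asax).
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Two caveats worth knowing before using this: the callback on `ServicePointManager` is process-wide, so it applies to every outbound HTTPS call the application makes, and the pinned thumbprint must be updated whenever the internal certificate is renewed, or calls will start failing at that moment.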

So, I set out to download the internal SSL certificate and install it in the client computer's Trusted Root Certification Authorities cache. That still doesn't work!

Thanks to Ferry Onderwater's entry at http://www.arcencus.nl/Blogs/tabid/105/EntryID/39/Default.aspx, I see now where I went astray. By default, the Certificate snap-in installs certificates for the current user only. I needed all users to trust the certificate.

Solution:
  • Start a new MMC.
  • File --> Add/Remove Snap-In...
  • Click Add...
  • Choose Certificates and click Add.
  • Check the "Computer Account" radio button. Click Next.
  • Choose the client computer in the next screen. Click Finish.
  • Click Close.
  • Click OK.
  • NOW install the certificate into the Trusted Root Certification Authorities certificate store. This will allow all users to trust the certificate.
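Because an ASP.NET application runs under a worker process account rather than the logged-on user, a certificate imported into the current user's store is invisible to it; the check below makes that difference observable. It is an added example, not code from the original post: it searches the Trusted Root Certification Authorities store in both the CurrentUser and LocalMachine locations for a given thumbprint and reports where the certificate was found. The `TrustedRootCheck` class name and the placeholder thumbprint are my own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class TrustedRootCheck
{
    // True if a certificate with this SHA-1 thumbprint sits in the Trusted Root
    // Certification Authorities store of the given location.
    public static bool IsInRootStore(string thumbprint, StoreLocation location)
    {
        var store = new X509Store(StoreName.Root, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: we want to see the certificate even if the
            // store considers it untrusted or expired.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return matches.Count > 0;
        }
        finally
        {
            store.Close();
        }
    }

    // Prints which store(s) hold the certificate and flags the common mistake
    // described above: installed for the current user only.
    public static void Report(string thumbprint)
    {
        bool user = IsInRootStore(thumbprint, StoreLocation.CurrentUser);
        bool machine = IsInRootStore(thumbprint, StoreLocation.LocalMachine);

        Console.WriteLine("CurrentUser\\Root:  " + (user ? "present" : "missing"));
        Console.WriteLine("LocalMachine\\Root: " + (machine ? "present" : "missing"));

        if (user && !machine)
            Console.WriteLine("Installed for the current user only; the ASP.NET " +
                              "worker process account will not trust it.");
        else if (!user && !machine)
            Console.WriteLine("Not installed in either Trusted Root store.");
    }

    static void Main(string[] args)
    {
        // Placeholder thumbprint; pass the real one as the first argument.
        string thumbprint = args.Length > 0
            ? args[0]
            : "0000000000000000000000000000000000000000";
        Report(thumbprint);
    }
}
```

Run it on the client machine after completing the steps above; the expected result is "present" for LocalMachine\Root. Note that reading the LocalMachine store needs no elevation, but writing to it (the final step in the list) does.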

10 comments:

Anonymous said...

Hi,
thank you. This saved my day.

I had this error message on our SharePoint Server 2007 on the Indexing Server

Best regards
Patrick Lamber
-------------------------------------
http://patricklamber.blogspot.com (SharePoint, ASP.NET, PowerShell)

Joao Vieira said...

Thanks!

wasim said...

I am still facing the same issue even though I have my self-signed certificate available in the local computer and local user stores, but I am still getting the same error. Any resolution?

Unknown said...

Cheers Awesome

Unknown said...

Hello,

The mail client I'm using was not working with SSL/TLS in the system account.
This article solved my problem.

Thanks a lot.

oswaldo said...

Thanks man.

Now it works fine.

otro13 said...

For those who still experience problems:
In my case I used a certificate for a local web site.
To solve the validation issue it was required to create a mapping in "C:\System32\drivers\etc\host" for localhost (127.0.0.1).
Then use the certificate name in the web URL: instead of https://localhost:413/.... use https://CertificateName:413/....

TristanV said...

Thanks Dave, that worked for me!

weian said...

Thanks