Https Client Certification fails under IIS

Question

4.00/5 (1 vote)

See more:

Hello,

We are running a SOAP service application (wse 3 but also complying with WCF). Apart from being a service itself, the app also retrieves information from a third party using a HttpRequest instance with SSL.

When running that HttpRequest instance with a unit test, the third party service recognizes the given certificate and it works just fine.
However, when our SOAP service application is running in IIS, the third party does not recognize the certificate anymore:

" The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

What is different when an HttpClient is running under IIS? Does it change the requests I send using a HttpRequest?

How can I set this straight (configuration?)?

Thanks.

Posted 17-Mar-11 23:32pm

Carsten Schelp

Updated 18-Mar-11 0:40am

v4

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Carsten Schelp · Answer 1 · 2011-03-18T05:46:00

This article gave me an idea how to solve the problem.
Asp.net checks whether a server certificate's name "CN= ..." matches the server's domain name.

So if the external server's certificate does not comply to that rule a https request from a asp.net application will not trust the connection. So if you have no chance to change the external server's configuration (3rd party) you have to disable the check.

It can be switched off by passing a custom delegate to asp.net's (mainly) static ServicePointManager class.

I put that bit into a static constructor of my https connector-class:
(however that check will be switched off for any https connection in the whole application)

public class MyExternalSslServiceConnector : IMyExternalServiceConnector<br />
{<br />
	 protected string ServiceUrl { get; set; }<br />
	 public X509Certificate2 SslCertificate { get; set; }<br />
<br />
	 static MyExternalSslServiceConnector()<br />
	 {<br />
		  ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };<br />
	 }<br />
<br />
	 public MyExternalSslServiceConnector(string myExternalServiceUrl, X509Certificate2 sslCertificate)<br />
	 {<br />
		  this.ServiceUrl = myExternalServiceUrl;<br />
		  this.SslCertificate = sslCertificate;<br />
	 }<br />
	<br />
	 // further implementation using HttpRequest class [...]<br />
}

Kind regards, C.