Thomas,

I have found the problem, I have a workaround, but not a real solution :-(.

The problem is that the .NET client somehow does not trust the root certificate that is sent from the Axis server (status code 0x800B0109) - even though I have installed it using IE and IE trusts it!

The workaround is to override the default CertificatePolicy with my own which blindly trusts any certificate.

using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

namespace DonutStore
{
    public enum CertificateProblem : long {
        CertEXPIRED               = 0x800B0101,
        CertVALIDITYPERIODNESTING = 0x800B0102,
        CertROLE                  = 0x800B0103,
        CertPATHLENCONST          = 0x800B0104,
        CertCRITICAL              = 0x800B0105,
        CertPURPOSE               = 0x800B0106,
        CertISSUERCHAINING        = 0x800B0107,
        CertMALFORMED             = 0x800B0108,
        CertUNTRUSTEDROOT         = 0x800B0109,
        CertCHAINING              = 0x800B010A,
        CertREVOKED               = 0x800B010C,
        CertUNTRUSTEDTESTROOT     = 0x800B010D,
        CertREVOCATION_FAILURE    = 0x800B010E,
        CertCN_NO_MATCH           = 0x800B010F,
        CertWRONG_USAGE           = 0x800B0110,
        CertUNTRUSTEDCA           = 0x800B0112
    }

    public class MyCertificateValidation : ICertificatePolicy {
        // Accepts every certificate, whatever problem code is reported.
        public bool CheckValidationResult(ServicePoint servicePoint, X509Certificate certificate,
                                          WebRequest request, int problem)
        {
            return true;
        }
    }
}

Now to override the default CertificatePolicy do this:

ServicePointManager.CertificatePolicy = new MyCertificateValidation();

If you have any thoughts as to why .NET does not trust my root certificate, please let me know.

Thanks.
Naresh
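
Added example, not part of the original messages: a narrower policy than the blanket "return true" above, written against the same ICertificatePolicy interface. It tolerates the untrusted-root problem (0x800B0109) only for one pinned server certificate and rejects every other problem code; the class name PinnedCertificatePolicy and the all-zero thumbprint are placeholders assumed here.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

namespace DonutStore
{
    // Added example: tolerate only the untrusted-root error, and only for
    // one pinned server certificate. Every other problem code is rejected.
    public class PinnedCertificatePolicy : ICertificatePolicy
    {
        // 0x800B0109 (untrusted root) as the signed int the callback receives.
        private const int UntrustedRoot = unchecked((int)0x800B0109);

        private readonly string pinnedHash;

        public PinnedCertificatePolicy(string pinnedSha1Hex)
        {
            if (pinnedSha1Hex == null || pinnedSha1Hex.Length != 40)
                throw new ArgumentException("expected 40 hex characters", "pinnedSha1Hex");
            pinnedHash = pinnedSha1Hex;
        }

        public bool CheckValidationResult(ServicePoint servicePoint,
            X509Certificate certificate, WebRequest request, int problem)
        {
            if (problem == 0)
                return true;    // platform validation succeeded
            if (problem != UntrustedRoot || certificate == null)
                return false;   // expired, revoked, name mismatch, ...
            // Untrusted root: accept only the exact certificate that was pinned.
            return string.Compare(certificate.GetCertHashString(),
                                  pinnedHash, true) == 0;
        }
    }

    public class Program
    {
        public static void Main()
        {
            // Placeholder, not a real value: substitute the SHA-1 thumbprint
            // of the server certificate (server.cer in this thread).
            string pinned = "0000000000000000000000000000000000000000";
            ServicePointManager.CertificatePolicy = new PinnedCertificatePolicy(pinned);
        }
    }
}
```

From .NET 2.0 on, ICertificatePolicy is marked obsolete in favour of ServicePointManager.ServerCertificateValidationCallback; the same pin-and-reject logic carries over to that callback.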

The IE certificate database is actually not IE specific. It is shared with any other Microsoft application, including .NET ones. So it should work.

Here is an extract of a readme file from a sample I wrote some time ago:

If HTTPS is enabled (see How do I make HTTPS work?), you can run the secure version of the .NET application. In order to do that, you need to install the server certificate so the HTTPS handshake can be successful. With the Axis Java client, the server certificate was imported in a keystore used by the client program. For a .NET application, you need to install this certificate in the Trusted Root Certification Authorities of your Windows machine. You are supposed to be able to store it in your personal certificate storage as well, but I did not manage to make it work that way.

Using Explorer, go in the keystores folder. You should find a file called server.cer (if not, you need first to perform all the steps described in How do I make HTTPS work?). Double click on this file. It should open a dialog box giving you the details of the certificate (I do not know if you need anything special installed on your machine in order to do that, but I do not think so). On the General pane, there is an Install Certificate button. Click on it. It should start the Certificate Import Wizard. Click Next. Automatically select the certificate store should work and the Trusted Root Certification Authorities is picked. Click Next then Finish then Yes on any confirmation popups. You can remove or check the installed certificate from Internet Explorer, Tools menu, Internet Options, Content tab, Certificates button, Trusted Root Certification Authorities tab. The installed certificate is called localhost (check the genkey target in the build.xml file to understand why localhost).

Thomas

Hi,

I have an Axis server running on an SSL port. Axis clients can successfully connect to it. However C# clients give me the following error:

Could not establish trust relationship with remote server

What do I have to do to make the C# client accept the certificate supplied by the Axis server? I have imported the server certificate as well as the associated CA certificate into IE which now trusts the Axis server. Is there an equivalent process for .NET web applications?

Any help will be much appreciated.

Thanks.
Naresh Bhatia