Re: SSL for dummies... how to generate X509Certificate (*.DER) files?



When you use a browser to try to access the URL you are using in your
HttpWebRequest from the same machine you are executing the code, do you get
a certificate trust warning? How was the server's certificate generated?
Do you know anything about it?

In SSL, to get an encrypted channel, it is only required that the server has
a valid certificate configured. That certificate is used to establish the
secure connection and also validates the identity of the server. However,
it is common to have issues validating the identity of the server based on
its certificate (which is probably what is happening to you).

In order to be valid (by default):
- The common name on the server's certificate must match the DNS name the
client used to access the server
- The server's cert must be within the validity period
- It must chain to a trusted root on the client

If any of those things are wrong, the server will not be trusted by default.
I recommend the browser as a way to troubleshoot this as it has a nice GUI
that shows you the problem(s). You can either fix the problems (best idea)
or write some code to ignore the problems (sometimes the only way).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"James Crosswell" <james@xxxxxxxxxxxxxx> wrote in message
news:%23XpaJf0BIHA.912@xxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,

Thanks for your reply.

Joe Kaplan wrote:
Do you need to do client certificate authentication or just do SSL server
auth? If you don't need client certificate auth, then you don't specify
a client certificate in your HttpWebRequest. Just make sure you have
your server configured for SSL.

I'm a bit vague on that point to be honest. I need to establish an SSL
connection to a remote web server. If I comment out the following lines in
the code I provided above:
X509Certificate clientcert =
X509Certificate.CreateFromCertFile(certificatePath);
req.ClientCertificates.Add(clientcert);


... then I end up getting:

System.Net.WebException : The underlying connection was closed: Could not
establish trust relationship for the SSL/TLS secure channel.
----> System.Security.Authentication.AuthenticationException : The
remote certificate is invalid according to the validation procedure.

... So it seems to be complaining about the remote certificate, not mine.


Best Regards,

James Crosswell
Microforge.net LLC
http://www.microforge.net
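The three checks listed in the reply above map directly onto the flags .NET hands to a server-certificate validation callback, which makes the callback a better troubleshooting tool than a bare "return true". The following is an added example, not code from either poster: it assumes .NET Framework 2.0 or later (HttpWebRequest and ServicePointManager), a placeholder URL, and a placeholder thumbprint constant that you would fill in only after verifying the server's certificate out of band. It reports which check failed and, if an override is unavoidable, accepts exactly one pinned certificate rather than ignoring all errors.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original thread. Assumes .NET Framework 2.0+
// (HttpWebRequest / ServicePointManager); the URL and thumbprint below are placeholders.
static class SslTrustDiagnostics
{
    // Hypothetical: SHA-1 thumbprint of the ONE server certificate you verified out of band.
    // Leave empty to refuse every certificate that fails default validation.
    const string PinnedThumbprint = "";

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true; // name, validity period and chain all checked out

        // Map the framework's error flags onto the three default checks.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            Console.Error.WriteLine("server presented no certificate");
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.Error.WriteLine("name mismatch: subject '{0}' is not the host name you requested",
                                    certificate.Subject);
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            // Chain errors cover both "outside the validity period" (NotTimeValid)
            // and "does not chain to a trusted root" (UntrustedRoot, PartialChain, ...).
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine("chain: {0} ({1})", status.Status,
                                        status.StatusInformation.Trim());
        }

        // Narrow override: accept exactly one known certificate, never a blanket "return true".
        X509Certificate2 cert2 = new X509Certificate2(certificate);
        bool pinned = PinnedThumbprint.Length > 0 &&
                      string.Equals(cert2.Thumbprint, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (pinned)
            Console.Error.WriteLine("accepting pinned certificate {0} despite {1}",
                                    cert2.Thumbprint, sslPolicyErrors);
        return pinned;
    }

    static void Main()
    {
        // In .NET Framework this callback is process-wide: it applies to every HTTPS request.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        // Placeholder URL; replace with the server you are actually troubleshooting.
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://example.invalid/");
        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("HTTP {0}", (int)resp.StatusCode);
        }
        catch (WebException ex)
        {
            // Same exception as in the post above; the diagnostics printed by the
            // callback say which of the three checks actually failed.
            Console.Error.WriteLine(ex.Message);
            if (ex.InnerException != null)
                Console.Error.WriteLine(ex.InnerException.Message);
        }
    }
}
```

Run it once with PinnedThumbprint empty to read the diagnostics; fix the server certificate if you can. If you must connect to a server whose certificate you cannot fix, fill in the thumbprint so the override is limited to that one certificate, and keep in mind that the global callback also governs every other HTTPS connection the process makes.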

