
In our development stage, we created a self-signed certificate, which means I have .cer and .pfx files. When we try to call the APIs, is there any method we can use to embed the above files in the HTTPS request, so that not every client has to install the certificate into its local trusted certificate store?

Is this possible? I found some APIs which seem to allow that, but I just cannot get it to succeed:

using System;
using System.Net.Http;
using System.Security;
using System.Security.Cryptography.X509Certificates;

try
{
    // Build the PFX password as a SecureString.
    var secure = new SecureString();
    foreach (char s in "password")
    {
        secure.AppendChar(s);
    }

    // WebRequestHandler lives in System.Net.Http.WebRequest.dll (.NET Framework).
    var handler = new WebRequestHandler();
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    handler.UseProxy = false;

    // Load the PFX (certificate plus private key) and present it as a client certificate.
    var certificate = new X509Certificate2(@"C:\httpstest2.pfx", secure);
    handler.ClientCertificates.Add(certificate);

    using (var httpClient = new HttpClient(handler))
    {
        httpClient.BaseAddress = new Uri("https://www.abc.com");
        var foo = httpClient.GetStringAsync("api/value").Result;
        Console.WriteLine(foo);
    }
}
catch (Exception ex)
{
    Console.WriteLine(ex);
}
  1. Do I need to use X509Certificate instead of X509Certificate2?
  2. If we purchase a real certificate from a third-party company, can we just get past the validation exception without caring about the certificate issue?
Jerry Bian

2 Answers

4

Can you just use this code to ignore any SSL errors?

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

Obviously make sure this doesn't make it to production.

SpeedOfSpin
  • NO, we'd like to avoid this; we just intend to find a real solution for the validation problem. – Jerry Bian Nov 17 '14 at 10:34
  • The perfect solution for a proof-of-concept app. Thank you! – Oliver Jun 17 '16 at 21:04
  • I can't see anything bad about using a custom validation callback if you check for your own certificate before returning true. I guess the callback can even be used to override validation by the operating system, which might be more secure because you wouldn't trust certificates by other (root) CAs installed on your machine. You might want to configure this in a more local scope: https://stackoverflow.com/a/24225737/3172599 – stb Dec 04 '17 at 09:38
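The approach stb describes (check for your own certificate before returning true, scoped to one handler rather than the process-wide ServicePointManager), as an added example that is not code from the question or either answer. It assumes .NET Framework 4.7.1+ or .NET Core, where HttpClientHandler.ServerCertificateCustomValidationCallback exists; the .cer path and URL are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedClient
{
    // Thumbprint of the self-signed certificate the team issued, read from the
    // public .cer file (the .pfx with the private key stays on the server).
    // Path is a placeholder.
    static readonly string ExpectedThumbprint =
        new X509Certificate2(@"C:\path\to\server.cer").Thumbprint;

    static bool ValidateServerCertificate(HttpRequestMessage request,
        X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Anything the OS trust store already accepts passes unchanged.
        if (errors == SslPolicyErrors.None) return true;

        // Only the chain error a self-signed cert causes is tolerated; a host
        // name mismatch or a missing certificate is still rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;

        // Accept only the exact certificate we issued, not any self-signed cert.
        return cert != null &&
            string.Equals(cert.Thumbprint, ExpectedThumbprint,
                StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        var handler = new HttpClientHandler
        {
            // Scoped to this handler only; other HTTPS calls in the process
            // keep normal validation.
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        using (var httpClient = new HttpClient(handler))
        {
            httpClient.BaseAddress = new Uri("https://www.abc.com");
            Console.WriteLine(httpClient.GetStringAsync("api/value").Result);
        }
    }
}
```

Once a CA-issued certificate replaces the self-signed one, errors will be SslPolicyErrors.None and the pinned branch is never reached, so the callback can simply be removed.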
0

Clients only need the public key in the .cer file, which is sent automatically when the HTTPS connection is established. But whether the client trusts that certificate is not a decision the server sending the cert should be allowed to make.

You can use a group policy to distribute the certificate to your clients. See http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx for more details.

MvdD