
I am trying to connect to a localhost REST server using the PowerShell `Invoke-RestMethod` cmdlet as follows:

```powershell
Invoke-RestMethod -Uri "https://localhost:port/xxx/xxx/" -CertificateThumbprint "thumbprint of my client certificate"
```

Whenever I run this command I always get this error:

```
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
```

I have the necessary server certificate and client certificate installed. The PowerShell client certificate is installed in the CurrentUser store. The certification authority cert is also added to the "Trusted root certification authority".

Can someone please explain why this error occurs? I am not looking for tricks to ignore cert errors, I am trying to understand what's wrong with PowerShell. If I use IE, then it works just fine.

Thanks.

briantist
jaakash
  • Does the site require the user to sign-in? If so, look at sample #1 on Invoke-WebRequest. I know, different command but Invoke-RestMethod sports the same -WebSession and -SessionVariable parameters. – Keith Hill Jul 01 '15 at 16:14
  • @KeithHill - no there is no sign-in requirement. It exposes a simple REST API of type GET. – jaakash Jul 01 '15 at 17:54
  • Is this a local user account or a domain account? Note on the [technet page for `Invoke-RestMethod`](https://technet.microsoft.com/en-us/library/hh849971.aspx) that `Certificates are used in client certificate-based authentication. They can be mapped only to local user accounts; they do not work with domain accounts.`. – briantist Jul 01 '15 at 17:58
  • @briantist - local user account. I have installed the client certificate in the Current user cert store. Also verified using `Get-ChildItem -Path cert:\currentuser\my` that I can reach it fine. – jaakash Jul 01 '15 at 18:12
  • Does the SubjectName of the cert match the hostname to which you are connecting? (reference, the second answer on http://stackoverflow.com/questions/11266674/self-signed-cert-the-underlying-connection-was-closed-could-not-establish-trus?rq=1) – Eris Jul 02 '15 at 03:44
  • @Eris - that's a very good point. That might be the issue. The certificate that I am using is issued to a service (application). The SubjectName doesn't have the hostname in it. To validate this theory I attempted to connect to it using Firefox and it did give me an "ssl_error_bad_cert_domain" error. Not sure how this type of certificate is supposed to be used. – jaakash Jul 02 '15 at 19:14
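
To tell a host name mismatch (the cause suggested in the comments above) apart from a chain-trust problem, the following added example, which is not part of the original thread, performs only the TLS handshake and reports the `SslPolicyErrors` that .NET computed, together with the server certificate's subject and SAN entries. The function name `Test-TlsServerCertificate`, the port `8443` and the choice of TLS 1.2 are assumptions.

```powershell
# Added diagnostic example: inspects the handshake only, no HTTP request is sent.
function Test-TlsServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name exactly as written in the URI
        [Parameter(Mandatory)] [int]    $Port,
        [string] $ClientThumbprint                   # optional, looked up in CurrentUser\My
    )
    $seen = @{ Errors = $null }
    # Record what .NET's own validation concluded, then let the handshake finish
    # so the certificate can be read. The stream is disposed immediately afterwards.
    $block = {
        param($s, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $true
    }.GetNewClosure()
    $validate = [System.Net.Security.RemoteCertificateValidationCallback] $block

    $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($ClientThumbprint) {
        [void] $clientCerts.Add((Get-Item "Cert:\CurrentUser\My\$ClientThumbprint"))
    }

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($tcp.GetStream(), $false, $validate)
        # TLS 1.2 is an assumption; adjust to what the server accepts.
        $ssl.AuthenticateAsClient($HostName, $clientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        [pscustomobject]@{
            RequestedHost   = $HostName
            Subject         = $cert.Subject
            SubjectAltNames = if ($san) { $san.Format($false) } else { '(none)' }
            Issuer          = $cert.Issuer
            # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, or a combination
            PolicyErrors    = $seen.Errors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-TlsServerCertificate -HostName 'localhost' -Port 8443   # 8443 is a placeholder port
```

A `PolicyErrors` value containing `RemoteCertificateNameMismatch` means the name in the URI is not covered by the certificate's subject or SAN entries, while `RemoteCertificateChainErrors` points at the issuing CA not being trusted by the account running the command.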

0 Answers