Background

I have a .NET console application client that consumes a Java RESTful Service with TLS Client Authentication enabled (aka Mutual Authentication).

It should be the reverse of this SSL Socket between .Net and Java with client authentication

Problem

  1. I am always getting this error: Could not establish trust relationship for the SSL/TLS secure channel

  2. I have no idea how to configure this correctly both on the client and server.

Steps Performed

  1. The .NET console application is already including the CA, intermediate, and server certificates but the same error is being thrown.

  2. I provided the server a Certificate Signing Request (CSR).

  3. The server signed and provided a signed certificate back to me. The signed certificate is being included in the communications between the client and the server. However, the same error is being thrown.

Can anyone enlighten me on how to get a successful handshake?

  • Have you tried a self-signed one before? – Fildor Jan 19 '16 at 10:03
  • Yes, but in this case we're using certificates purchased from a trusted CA. – setzamora Jan 19 '16 at 10:04
  • I was just asking to be sure that the issue is not something else than the certificate. – Fildor Jan 19 '16 at 10:05
  • Can you call that REST service from a browser? – user1516873 Jan 19 '16 at 10:07
  • Unfortunately no, it's showing an SSL error as well when doing an HTTP GET using a browser on the same machine where the .NET client is. – setzamora Jan 19 '16 at 10:07
  • What exact error do you get in the browser? `when transacting on the same machine` What about a different machine? Some old WinXP machines have an outdated CA list; the handshake may get stuck even on server certificate validation. If you have openssl installed, it may help (the openssl s_client command with its debug option is very useful). – user1516873 Jan 19 '16 at 10:16
  • I get the same error when trying it out on another machine. The client machine is a regularly patched Windows Server 2008 R2. TLS 1.2 is the minimum, TLS 1 and below have been disabled. – setzamora Jan 19 '16 at 10:20
  • We will try a self-signed certificate and update this thread. – setzamora Jan 19 '16 at 14:38

1 Answer

This has been resolved.

Here are the steps:

  1. Create a Certificate Signing Request (CSR).
  2. Have the CSR signed by the server.
  3. Get the signed certificate.
  4. Include the signed certificate in the HTTP request.
  5. Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.

Troubleshooting steps in order (do not skip if a certain step is not successful):

  1. Test with HTTP
  2. Test with HTTPS (one-way authentication)
  3. Test with HTTPS (mutual authentication)
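The client side of the steps above, as an added example that is not code from the question or the answer: a .NET Framework console client that enforces TLS 1.2, presents the CA-signed client certificate (step 4), and, instead of blindly accepting the server certificate, logs why chain validation failed so that step 5 (trusting the CA in the machine's Root store) can be verified. The service URL, PFX path and PFX password are placeholders.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the question or the answer. ServiceUrl, ClientPfxPath
// and ClientPfxPassword are placeholders to be replaced with real values.
class MutualTlsClient
{
    const string ServiceUrl = "https://SERVICE_HOST/api/resource"; // placeholder
    const string ClientPfxPath = @"C:\certs\client.pfx";           // placeholder
    const string ClientPfxPassword = "PFX_PASSWORD";                // placeholder

    static void Main()
    {
        // The server only accepts TLS 1.2, so do not let .NET offer anything older.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        // Never return true unconditionally from this callback; that silently
        // disables server authentication. Keep the default decision, add logging.
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;

        var request = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        request.Method = "GET";

        // Step 4: present the certificate the server's CA issued for our CSR.
        // MachineKeySet lets a service account use the private key without a user profile.
        var clientCert = new X509Certificate2(ClientPfxPath, ClientPfxPassword,
            X509KeyStorageFlags.MachineKeySet);
        request.ClientCertificates.Add(clientCert);

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            Console.WriteLine((int)response.StatusCode + " " + reader.ReadToEnd());
        }
    }

    static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        // Surface the reason for "Could not establish trust relationship" instead of hiding it.
        Console.Error.WriteLine("TLS validation failed: " + errors);
        if (chain != null)
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine("  chain: " + status.Status + " - " + status.StatusInformation);
        return false; // Fix the trust store (step 5); do not bypass validation here.
    }
}
```

If the log shows `RemoteCertificateChainErrors` with `UntrustedRoot` or `PartialChain`, the CA or intermediate is missing from the Local Computer store; if the handshake fails before the callback runs, the server has rejected the client certificate (or its issuing CA is not in the server's trust store).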