I just got the following error while calling an API: "Could not establish trust relationship for the SSL/TLS secure channel".

I fixed it with the RemoteCertificateValidationCallback class:

    ServicePointManager.ServerCertificateValidationCallback +=
        new RemoteCertificateValidationCallback(Helpers.CertificateHelper.ValidateCertificates);

And there I just applied a snippet of code found here: "How to verify X509 cert without importing root cert?"

Now it's working fine, but... Is this the way to go? Is it okay, or should I not use this method?

Peter
  • It is not the right way to go. Which way is right depends on the context. Why do you get this error? If this is a misconfiguration on the peer's end, then you should ask them to fix it. Attempts to fix it on your side will most likely make you vulnerable to MITM attacks. – Crypt32 Jan 25 '21 at 21:20
  • I get the error because I am missing root certificates (I guess on the server?). I just downloaded them (from the API documentation) and verify them in the callback. Is adding those certificates on the server the way to go? – Peter Jan 25 '21 at 21:53

1 Answer

When your server checks the certificates on a request, it will try to verify the entire certificate chain. The code you used basically tells your server to skip validating the root CA. You should not do that because, as Crypt32 said, it leaves you more vulnerable to attacks.

If the error you receive tells you that you are missing the root certificates, you should make sure that your server trusts those certificates.

If this is a Windows server, you can install them in the Trusted Root Certification Authorities store. There's an explanation about it here.

Be careful about which certificates you trust: make sure that your source can be trusted.

If that does not work, you should post here the exact error you are getting and we might be able to understand the problem better.

StavSheiz
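
The steps from the answer above, as an added PowerShell example that is not part of the original answer: check the downloaded root certificate before installing it into the Windows Trusted Root Certification Authorities store. The file path and the expected fingerprint are placeholders (assumptions); the fingerprint has to come from a channel independent of the download itself.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows server.
# Placeholders (assumptions, not values from the original post):
$CertPath       = 'C:\temp\api-root-ca.cer'   # root CA file downloaded from the API documentation
$ExpectedSha256 = '<SHA-256 fingerprint confirmed with the API provider out of band>'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. The certificate's SHA-256 fingerprint must match the independently confirmed value.
#    Hashing RawData (the DER bytes) works for both DER and Base64 encoded .cer files.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) { throw "Fingerprint mismatch: got $actual" }

# 2. Only a self-signed CA certificate belongs in the Root store.
#    (Old v1 roots without a Basic Constraints extension are rejected by this check.)
$isSelfIssued = $cert.SubjectName.Name -eq $cert.IssuerName.Name
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $isSelfIssued -or -not $basic -or -not $basic.CertificateAuthority) {
    throw 'Not a self-signed CA certificate; do not install it as a trusted root.'
}

# 3. Reject expired or not-yet-valid certificates.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is outside its validity period.'
}

# 4. Install into Trusted Root Certification Authorities for the whole machine.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Confirm it is present, then remove the custom ServerCertificateValidationCallback
#    from the application so the default chain validation is used again.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, Thumbprint, NotAfter
```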