How to connect to a Http Rest Service with Self Signed Certificate (in the server side).

  • Question

  • I started working on a Windows Metro style app a few days ago. I need to implement an app which is the client side for a REST service. For that I chose HttpClient on the client side to communicate with the server. I did not find a way to get a callback for server-side certificate validation. As a result, if the server contains a self-signed or expired certificate, my app is not able to connect to the server. Please help.

    Friday, June 22, 2012 11:43 AM

All replies

  • You cannot ignore certificate errors in Metro style apps.  The certificate must be valid.

    Jeff Sanders (MSFT)

    Wednesday, June 27, 2012 3:37 PM
    Moderator
  • So there is no way to test an application which is using a web service in a development environment? It is not feasible to get a valid certificate for the development servers, and our application does not allow the user to communicate with the web service using HTTP.

     
    Friday, July 6, 2012 8:15 AM
  • It is absolutely possible to have valid certificates on test servers.  That is the route you should go.

    Jeff Sanders (MSFT)

    Friday, July 6, 2012 12:36 PM
    Moderator
  • PS, Simply install the cert in the trusted root of the Machine store on your test machine.

    Jeff Sanders (MSFT)

    Thursday, July 12, 2012 8:01 PM
    Moderator
  • Also see this:

    http://msdn.microsoft.com/en-us/library/windows/apps/hh464981.aspx#certificates_extension_sample_1

    You can include the server cert (and any intermediate certs) in your app and through the certificate extensions, set that cert in code.

    1. Export the server cert to a .der file

    2. Include the cert in your application (I put mine in the Assets Directory)

        Right click on the cert after you include it in your project and

         a. set the Build Action to Content

         b. set the Copy to Output Directory to Copy always

    3.  Open the package.appxmanifest in the text or XML editor by right clicking on it and add your cert to the "Root"

    </Capabilities>
      <Extensions>
        <!--Certificates Extension-->
        <Extension Category="windows.certificates">
          <Certificates>
            <Certificate StoreName="Root" Content="Assets\jsanders4.cer" />
            
          </Certificates>
        </Extension>
      </Extensions>

    Note:  This is the trusted root store for this application only (for obvious security reasons).


    Jeff Sanders (MSFT)

    Friday, July 13, 2012 5:30 PM
    Moderator
  • This was extremely helpful. I've never really dealt with certificates and whatnot and I had no idea why I couldn't connect to a small secure server I set up.

    Thanks a bunch.

    Tuesday, October 9, 2012 7:24 PM
  • Hi Jeff,

    This technique is still valid in RTM? Indeed, I'm trying to use it in my application but I'm still getting an error....

    Thanks!


    Thomas Lebrun [MVP] - Windows 8 / Windows Phone / WPF / SL: http://blog.thomaslebrun.net

    Sunday, October 21, 2012 10:47 AM
  • Yes it is still valid

    Jeff Sanders (MSFT)

    Monday, October 22, 2012 12:03 PM
    Moderator
  • Ok real client use-case here.. My Client makes and sells millions of servers every year.. Those servers include WSMan based administration consoles that their clients use.. We are building a Modern UI app for them to allow Network admins to manage their server farms.. Are we really going to tell our client (one of the top 4 Windows Hardware manufacturers in the world) that they can't connect to self signed WSMAN hosts? They have gone out of their way to support self-signed cert generated on the machine by the management console we have to tell the client, that to support Windows 8 they have to write off all those devices???

    There has to be another way...

    (Yes their clients (a HUGE percentage of datacenters from small shops to HUGE enterprises) can install legitimate SSL certs, but it's not our job to tell our clients how to run their datacenters.. And managing 5000 servers in a large data farm managing certs stops becoming a trivial task).

    Thanks

    Josh

    Tuesday, November 13, 2012 5:12 PM
  • Hi Josh,

    Thanks for the use case, I will let the product team know.  Yes you will need to tell your client that they cannot use Windows Store apps in that scenario.  You can of course still use the same Windows Design Style to create desktop apps that will look and feel like Windows Store apps.  The downside of that will be that they will not run on Windows RT devices however.

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, November 15, 2012 1:17 PM
    Moderator
  • Thanks for the confirmation Jeff... Funny thing is the primary reason we are building a Windows Store App is because we are one of the 6 OEMs that are currently allowed to make RT devices and we didn't want to leave them out.

    FYI: Yes best practices in a large Data Center dictate our clients should have their own internal CA and all that jazz, but the story breaks down in the SMB sector where a "data center" may only be 10 or 15 machines.

    Josh

    Thursday, November 15, 2012 3:06 PM
  • Hi,

    I am creating a Windows 8 app in C#; this app needs to consume an OData service of SAP NetWeaver Gateway. Can I access the certificates installed in the Local Machine store?

    Wednesday, November 21, 2012 6:22 AM
  • What do you mean by 'access the certificates'?  Please describe your scenario fully!


    Jeff Sanders (MSFT)

    Wednesday, November 21, 2012 2:15 PM
    Moderator
  • I am creating a Win8 app for an SAP scenario. For consuming the SAP Gateway OData service I need to authenticate the client with the service.

    For this I have to pass an X509 certificate from my local machine store with the request sent to the gateway.

    Thursday, November 22, 2012 7:16 AM
  • Jeff,

    I have recently started getting this error: "XMLHttpRequest: Network Error 0x2ef3, Could not complete the operation due to error 00002ef3." from my Metro app. This code has been working for a while now and suddenly gets this error. It's trying to do OAuth 1.0 authentication to Dropbox. How do you export the certificate from Dropbox servers? Why do I have to do this all of a sudden? It was working!

    Thanks,

    Todd


    STBraley

    Saturday, December 22, 2012 5:57 PM
  • Like Thomas, I also get an error.

    + InnerException {"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."} System.Exception {System.Net.WebException}

    • Edited by Paul Wulff Wednesday, January 16, 2013 11:40 AM
    Wednesday, January 16, 2013 11:38 AM
  • Note: when you transfer your server .crt file to a .cer file in your Visual Studio project, make sure you copy it as DER encoded, not Base-64.

    Thursday, January 17, 2013 4:53 AM
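
The DER-versus-Base-64 point in the last reply can be checked before the file is added to the Assets directory. The script below is an added example, not code from the thread or from Microsoft; its function names and sample bytes are constructed for illustration, and it checks only the file's encoding, not whether the certificate is valid or trusted.

```python
import base64
import re

# PEM ("Base-64 encoded X.509" in the Windows export wizard) wraps the DER bytes.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def is_single_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE: tag 0x30 plus a definite length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                          # short form: length in one byte
        header, body = 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return len(data) == header + body         # no truncation, no trailing bytes

def classify(data: bytes) -> str:
    """Return 'base64', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if PEM_RE.search(data):
        return "base64"
    return "der" if is_single_der_sequence(data) else "unknown"

def to_der(data: bytes) -> bytes:
    """Return DER bytes, decoding a Base-64 (PEM) file if that is what was given."""
    kind = classify(data)
    if kind == "base64":
        body = b"".join(PEM_RE.search(data).group(1).split())
        data = base64.b64decode(body, validate=True)
        kind = classify(data)
    if kind != "der":
        raise ValueError("not a DER or Base-64 encoded certificate")
    return data

# Constructed sample: a 260-byte DER-shaped blob (not a real certificate) and
# the same bytes in Base-64 form.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(classify(raw))
```

Run it with the path of the exported certificate as the only argument; a result of `base64` means the file still needs converting, which `to_der` does.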