AuthenticateAsServer - The remote certificate is invalid according to the validation procedure

  • Question

  • I'm trying to create a test client/server connection using the following code:

        static void Main(string[] args)
        {
            var listenerThread = new Thread(ListenerThreadEntry);
            listenerThread.Start();
    
            Thread.Sleep(TimeSpan.FromSeconds(1));
    
            var socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP);
            socket.Connect("localhost", Port);
    
            var rawStream = new NetworkStream(socket);
            var stream = new SslStream(rawStream, false, VerifyServerCertificate);
            var certificate = new X509Certificate(CertsPath + @"test.cer");
            var certificates = new X509CertificateCollection(new[] { certificate });
            stream.AuthenticateAsClient("localhost", certificates, SslProtocols.Tls, false);
    
            Thread.Sleep(TimeSpan.FromSeconds(1));
        }
    
        private static bool VerifyServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }
    
        static void ListenerThreadEntry()
        {
            var listener = new TcpListener(IPAddress.Any, Port);
            listener.Start();
    
            var client = listener.AcceptTcpClient();
            var serverCertificate = new X509Certificate2(CertsPath + @"\test.pfx");
            var sslStream = new SslStream(client.GetStream(), false);
            sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Tls, false);
    
            Thread.Sleep(TimeSpan.FromSeconds(10));
        }
    

    And I'm getting a "The remote certificate is invalid according to the validation procedure" error message in the AuthenticateAsServer method.

    Certificate was created and saved to file using these commands:

    makecert.exe -r -pe -n "CN=localhost" -a sha1 -sky exchange -sv test.pvk test.cer
    pvk2pfx -pvk test.pvk -spc test.cer -pfx test.pfx

    What am I doing wrong?


    Friday, August 28, 2015 9:27 AM

Answers

  • Hi Andrey_F,

    The exception usually occurs because the certificate is self-signed and not added as a trusted certificate. You could follow the steps below to add it as a trusted certificate.

    1. Click Start, click Start Search, type mmc, and then press ENTER.

    2. On the File menu, click Add/Remove Snap-in.

    3. Under Available snap-ins, click Certificates, and then click Add.

    4. Under This snap-in will always manage certificates for, click Computer account, and then click Next.

    5. Click Local computer, and click Finish.

    6. If you have no more snap-ins to add to the console, click OK.

    7. In the console tree, double-click Certificates.

    8. Right-click the Trusted Root Certification Authorities store.

    9. Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

    For more information, the link below is for your reference.

    https://technet.microsoft.com/en-us/library/Cc754841.aspx

    Best Regards,
    Li Wang

    Monday, August 31, 2015 8:53 AM
    Moderator

All replies

  • Thanks. Can I somehow make my server accept this certificate without adding it to the "Trusted Root" storage? I wouldn't like to modify the global configuration.
    Wednesday, September 2, 2015 11:20 AM
  • Hi Andrey_F,

    ->Can I somehow make my server accept this certificate without adding it to the "Trusted Root" storage?

    I am afraid you can't do it. An untrusted certificate will be refused by the server.

    Best Regards,
    Li Wang

    Thursday, September 3, 2015 5:27 AM
    Moderator
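
Added example, not code from any poster in this thread: SslStream has a constructor overload that takes a RemoteCertificateValidationCallback, and on the server side that callback is handed the client's certificate. The callback below accepts only one certificate, identified by its SHA-256 hash, instead of returning true unconditionally as the question's VerifyServerCertificate does; the class name, the placeholder hash and the console logging are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedClientValidation
{
    // Assumption: placeholder, replace with the SHA-256 hash of test.cer as hex digits.
    const string PinnedSha256 = "<SHA256-OF-TEST.CER>";

    // Signature matches RemoteCertificateValidationCallback. Server-side usage:
    //   var sslStream = new SslStream(client.GetStream(), false, PinnedClientValidation.ValidateClient);
    //   sslStream.AuthenticateAsServer(serverCertificate, true, SslProtocols.Tls, false);
    public static bool ValidateClient(object sender, X509Certificate certificate,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        // The client presented no certificate at all.
        if (certificate == null ||
            (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            return false;

        // Log why the default validation procedure objected (e.g. UntrustedRoot
        // for a self-signed certificate that is not in a trusted store).
        if (chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("chain: {0} {1}", status.Status, status.StatusInformation);

        // Tolerate chain errors only; any other policy error is a rejection.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Accept exactly one certificate: the one whose hash was pinned.
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            string actual = BitConverter.ToString(hash).Replace("-", "");
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

With the placeholder left in place the callback rejects every certificate, so a forgotten pin fails closed.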