SSL Self-Signed certificate not trusted by ASP.Net app - asp.net

I have an ASP.Net app that requires SSL certification in order to connect to a Dynamics NAV instance via SOAP.
I've created a self signed SSL certificate using the New-SelfSignedCertificateEx.ps1 script. The exact command used was:
New-SelfSignedCertificateEx -Subject "CN=<computerHostname>" -IsCA $true -Exportable -StoreLocation LocalMachine -NotAfter $([datetime]::now.AddYears(5))
Afterwards I copied the certificate to Trusted Root Certificates and added the thumbprint in the NAV instance settings, yet every time I try to connect my app to said NAV instance I receive an error stating:
System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority '<computerHostname>:<NavInstanceSOAPPort>'

A self signed certificate is not a trusted certificate, you need to provide one from a trusted authority
Try Let's Encrypt, ZeroSSL, FreeSSL or any party you like, they will offer you free 90-day certificate good enough for your tests

Related

ASP NET - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

We have a web service (service A) that calls another intranet service (service B) using HttpWebRequest via HTTP. When we have tried to upgrade that intranet service (service B) to HTTPS, we have started to see The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel exception.
Can this be related to not having the certificate in Server Certificates on the server where service A is located?
I have found the following article, but it seems to be more related to the same issue on the desktop, not on the server.
Could not establish trust relationship for SSL/TLS secure channel -- SOAP
#mason's comment to my question helped resolve the problem. Indeed CA's certificate was not amongst trusted root certificates.
It's not in IIS. It would be in Windows certificate store. Start > Manage Computer Certificates. The CA probably needs to be in the Trusted Root Certification Authorities > Certificates folder.

IIS 7.5 Client certificate authentication

I have asp.net site on my local machine.
IIS configuration:
binding: https binding with self-signed certificate,
ssl settings: Require SSL and Require client certificates
I have installed next certificates on my machine:
CA certificate (call it 'CA Center') in Trusted Root Certification Authorities store.
Client certificate issued by 'CA Center' in Personal store
I go to site and accept server certificate. But next i get error:
HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.
That means browser (IE) doesn't send applicable client certificates to server.
What's wrong? Should I configure something else?
I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:
certutil -addstore -v -enterprise root CertificateAuthority.cer
It sounds like the browser never prompted you to select a client certificate to send which means something is incorrect with the SSL Handshake. Try testing this with OpenSSL.
Additionally, a very common problem is having too many certificates in the Trusted Root CA folder. When the server sends the list of CAs, there is a limit to how large the list can be so if it exceeds the limit, it will truncate the remaining CA certificates. Make sure the Trusted Root CA folder doesn't have too many certificates. One way to check this is temporarily modifying the SCHANNEL in the registry editor to not send the CA List, and then re-try.
Start > Run > 'regedit' > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL >
right-click > New > DWORD > 'SendTrustedIssuerList' > Value:0
Re-install the certificates and check their effective dates. From Microsoft Support:
Download the root server certificate in a browser on the server
computer. Run the Iisca.exe command line utility that is located in
the Inetsrv directory.
Check the effective date on the client certificate and make sure that
the date and time has arrived.
Check the expiration date and make sure that the certificate has not
expired. Contact your certificate authority to see if your
certificate has expired.

X509 certificate error for HTTPS on BizTalk

I want to send a request to HTTPS adapter through BizTalk server 2009. My BizTalk adapter is dynamic and it's takes configuration details from database instead of directly mentioning it on server.
I have installed X509 certificate in my browser and imported it in MMC.
I am getting following error in my BizTalk
A message sent to adapter "HTTP" on send port "sndHL7" with URI "https://xxxxxxxxx/imm/test (https://xxxxxxxxxxxxx/imm/test)" is suspended.
Error details: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
I searched for this error, but every where I got following response only :
Error: – Details: “The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Solution: The error message normally occurs if the client certificate is not configured correctly. You should check that you have configured your client certificate in certificate store under BizTalk service account that hosts the HTTP adapter.
I am not getting how to configure that certificate in proper certificate store. I have 3 files wih extension .cer, .cer and .pfx. The file with extension .pfx requires password to install it in any store.
Also, how to configure certificate under BizTalk service Account? Should I select "Service Account" while adding snap in in MMC and then select BizTalk service from the list of services.
I don't know about biztalk but if you are presenting a cert you need the associated private key. A cert is like a photo ID. It is hard to forge, but it still doesn't prove your identity unless you can present your face for someone to compare with the ID. Assuming the file extensions match the actual format of the files, the cer files are either DER, BER or PEM encoded certificates without the private key. So you need the pfx file. So if the proposed solution from the error message is correct, you need to find that password and install the certificate and private key from the PFX file into the store.
The two .cer files must be the root authority and server certificates and you must trust them.so you need to place them in your LOCAL MACHINE- Trusted Root Certification store. (use MMC)
Now the .pfx file will have the client authentication certificate that you will be passing into get authenticated. Import this certificate to LOCAL MACHINE,Personal (or MY certificate store if using command line) check private key as exportable.
Now allow BizTalk service account access to the private key of this certificate.
MMC use add snap in and add local machine.
select the client certificate in Personal right click- AllTasks- Manage private keys. Now add your BizTalk service account as a user and give access.
Or else use winhttpcertcfg tool in command line

Certificate for WCF message security

I am developing a WCF service and Windows forms client and using message security (authenticate with user name, password, and certificate (public and private key) at server, server public key at client). Verified with temporary certificate using makecert.
Now I need to publish my application in GoDaddy.
Can I use the SSL Certificate from GoDaddy for WCF message security (WS-Security) or do we need to buy a different type of certificate?
It is possible, but it means you would have to have the GoDaddy SSL certificate installed on every client. Normally you would not expect the SSL certificate itself to be installed on a client, instead you would have a certificate from somewhere higher in the certificate issuer chain installed and verify the GoDaddy SSL certificate by chaining.
However, if you are able to distribute the GoDaddy cert (minus the private key, obviously) with your client application then you should be able to do it. Certificates generally have Purpose, which is the intended use of them. I imagine your GoDaddy certificate would have an intended use of SSL only, but I don't think that really matters.

Problem configuring SSL/Certificates on IIS7

I am trying to use SSL and certificates with a web service (IIS 7, Windows 2008, .NET framework 3.5 SP1). I followed the basic instructions (http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis-7/) and was able to get the site running soon. However, I can only connect to it from a client if the client has the web server's certificate in its Trusted Root Certification Authorities/Certificates store. If I don't add the certificate on the client site, I get the error "Could not establish trust relationship for the SSL/TLS secure channel with authority" on trying to connect to the service from client.
That's the correct behavior if you're just using self-signed test certificates. In a public/production environment, your server's certificate would be issued by a common CA like GoDaddy or VeriSign, which you have to pay to obtain.
Most (client) machines already have a large list of updated CA in their trusted root such as GoDaddy, and so a server certificate signed by them for your site will validate as a valid certificate on most* machines (without you needing to provide your cert as a trusted root).
*Most, meaning that there are browsers & operating systems which may be missing (or need updates) on common certificate authorities in their trusted root store.
Where did you get this certificate? If it's not a child of one of the certificates in the root authority already I sure hope you didn't pay money for it. If you're generating them yourself this isn't surprising because nobody trusts your CA server.

Resources