Jason Whitehorn

MarshalByRefObject.net
Web Services & Self Signed SSL Certificates

UPDATE (12/17/2007): My blog has moved. This post is now located at: http://jason.whitehorn.ws/2006/09/21/Web+Services+Self+Signed+SSL+Certificates.aspx




Sometimes you want your web services to use an SSL communications channel, but for one reason or another you cannot use an SSL certificate from a major CA.

Just this past week we had just such a need at work. A coworker of mine was having difficulties making web service calls over SSL when the certificate's CA could not be trusted by .NET. I had mentioned to him that I had done something similar in the past, and offered my help.

I eventually came up with this solution:

    using System;
    using System.Net; // for the ServicePointManager
    using System.Security.Cryptography.X509Certificates; // for the X509 certificate
    using System.Net.Security; // for RemoteCertificateValidationCallback delegate & SslPolicyErrors

    public partial class _Default : System.Web.UI.Page {
        protected void Page_Load(object sender, EventArgs e) {
            // Registers the callback for every SSL connection made by this process
            ServicePointManager.ServerCertificateValidationCallback
                = new RemoteCertificateValidationCallback(certExaminer);
        }

        public bool certExaminer(object sender, X509Certificate c, X509Chain chain, SslPolicyErrors sslPolicyErrors) {
            // true means the certificate is okay to use;
            // returning it unconditionally accepts every certificate
            return true;
        }
    }

Which I wrote up after having read this MSDN article. Now, whenever .NET needs to validate a certificate, it calls the function "certExaminer".

I had thought that I had done something different in the past. The above works, but modifies the certificate validation process for the entire running process.

So, I guess my question is, do any of you know of a better way to use web services with SSL certificates that have untrusted CAs?
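
One way to keep the process-wide callback from being a blanket accept, shown as an added example that is not the author's code: it leaves normal validation in place and makes an exception only for one host presenting one known certificate. The host name, the hash placeholder and the class name are assumptions, as is the callback's sender being an HttpWebRequest (the case for HttpWebRequest-based web service calls).

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidation {
    // Assumed placeholders: replace with the service's host name and the
    // SHA-256 hash (hex, no separators) of its self-signed certificate.
    const string PinnedHost = "internal-service.example";
    const string PinnedSha256 = "<SHA-256-OF-EXPECTED-CERTIFICATE>";

    public static void Install() {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        // Certificates that pass normal validation are unaffected.
        if (errors == SslPolicyErrors.None) return true;

        // Tolerate only an untrusted chain; a name mismatch or a missing
        // certificate is still rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        if (cert == null) return false;

        // The callback is process-wide, so restrict the exception to one host.
        // Address is the URI of the server actually being contacted.
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.Address.Host, PinnedHost,
                           StringComparison.OrdinalIgnoreCase)) return false;

        // Accept only the exact certificate that is expected.
        using (SHA256 sha = SHA256.Create()) {
            string actual = BitConverter.ToString(
                sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
            return string.Equals(actual, PinnedSha256,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Call PinnedCertValidation.Install() once at application start rather than on every page load; the pinned hash has to be updated whenever the service's certificate is reissued.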

Posted on Wednesday, September 20, 2006 12:48 AM | Filed Under [ .NET ASP.NET ]
