I have a .NET application that connects to a remote server over SSL. In the test environment the remote server uses a self-signed certificate. By default, the SSL connection fails. If I install the certificate into the Trusted Root Certification Authorities store, the connection succeeds.

However, since it is now a trusted certification authority, this certificate can be used to sign certificates for any other site, and applications on my computer, such as Internet Explorer, will trust those. I want this certificate to be trusted to authenticate a specific web site, but not trusted as a certification authority. Is there any way to do so?

1 Answer

You can implement your own certificate verification mechanism that additionally allows certain self-signed or custom certificates.

Take a look at the RemoteCertificateValidationCallback delegate. In this callback you can check whether the verification was already successful (sslPolicyErrors == SslPolicyErrors.None); in that case you don't have to do anything. Otherwise you can check whether the given certificate equals the custom certificate you want to trust in this context. If the certificate matches, return true.

Using your own RemoteCertificateValidationCallback delegate can be done in a connection-oriented way (using e.g. this SslStream constructor).
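As an added example (not code from the original answer), here is a callback that trusts exactly one self-signed certificate for one SslStream, passed through the SslStream constructor mentioned above; the certificate file name and host name are placeholders, and the pin is compared byte-for-byte so it cannot act as a CA for anything else:

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

class PinnedSslClient
{
    // Placeholder: a DER/PEM copy of the test server's self-signed certificate.
    static readonly X509Certificate2 Pinned = new X509Certificate2("test-server.cer");

    static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        // Normal chain validation succeeded: nothing extra to do.
        if (errors == SslPolicyErrors.None)
            return true;

        // A self-signed certificate only produces chain errors. Any other error
        // (name mismatch, no certificate presented) is still rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || cert == null)
            return false;

        // Accept only an exact match with the pinned certificate. Comparing the
        // raw DER bytes ties trust to this one certificate, not to its issuer,
        // so it cannot be used to vouch for any other site.
        return cert.GetRawCertData().SequenceEqual(Pinned.RawData);
    }

    static SslStream Connect(string host, int port)
    {
        var client = new TcpClient(host, port);
        // The callback is supplied per connection, so the pin applies to this
        // stream only and does not touch the machine's trust store.
        var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
        ssl.AuthenticateAsClient(host);
        return ssl;
    }

    static void Main()
    {
        // Placeholder host name for the test environment.
        using (var ssl = Connect("test.example.internal", 443))
            Console.WriteLine("Connected; cipher: " + ssl.CipherAlgorithm);
    }
}
```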