Accessing a cross-signed SSL service with a .net WebClient

0
votes

I have a small C# app that uses a WebClient to download data from a web service over HTTPS (URL begins https://). The following has worked well for a long time:

public class WebClientEx : WebClient {
    public int Timeout {get; set;}
    protected override WebRequest GetWebRequest(Uri address) {
        var request = base.GetWebRequest(address);
        if (request != null)
            request.Timeout = Timeout;
        return request;
    }
}

using (var client = new WebClientEx()) {
    client.Proxy = new WebProxy(ProxyUrl) { Credentials = CredentialCache.DefaultCredentials };
    client.Timeout = 900000;
    var fields = new NameValueCollection { /* .... */ };
    byte[] respBytes = client.UploadValues(url, fields);
    /* .... */
}

However, the provider of the web service has recently updated their SSL certificate and now I get this:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I can disable SSL validation to "make it work":

public class WebClientEx : WebClient {
    public int Timeout {get; set;}
    protected override WebRequest GetWebRequest(Uri address) {
        var request = base.GetWebRequest(address);
        if (request != null)
            request.Timeout = Timeout;
        if (SSLCheckDisabled) {
            try {
                //Change SSL checks so that all checks pass
                ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            }
            catch {
            }
        }
        return request;
    }
}

But for obvious reasons, I don't want to do this!

On Windows 7 + IE9, the certificate is fine and fully trusted in IE. On the Windows 2003 server accessing the web service with the .NET Framework 4.0 WebClient, IE6 says in a Security Alert:

The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

The certificate at the end of the chain, which is "not trusted", is:

Issued To: DigiCert High Assurance EV Root CA

Issued By: DigiCert High Assurance EV Root CA

This troubleshooting page says at the top "The root certificate in this path is titled DigiCert High-Assurance EV Root CA and is already trusted by all modern browsers.". All online SSL checkers pass the domain when I test them.

So my question is - how can I get my WebClient to behave more like IE9 than IE6, and to trust this cross-signed SSL certificate?

1
c#.netsslhttpswebclient

1 Answers

1
votes

If your computer trusts the Root CA, then you trust certificates issued by that CA. You need to add the Digicert Root CA certificate to the computer's Trusted Root CA group. This can be done using the Certificates MMC snap-in for the computer account.

To Export the Root CA Certificate

  1. View the site's certificate from the browser.
  2. On the Certification Path tab, select the Root CA cert (at the top of the chain).
  3. Click the View Certificate button
  4. On the Details tab of the Root CA cert click Copy to File. (DER encoded .CER is fine).

To trust the Root CA

  1. Open the Certificates MMC snap-in for the Computer (start > mmc > Add snap-in > certificates)
  2. Navigate to the "Trusted Root Certification Authorities" folder
  3. Right-click on the Certificates folder, choose All Tasks > Import.
  4. Browse to the .cer file and follow the wizard.