Trusting Self-Signed Certificate using HttpClient

0
votes

I have followed this tutorial to create a self-signed CA certificate and then a self-signed SSL certificate based off the CA certificate. I then installed the SSL certificate in IIS to access my internal site via a local IP address e.g. 10.0.0.1. I want to use HttpClient to make a request to the site as follows:

using (var httpClient = new HttpClient())
{
    var text = await httpClient.GetStringAsync("https://52.19.32.61:5010");
}

I have added my self-signed CA certificate to the local machines trusted root certificates, however, I still get the following exception (Any answers telling me to turn off SSL validation are not helpful.):

System.Net.Http.HttpRequestException: An error occurred while sending the request. System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

1
c#.netsslssl-certificatedotnet-httpclient
Your question is similar to this: stackoverflow.com/questions/2675133/…Robo
I am not asking to ignore certificate errors.Muhammad Rehan Saeed

1 Answers

2
votes

SelfSigned CA has to be in LocalMachine\Root store on server and on any client connecting to the server.

SSL certificate should have exact DNS name that clients will use to connect to it. It can have several DNS names specified in the certificate in Subject alternative name (SAN) extension. In your case you are using IP address so either

  • you place the IP address in SAN or
  • you put the IP address in hosts file with DNS name you specified when issuing SSL certificate and use this DNS name in HttpClient

You might consider using XCA to issue your certificates. It has nice GUI and is built on top of OpenSSL. It has predefined templates for CA and SSL server. More info in documentation here.