Reputation: 2693
Context:
I'm trying to experiment with ADFS SSO and followed this tutorial to first connect to Azure AD:
That worked.
Then trying to make it connect to ADFS on our Win Server 2012 R2 following this other tutorial:
and just as they say in this 3rd tutorial: https://msdn.microsoft.com/en-us/library/dn660967.aspx
I get a SSL certificate error:
Questions:
I know I can bypass certificate validation or put special logic in ServicePointManager.ServerCertificateValidationCallback to code around this but since I imported the certificate in my local machine "Trusted Root Certification Authorities"...:
... why is my service still complaining about the certificate?
... Is there a way to tell my C# service to accept ALL certificates in the "Trusted Root Certification Authorities" store?
NOTE: I did implement a ServicePointManager.ServerCertificateValidationCallback and that works but since we will get a whole bunch of clients sending us their ADFS certs, I would like to only have to import their certs in the cert store to have our service trust them.
Thanks
Upvotes: 1
Views: 3599
Reputation: 27871
You should put the root certificate inside the Trusted Root Certification Authorities store (not the certificate itself). If you open a certificate and go to certification path you will be able to view the root certificate.
To explain this further:
Every certificate has an issuer, and such issuer also has a certificate.
Usually the issuer is a Certification Authority (CA).
Such certificate (of the CA) might be signed by the CA itself (self-signed), or another parent CA.
So you have a parent/child relationship here. The root certificate is the certificate of the root issuer, i.e., the parent/grandparent whose certificate is self-signed.
In this example, the Administrator certificate is signed by the CA. And the CA certificate is self-signed. In this case, you would want to install the CA certificate to the Trusted Root Certification Authorities store.
There are other factors that play a role when it comes to certificate validation. For example, a certificate has an expiry date after which it will be considered invalid.
Upvotes: 5
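The following C# example is added here to illustrate the answer; it is not code from the question or the answer. It builds the certification path of a server certificate with `X509Chain` (the same logic .NET applies during TLS validation), prints each link and every `ChainStatus` problem (such as `UntrustedRoot` when the self-signed top of the chain is missing from Trusted Root Certification Authorities, or `PartialChain` when an intermediate issuer cannot be found), installs the self-signed top of the chain into the LocalMachine Root store as the answer recommends, and shows a `ServerCertificateValidationCallback` that logs the failure reason without accepting everything. The file name `server.cer`, the class name `ChainCheck` and the method names are assumptions for the example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the original question or answer.
// Assumes "server.cer" (hypothetical path) is the certificate exported
// from the ADFS endpoint, e.g. via the browser's certificate dialog.
static class ChainCheck
{
    // Build the certification path the way .NET does during TLS validation and
    // report every problem. An empty array means the chain is fully trusted.
    public static X509ChainStatus[] Diagnose(X509Certificate2 leaf)
    {
        using (var chain = new X509Chain())
        {
            // Revocation is switched off so the diagnosis is purely about trust;
            // leave it at Online in production unless there is a reason not to.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.Build(leaf);

            Console.WriteLine("Certification path (leaf first):");
            foreach (X509ChainElement element in chain.ChainElements)
            {
                var c = element.Certificate;
                bool selfSigned = c.Subject == c.Issuer; // the root signs itself
                Console.WriteLine($"  {c.Subject}  issued by  {c.Issuer}" + (selfSigned ? "  [root]" : ""));
            }

            // UntrustedRoot: the self-signed top is not in Trusted Root CAs.
            // PartialChain: an issuer certificate in the middle could not be located.
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine($"  problem: {status.Status} - {status.StatusInformation}");

            return chain.ChainStatus;
        }
    }

    // Install the self-signed top of the path into the machine's Trusted Root
    // Certification Authorities store (what the answer recommends). Needs admin.
    public static void TrustRootOf(X509Certificate2 leaf)
    {
        using (var chain = new X509Chain())
        {
            // Allow the build to complete even though the root is not yet trusted,
            // so we can reach the top element of the path.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.Build(leaf);

            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (root.Subject != root.Issuer)
                throw new InvalidOperationException(
                    "Path is incomplete: the top certificate is not self-signed. " +
                    "Obtain the missing issuer (CA) certificate before trusting anything.");

            using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
            {
                store.Open(OpenFlags.ReadWrite);
                store.Add(root);
            }
            Console.WriteLine($"Installed root: {root.Subject} (thumbprint {root.Thumbprint})");
        }
    }

    // Validation callback that keeps the default checks and only logs why a
    // handshake was rejected. It never returns true for an invalid chain.
    public static bool LoggingCallback(object sender, X509Certificate cert,
                                       X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine($"TLS validation failed: {errors}");
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  {s.Status}: {s.StatusInformation}");
        return false;
    }

    static void Main(string[] args)
    {
        var leaf = new X509Certificate2(args.Length > 0 ? args[0] : "server.cer");
        if (Diagnose(leaf).Length == 0)
            Console.WriteLine("Chain is trusted; no import needed.");
        else if (args.Length > 1 && args[1] == "--trust-root")
            TrustRootOf(leaf);

        ServicePointManager.ServerCertificateValidationCallback = LoggingCallback;
    }
}
```

Two caveats worth checking against the callback's output: if the ADFS certificate is itself self-signed, it is its own root and goes into the Root store, which is the one case where importing "the certificate itself" is correct; and `SslPolicyErrors` may also report `RemoteCertificateNameMismatch`, which no store import fixes because it means the host name in the request does not match the certificate's subject or subject alternative names.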