P.H.

Reputation: 481

Debugging certificate policy validation failures: "The remote certificate is invalid according to the validation procedure."

I'm trying to write a C# client that consumes a web service. The communication is encrypted. I have downloaded and installed the site's certificate into that magic place where WinXP keeps them.

When I run my client I fail with "The remote certificate is invalid according to the validation procedure."

When I run certmgr.msc, the GUI informs me that the certificate has an invalid policy. The certificate has valid dates and the certification path is ok. The certificate does have a certificate policy with a policy identifier of integers interleaved with dots (like 1.2.30...).

Using code from the X509Certificate2.Verify Method documentation, I can see that the Verify message does indeed return false.

In trying to research this error, I found a reference in Brian Komar's Windows Server 2008 PKI and Certificate Security:

Policy validation. If the application that calls the certificate chaining engine expects a specific application policy or certificate OIDs in the certificate, and the required policy or OIDs are not contained within the certificates in the CA chain, the certificate chaining engine considers the certificate to be invalid.

I don't see that I'm setting any expectation of a specific application policy. I'm in the process of porting this WSE3 code to WCF so perhaps it is built in.

Any advice on how to run this down further? Is there really a problem with the certificate?

If the certificate is ok, do I need to configure or extend the CryptoConfig class to turn off checking the policy?

Any and all help appreciated.

Upvotes: 1

Views: 984

Answers (2)

jglouie

Reputation: 12880

One technique I've used to track these types of errors down is to visit the Web Service in a browser.

For example, if you have a Web Service at https://server/foo.asmx, drop that address into the browser of your choice, and you may get a more human readable interpretation of the error.

Upvotes: 0

Wiktor Zychla

Reputation: 48230

You can always disable the validation by setting the ServicePointManager.ServerCertificateValidationCallback to a delegate returning true. This would give you time to track down any issues with the certificate.

Upvotes: 0
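An added example, not part of either answer: a validation callback that prints the chain engine's status flags for each certificate in the chain, plus each certificate's Certificate Policies extension, while leaving the accept/reject decision unchanged. The class and method names are hypothetical, and the default URL is the placeholder address from the first answer.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class CertDiagnostics   // hypothetical name, for illustration only
{
    // Logs why validation failed; the connection is still rejected on any error.
    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("SslPolicyErrors: {0}", errors);
        if (chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine("Subject: {0}", element.Certificate.Subject);

                // Per-certificate flags, e.g. InvalidPolicyConstraints or NotValidForUsage.
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    Console.WriteLine("  {0}: {1}", status.Status, status.StatusInformation);

                // 2.5.29.32 is the OID of the Certificate Policies extension.
                X509Extension policies = element.Certificate.Extensions["2.5.29.32"];
                if (policies != null)
                    Console.WriteLine("  Policies: {0}", policies.Format(false));
            }
        }
        return errors == SslPolicyErrors.None;
    }

    static void Main(string[] args)
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;

        // Placeholder address; pass the real service URL as the first argument.
        string url = args.Length > 0 ? args[0] : "https://server/foo.asmx";
        try
        {
            using (WebResponse response = WebRequest.Create(url).GetResponse())
                Console.WriteLine("Handshake succeeded.");
        }
        catch (WebException ex)
        {
            Console.WriteLine("Request failed: {0}", ex.Message);
        }
    }
}
```

The status flag printed for the failing element shows which certificate in the chain the policy error is attributed to, which separates a problem in the issued certificate from one in its CA chain.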
