SSL Certificate Check

Discussion in 'ASP .Net' started by Guest, May 11, 2005.

  1. Guest

    Guest Guest

    How do I programmatically read an SSL certificate when connecting with
    WebClient? I need to verify the domain name matches the certificate and that
    the Expiration Date is valid before I post data to another server. Thanks.
    Guest, May 11, 2005

  2. Hi Jmh,

    Welcome to ASPNET newsgroup.
    From your description, you are using the WebClient class to access a certain
    ASP.NET web application which is protected by SSL in IIS. And at the client
    application, you'd like to intercept the validation processing for the
    Server Certificate, yes?

    As for this question, based on my research, when using WebClient (or
    HttpWebRequest) net components to access an SSL protected resource, the
    validation process for the Server Certificate is automatically done by the
    default CertificatePolicy (System.Net.DefaultCertificatePolicy). The
    DefaultCertificatePolicy class will always make the connection fail if any
    problems or errors occur. Then, if we need to manually intercept the
    validation process, we can create a custom CertificatePolicy class which
    should implement the ICertificatePolicy interface,

    #ICertificatePolicy Interface

    this interface contains the "CheckValidationResult" method which returns a
    boolean value to indicate whether the Server Certificate is valid. We can
    add our own validation logic in it. The following custom CertificatePolicy
    always returns true to let the server certificate pass the validation (no
    error will occur):

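    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    public class MyCertPolicy : ICertificatePolicy
    {
        public MyCertPolicy() { }

        // Returning true accepts every server certificate, whatever "problem" reports.
        public bool CheckValidationResult(ServicePoint sp,
            X509Certificate cert, WebRequest req, int problem)
        {
            return true;
        }
    }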

    And before we use our WebClient instance to access the remote SSL protected
    app, we need to attach our custom CertificatePolicy instance through the
    System.Net.ServicePointManager.CertificatePolicy property, like:

    ServicePointManager.CertificatePolicy = new MyCertPolicy();

    try
    {
        WebRequest myRequest = WebRequest.Create(myUri);
        WebResponse myResponse = myRequest.GetResponse();
    }
    catch (WebException e) { /* the connection could not be established */ }

    Hope this helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure!
    (This posting is provided "AS IS", with no warranties, and confers no
    Steven Cheng[MSFT], May 12, 2005

  3. Guest

    Guest Guest


    Just to confirm, a failure will occur if:

    * If the domain name does match the certificate, e.g.
    URL is:
    Certificate is:
    The request will fail?

    * If the certificate expires on 8/1/04 and the current date is 5/12/05,
    the request will fail?

    If both are true, what error message should I look for in my Try/Catch
    statement? Thanks.
    Guest, May 12, 2005
  4. Hi Jmh,

    Thanks for your response.
    As for the try... catch... block, where do you put them? If you just put
    them around your webClient processing code, I don't think it will provide
    any useful info, since any error that occurs when validating the Server
    Certificate will result in a System.Net.WebException, which only indicates
    that the underlying connection failed to establish.

    So we need to use our custom CertificatePolicy class and put our
    interception code in the

    public bool CheckValidationResult(ServicePoint sp,
    X509Certificate cert,WebRequest req, int problem)

    method. The "int problem" is just the error code indicating the
    actual error that occurred. Following is the error code to error info mapping:

    public enum CertificateProblem : long
    {
        CertEXPIRED = 0x800B0101,
        CertROLE = 0x800B0103,
        CertPATHLENCONST = 0x800B0104,
        CertCRITICAL = 0x800B0105,
        CertPURPOSE = 0x800B0106,
        CertISSUERCHAINING = 0x800B0107,
        CertMALFORMED = 0x800B0108,
        CertUNTRUSTEDROOT = 0x800B0109,
        CertCHAINING = 0x800B010A,
        CertREVOKED = 0x800B010C,
        CertREVOCATION_FAILURE = 0x800B010E,
        CertCN_NO_MATCH = 0x800B010F,
        CertWRONG_USAGE = 0x800B0110,
        CertUNTRUSTEDCA = 0x800B0112
    }

    you can also find it in the MSDN document I mentioned in the previous

    #ICertificatePolicy Interface

    If anything else unclear, please feel free to post here. Thanks,

    Steven Cheng
    Microsoft Online Support

    Steven Cheng[MSFT], May 13, 2005
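
An added example, not code from the thread or from Microsoft: a policy on the ICertificatePolicy interface discussed above that leaves every validation failure in place and records whether it was the expiry or the name-mismatch code from the posted mapping. ReportingCertPolicy, LastFailure, the Demo class and the example.com URL are hypothetical, and treating a problem value of 0 as "no problem" is an assumption. Later .NET Framework versions mark ServicePointManager.CertificatePolicy obsolete in favour of ServicePointManager.ServerCertificateValidationCallback.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: reports why validation failed and never overrides the failure.
public class ReportingCertPolicy : ICertificatePolicy
{
    // Codes from the CertificateProblem mapping posted in the thread.
    private const uint CertEXPIRED = 0x800B0101;
    private const uint CertCN_NO_MATCH = 0x800B010F;

    // Hypothetical helper state; static for brevity, so not thread-safe.
    public static string LastFailure;

    public bool CheckValidationResult(ServicePoint sp,
        X509Certificate cert, WebRequest req, int problem)
    {
        // Assumption: 0 means the built-in checks found no problem.
        if (problem == 0) { LastFailure = null; return true; }

        uint code = unchecked((uint)problem);
        string reason;
        switch (code)
        {
            case CertEXPIRED: reason = "certificate outside its validity period"; break;
            case CertCN_NO_MATCH: reason = "certificate name does not match host"; break;
            default: reason = "validation error 0x" + code.ToString("X8"); break;
        }
        string expires = cert == null ? "n/a" : cert.GetExpirationDateString();
        LastFailure = req.RequestUri.Host + ": " + reason + " (expires " + expires + ")";
        return false; // keep the connection failing so no data is posted
    }
}

public static class Demo
{
    public static void Main()
    {
        ReportingCertPolicy policy = new ReportingCertPolicy();
        ServicePointManager.CertificatePolicy = policy; // installed as in the thread

        // Constructed inputs: placeholder URL, no real certificate, no network I/O.
        WebRequest req = WebRequest.Create("https://example.com/");
        int[] samples = { 0, unchecked((int)0x800B0101), unchecked((int)0x800B010F) };
        foreach (int problem in samples)
        {
            bool ok = policy.CheckValidationResult(null, null, req, problem);
            Console.WriteLine("{0} -> {1}", ok, ReportingCertPolicy.LastFailure ?? "accepted");
        }
    }
}
```

In real use, read ReportingCertPolicy.LastFailure inside the catch (WebException) block around the WebClient call to learn which check made the connection fail.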
  5. Guest

    Validating Certificate at client side in .net code

    Here we can validate any certificate?
    Also, we can validate certificate issued by Verisign and other CA?

    , Jun 25, 2009