无法为 SSL/TLS 安全通道建立信任关系 - SOAP 服务

Question

I have a SOAP web service inside that I am calling a third party secured web service (it was HTTP earlier now they secured it). they have valid SSL certificate. while calling the third party service I am getting below error,

Server was unable to process request. ---> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request) at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

There are few articles which says TSL 1.2 should be enabled, to check about TSL further, I have below component on my server,

Here is third party service call,

Can someone guide me, where should I setup trust relationship? Do I need to modify my code or just some configurations changes needed

Answer 1

There is a process of exchanging the public key of the service certificate during the secure communication. Therefore, we should establish the trust relationship between the client-side and the server-side. As for mutual certification authentication, we should establish the trust relationship each other.
Trust relationship represents the certificate is valid, the server is real and secure. Namely, it represents this is a validation of the server's identity. This also could be accomplished by the below code segments.

//adding below code segments to ignore the service certificate validation.
            ServicePointManager.ServerCertificateValidationCallback += delegate
            {
                return true;
            };
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Ssl3;

More commonly, this should be finished by installing the service Root certificate in the local Trusted Certification Authorities.

To get the certificate you can either,

1. 1, Ask the service vendor for it, you can ask for the Root CA certificate, you can authorize all the servers you need at once;
2. Use a web browser to get the certificate. Access the service creation page with HTTPS( https://localhost:xxxx/xxx.svc ). Then use the web browser options to export the certificate to a .cer file.
   Install the certificate.
   Double-click the.cer file to install the certificate. Choose Local Computer, then choose Trusted Root Certification Authorities.

Here is a detailed step.
https://success.outsystems.com/Support/Enterprise_Customers/Installation/Install_a_trusted_root_CA__or_self-signed_certificate
Feel free to let me know if there is anything I can help with.

Answer 2

In addition to Abraham post above, make sure that that IIS has enough access to the certificates. We faced the issue and at first, it seemed like the app could access the certificates but that wasn't the case. We fixed it by going to the Manage Certificates -> Personal -> Certificates -> Right Click the certificate -> All tasks -> Manage Private Keys -> Add -> Grant Access to "Everyone" (testing only, you should only grant access to IIS). The connection worked after doing this.