How can I use a client certificate with a missing CA to communicate with a external Web service?

Question

I have a client certificate but I am unable to obtain the public key CA that is the issuer. When I view it in Certificates MMC, Windows cannot verify the issuer. I need to communicate with an external java web service that requires the certificate.

I created a sample console app that utilized the certificate through the binding and it works perfectly. I am now moving that configuration and code into an IIS-hosted WCF web service. I have hit a roadblock in that I can't seem to get past the error:

Could not establish trust relationship for the SSL/TLS secure channel with authority '[url]'

The only difference between the two applications seems to be in the domain that it is running. I'm sure that the issue is with validating the client certificate on my side and it's not attempting to make a connection with the external java service. What is the best way around this as I've already asked for the public key CA, only to be turned down?

Can I override the validation in WCF or tweak IIS in order to make this work?

Answer 1

After banging my head against the wall and searching through stack trace keywords I came across a post about the private key certificate file and IIS needing access to this.

I set Read permission on the certificate file in the:

C:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys

and that resolved my issue.

Answer 2

You can override the check by adding a callback to ServicePointManager.ServerCertificateValidationCallback . The easiest callback would be

static void Main()
{
    ServicePointManager.ServerCertificateValidationCallback = ValidateRemoteCertificate;

    // ...
    Application.Run(new MyForm());
}

private static bool ValidateRemoteCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true;
}