When using WCF (or ASMX) over SSL you may run into the error "Could not establish trust relationship for the SSL/TLS secure channel with authority 'YourServerHere:Port'". There are a number of reasons this might happen, but the first thing to check is that the SSL certificate for your server is valid for that domain. One quick way to check is to browse to the endpoint URL in Internet Explorer; if you get this:
You can then continue to the website and click the padlock/certificate button at the top right, and you should see exactly why:
(Note: these screenshots are from IE8.)
There are a number of ways to fix this:
- Change the endpoint address in your client configuration to point to the "issued to" domain and not the invalid one (or IP address).
- If for some reason you can't do step 1, you could add an entry to your HOSTS file that maps the "issued to" domain to the appropriate IP address, and then go back to step 1.
- Or, you can modify your client's code to skip certificate verification entirely using System.Net.ServicePointManager. See the example code below.
Example:

```csharp
using System.Net;
using System.Net.Security;

// Accepts every server certificate, whatever the validation errors were.
// This is the behaviour the article warns about below: it disables
// certificate verification for the whole AppDomain.
ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
    delegate { return true; });
```

Note that this is a dangerous implementation, as it doesn't verify certificates at all. ServicePointManager is a WinInet level concept and beyond the boundaries of WCF (so this change would affect all requests from that AppDomain!) - be very careful with this stuff.
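If you do have to use the callback, it does not need to be all-or-nothing. The following is an added example (not code from the original post) of a callback that keeps the normal chain validation, tolerates only the host-name mismatch described above, and even then accepts only one specific, pre-agreed certificate identified by its thumbprint; every other failure is rejected and the reason is written to the trace log. The `PinnedCertificateValidator` class name and the `ExpectedThumbprint` value are assumptions: the thumbprint is a placeholder that you would replace with the one shown in the certificate dialog.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a validation callback that relaxes only the host-name check,
// and only for one known certificate. Everything else is rejected and logged.
public static class PinnedCertificateValidator
{
    // PLACEHOLDER (assumed value): the SHA-1 thumbprint of the server
    // certificate as shown in the certificate dialog, without spaces.
    private const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    public static void Install()
    {
        // ServicePointManager is AppDomain-wide: this callback runs for every
        // HTTPS request made from the AppDomain, not just the WCF proxy.
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal case: trusted chain and matching host name. Accept.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Record why validation failed; the WCF error message alone gives no
        // hint whether it was the name, the chain, or a missing certificate.
        Trace.TraceWarning("Certificate validation failed: {0}", sslPolicyErrors);
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Trace.TraceWarning("  chain status: {0} ({1})", status.Status, status.StatusInformation);
        }

        // The only error tolerated is a host-name mismatch (the situation in
        // the article: endpoint addressed by IP or by a name other than the
        // "issued to" one). Chain errors or a missing certificate are fatal.
        if (sslPolicyErrors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;

        // Even then, accept only the one certificate we expect, so a different
        // certificate with a valid chain cannot be substituted for it.
        string actual = certificate.GetCertHashString();
        bool pinned = string.Equals(actual, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
        if (!pinned)
            Trace.TraceWarning("Certificate thumbprint {0} does not match the pinned value", actual);
        return pinned;
    }
}
```

Call `PinnedCertificateValidator.Install()` once at start-up, before the first call to the service. Because the callback is still process-wide, the pin is deliberately narrow: any request to a host whose certificate chains correctly and matches its name is unaffected, and only the one mis-named certificate is let through.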
Thanks to my colleague Zulfiqar for his help with this.
05 Mar 2009
22 Jun 2009
I have an SSL certificate issued for my domain, and I added an entry to the hosts file to point the same domain to my local IP. I can open my service file from the browser without any problem or security warning, but the problem is that the base address of the service is returned as the computer name, not the domain name. For example, I open the service from this address (https://www.domain.com/service.svc) but the address displayed on the service page is (https://computername/service.svc?wsdl), and this causes my client application to give the error you mentioned here. How can I solve this issue?
04 Aug 2009
Very, very useful for us. I had been sitting with this issue for a week now, and changing the URL to have the certificate name rather than the IP address solved my issue like magic. :)
07 Jun 2010
I faced this problem right now, and I am trying to find out what the problem is. My certificate is created by my custom Certificate Authority, which runs on a Win2003 server. Both the CA and the certificate for the SSL port are installed on the client machine. The "Issued to" field of the certificate which I use to authenticate the port is "My SSL Certificate", so I cannot use this in the URL. Or could this be the problem? Should the certificate be named like the domain that I use?
Hope you can help!
17 Jun 2011
I had the same issue. Point #1 resolved my issue.
It works for sure.
Thanks for sharing.
20 Sep 2011
Thank you for your post, I guess it saved me hours of searching!!!