Using .NET code to resolve “Remote certificate is invalid” when multi-tenant web app is configured as client in client-server model.
You can pin the server certificate's thumbprint in the .NET application code to resolve "Remote certificate is invalid" when a multi-tenant web app is configured as the client in a client-server model and makes HTTPS requests to a server whose certificate was issued by a private CA.
When a web app acts as a client and makes an HTTPS call to an external server secured by a private CA, the web app validates the server's certificate chain against the trusted root CAs installed on the platform. Because the remote server certificate is signed by a private CA that is not in that trusted root list, chain validation fails and the connection is rejected. You cannot modify the list of Trusted Root Certificates in multi-tenant App Service.
The lab below implements .NET code to resolve “Remote certificate is invalid”.
Prerequisites
Server
Client
Implementation
The following code references the GitHub repository below.
ardoric/TrustDotNET: Sample dot net web app showing how to add TLS Trusted CA via code (github.com)
The application code implements two HTTPS calls to the remote server: one through a plain HttpClient with default validation (HttpClientBase) and one through an HttpClient with a custom server certificate validation callback (HttpClientCustom).
Lab
Test 1: remote server with server certificate signed by a well-known CA
Success: HttpClientBase
Test 2: remote server with server certificate signed by a private CA
Failed: HttpClientBase has no custom validation, and the private CA is not in the web app's trusted root CA list either.
If App Service logs are enabled, you can use the log stream to view the error message.
You can also use the command openssl s_client -connect emmamusic.org:443 to inspect the remote server certificate as illustrated below.
Test 3: remote server with server certificate signed by a private CA
Success: HttpClientCustom uses a custom server certificate validation callback. Although the private CA is not in the web app's trusted root CA list, the application code validates the server certificate by comparing its thumbprint against the expected value.
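The following is an added example, not code from the original post or from the referenced repository, showing the two ways the custom validation in Test 3 can be written with HttpClientHandler.ServerCertificateCustomValidationCallback. The first handler pins the server's leaf certificate by SHA-1 thumbprint, as the post describes; the second goes beyond the post and trusts the private CA's root certificate through a custom trust store, which survives server certificate renewals as long as the same CA issues the new certificate. The thumbprint value, the root CA file path and the target URL are placeholders (assumptions); .NET 6 or later is assumed for Convert.FromHexString and X509ChainTrustMode.CustomRootTrust.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class CustomTlsClients
{
    // Assumed placeholder: SHA-1 thumbprint of the expected server leaf certificate,
    // e.g. from `openssl s_client -connect host:443 | openssl x509 -fingerprint -sha1 -noout`.
    const string ExpectedThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Option 1: accept the platform's verdict when the chain validates normally, and
    // otherwise accept only the single certificate whose thumbprint is pinned.
    public static HttpClient CreateThumbprintPinnedClient(string expectedThumbprint)
    {
        byte[] expected = Convert.FromHexString(expectedThumbprint.Replace(":", "").Replace(" ", ""));
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert is null) return false;
                if (errors == SslPolicyErrors.None) return true;          // public CA path still works
                // Only tolerate the untrusted-root chain error; a hostname mismatch or
                // missing certificate must still fail.
                if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
                byte[] actual = cert.GetCertHash(HashAlgorithmName.SHA1);
                return CryptographicOperations.FixedTimeEquals(actual, expected);
            }
        };
        return new HttpClient(handler);
    }

    // Option 2: rebuild the chain with the private root CA as the only trust anchor.
    // The chain handed to the callback already carries the intermediates the server sent,
    // so reusing it and changing the policy is enough.
    public static HttpClient CreatePrivateCaClient(X509Certificate2 privateRootCa)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert is null || chain is null) return false;
                if (errors == SslPolicyErrors.None) return true;
                if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0) return false;
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Clear();
                chain.ChainPolicy.CustomTrustStore.Add(privateRootCa);
                // Assumption: the private CA publishes no reachable CRL/OCSP endpoint.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                return chain.Build(cert);
            }
        };
        return new HttpClient(handler);
    }

    // Usage: dotnet run -- https://your-private-ca-server.example  (placeholder URL)
    static async Task Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://localhost/";

        using HttpClient pinned = CreateThumbprintPinnedClient(ExpectedThumbprint);
        Console.WriteLine($"pinned: {(int)(await pinned.GetAsync(url)).StatusCode}");

        // Assumed placeholder path to the private root CA in PEM format.
        using X509Certificate2 root = new X509Certificate2("private-root-ca.pem");
        using HttpClient trusted = CreatePrivateCaClient(root);
        Console.WriteLine($"private CA: {(int)(await trusted.GetAsync(url)).StatusCode}");
    }
}
```

Thumbprint pinning is the simplest fix but breaks every time the server certificate is renewed, so the value must be rotated together with the certificate; trusting the private root instead moves that burden to CA rotation, which is much rarer. In both handlers the callback only overrides RemoteCertificateChainErrors, so a certificate issued for the wrong hostname is still rejected.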
Conclusion
You cannot modify the list of Trusted Root Certificates in multi-tenant App Service, so you have three options:
Reference