Could not create SSL/TLS secure channel - Could the problem be a proxy server?

Asked 21/10, 2009 at 13:9 Answered 12/5, 2022 at 14:44

I have a c# app that calls a web service method that authenticates using a certificate. The code works, because when it is installed on server A (without a proxy) it authenticates.

When I install the code on server B, at client site, its installed behind a proxy. I've really tried almost everything but I keep getting this error:

Could not create SSL/TLS secure channel

Do you think this issue can be caused by a proxy server? If you've had any personal experience with this please share.

Thanks

Characterization answered 21/10, 2009 at 13:9 Comment(0)

In my experience, nearly all such messages are due to some machine in the chain (client, proxy, server) not "liking" a certificate for some reason.

To elaborate on what twk said, if you're using self-signed certificates, or your own CA, you need to install the signing cert in the trusted authorities store on the server at least, and possibly on the proxy.

Common problems I've encountered:

The certificate on the server is not signed by an authority that the PROXY or the CLIENT trusts
The certificate on the CLIENT is not signed by an authority that the PROXY or the SERVER trusts
Oops, I forgot to export the private key when I created the cert to be installed on the client
My process does not have read permissions to the private key on the client
The client certificate is password protected and I didn't specify credentials when reading the certificate.

Manciple answered 21/10, 2009 at 14:3 Comment(0)

I was having the same problem. In my case the certificates need the Network service access. You can check by

Open certificate MMC
Navigate to Certificates (Local Computer) > Personal > Certificates
Right click on your certificate and select All Tasks> Manage Private Keys… from the context menu
Set the appropriate permission

Shapiro answered 4/12, 2014 at 19:23 Comment(3)

YES! I had the same issue and this solved it for me. Thank you thank you thank you! – Sacramentalist 5/10, 2017 at 14:40

Thank you so much! Superhero! – Androecium 29/3, 2019 at 12:5

this helped me! Thanks! – Infirm 15/4, 2019 at 23:38

If your certificate is not trusted (is self signed) then C# client will refuse to connect.

Griskin answered 21/10, 2009 at 13:19 Comment(1)

You can buy a cert from Verisign (or Thawte, etc.), but it won't be trusted unless Verisign's signing key is in the "Trusted Root Certification Authorities" keystore. Now, in the case of most major CAs, the signing key is already there. However, that's NOT a guarantee. You should definitely check! At the very least, load up the certificate manager and double click on the key and go to the "certification path" tab and make sure it says "This certificate is OK." And, on the client side, you should also see "You have a private key that corresponds to this certificate" on the General tab. – Manciple 22/10, 2009 at 21:8

Add this to the constructor:

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Fredia answered 12/5, 2022 at 14:44 Comment(0)

My answer is similar to that of Snakebyte. In my case the certificate's private key needs the IIS_IUSRS user access.

Open certificate MMC
Right click on your certificate and select All Tasks> Manage Private Keys… from the context menu
Add the IIS_IUSRS user and set the appropriate permissions.

Audley answered 31/5, 2021 at 13:39 Comment(0)

Recommended topics

Hot tags