When a .Net client tries to connect to EMS on SSL, it receives the error, "The remote certificate is invalid according to the validation procedure".
Article ID: KB0091545
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Description
Resolution:
Cause
=========
The error indicates that server authentication has failed.
Resolution
==========
Check the following:
1). The .Net client is required to do server authentication. Refer to SOL1-B05W00 for how to import certificate to the certificate store on a Windows machines.
2). Open the certificate in MMC and make sure it is shown to be a valid certificate.
3. The.NET SSLStream requires a targetHost to be specified. You will need to include ssl_target_hostname in your application. Make sure that the name matches CN in the server certificate.
4. The .NET SSLStream conforms to RFC 6125: Representation and Verification of Domain-Based Application Service Identity within Internet Public Key nfrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). Therefore if the certificate has Subject Alternative Name (SAN) extensions of DNS type, the target host name must be included in the SAN.
Environment
============
Windows
Keywords
============
Validation procedure SSL CN .Net Subject Alternative Name.
Cause
=========
The error indicates that server authentication has failed.
Resolution
==========
Check the following:
1). The .Net client is required to do server authentication. Refer to SOL1-B05W00 for how to import certificate to the certificate store on a Windows machines.
2). Open the certificate in MMC and make sure it is shown to be a valid certificate.
3. The.NET SSLStream requires a targetHost to be specified. You will need to include ssl_target_hostname in your application. Make sure that the name matches CN in the server certificate.
4. The .NET SSLStream conforms to RFC 6125: Representation and Verification of Domain-Based Application Service Identity within Internet Public Key nfrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS). Therefore if the certificate has Subject Alternative Name (SAN) extensions of DNS type, the target host name must be included in the SAN.
Environment
============
Windows
Keywords
============
Validation procedure SSL CN .Net Subject Alternative Name.
Issue/Introduction
When a .Net client tries to connect to EMS on SSL, it receives the error, "The remote certificate is invalid according to the validation procedure".
Additional Information
http://tools.ietf.org/html/rfc6125
http://social.msdn.microsoft.com/Forums/en-US/4ca67aa4-8c65-43d7-8dca-a1e251e044f1/net-sslstream-authenticateasclient-what-is-targethost?forum=netfxbcl
http://social.msdn.microsoft.com/Forums/en-US/4ca67aa4-8c65-43d7-8dca-a1e251e044f1/net-sslstream-authenticateasclient-what-is-targethost?forum=netfxbcl
Feedback
Yes
No
Powered by
