Using the Account Service Certificate Store with .NET 2.0 HttpWebRequest
I have a Windows .NET 2.0 service application written in C# that accesses a soapless web service over SSL using HttpWebRequest. My Windows service is running under the NETWORK SERVICE account.
I can make SSL work by issuing a certificate from the CA to the web server that the Windows service is running from and then installing the CA certificate in the Local Machine\Trusted Root store.
What I would like to do is install the CA certificate in the "service account" root trust store instead of the "local machine" store and have this "just work".
In other words, it seems like the SSL authentication used by the .NET Framework is hardcoded to check the current user store and local machine store for trusted roots when checking the SSL certificate, but is there any clean way to get it to verify against the "service account" store instead of (or in addition to) the other stores?
The only solution I can think of is to override ServicePointManager.ServerCertificateValidationCallback and then P/Invoke to the Crypto API to open the "service account" certificate store in Win32 and manually look for the root there. I would rather not do this, as it looks like a pretty big performance penalty to have to wait for 2 certificate stores to fail, which I have no intention of using at all.
Perhaps I am using a completely wrong approach here, but it seems to me that I just cannot solve my problem.
If your code is controlling the server it is talking to, then why don't you just return "true" from the CertValidationCallback? It is not as if the server certificate changes every time you make a request.
If you really need a system to check for other things related to the certificate like CRL, expiration, etc., you can just get it to work by doing a certificate authentication callback.
If you really want to install a certificate in the NETWORK_SERVICE a/c context, then Microsoft tools will help you with this.
http://support.microsoft.com/kb/901183
http://web.asu.edu/community/installing-client-certificate-windows-machine
http://www.derkeiler.com/Newsgroups/microsoft.public.dotnet.security/2008-03/msg00011.html
Good luck!
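An added example, not code from the question or the answer: a ServerCertificateValidationCallback that trusts one specific CA without placing it in any Windows root store, while still rejecting name mismatches, expired certificates and chains that end at any other root. The class name, the file path and the assumption that the private CA publishes no CRL are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: trust exactly one private CA for this process's HTTPS calls.
public static class PinnedCaValidator
{
    // Assumption: the CA certificate is deployed as a file with the service.
    private static readonly X509Certificate2 PinnedCa =
        new X509Certificate2(@"C:\MyService\private-ca.cer"); // hypothetical path

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }

    private static bool Validate(object sender, X509Certificate certificate,
                                 X509Chain ignoredChain, SslPolicyErrors errors)
    {
        // A name mismatch or a missing certificate is never acceptable;
        // only chain errors are re-evaluated below.
        if (certificate == null ||
            (errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(PinnedCa);
        // Let the build complete although the root is in no user/machine store.
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        // Assumption: the private CA publishes no CRL.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!chain.Build(new X509Certificate2(certificate)))
            return false;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            // Anything other than "root not trusted" (expired, bad signature,
            // partial chain, ...) fails the connection.
            if (status.Status != X509ChainStatusFlags.UntrustedRoot &&
                status.Status != X509ChainStatusFlags.NoError)
                return false;
        }
        // The chain must end at the pinned CA, not at some other root.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == PinnedCa.Thumbprint;
    }
}
```

The callback is static on ServicePointManager, so it applies to every HttpWebRequest in the AppDomain; call `PinnedCaValidator.Install()` once at service start.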