Convince WCF To Trust Self-Signed Certificates

When using Self-Signed Certificates in a WCF Service, you may receive the error

SecurityNegotiationException was unhandled: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘localhost:8080’ (your service’s url may be different).

A common cause for the exception is due to the fact that the WCF runtime does not trust Self-Signed Certificates by default. It is, however, possible to override this default behavior.

First we will create a class that does the work of convincing the WCF runtime that our Self-Signed Certificate is trusted.

using System.Security.Cryptography.X509Certificates;
using System.Net;

namespace WindowsClient
    class PermissiveCertificatePolicy
        //The name of the certificate
        string subjectName;
        static PermissiveCertificatePolicy currentPolicy;

        PermissiveCertificatePolicy(string subjectName)
            this.subjectName = subjectName;

            //Set the ServerCertificateValidationCallback property to our custom validator method
            ServicePointManager.ServerCertificateValidationCallback +=
              new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertValidate);

        public static void Enact(string subjectName)
            currentPolicy = new PermissiveCertificatePolicy(subjectName);

        bool RemoteCertValidate(object sender, X509Certificate cert, X509Chain chain, System.Net.Security.SslPolicyErrors error)
            //This is our custom validator method. The methods signature is defined simply to satisfy the 
            //RemoteCertificateValidationCallback delegate. 
            //Our custom validator will ignore the parameters and simply return true to convince the WCF runtime
            //that the self-signed certificate can be trusted.
            return true;

Now that we have a class that can override WCF’s rejection of a Self-Signed Certificate, we will have the client use that class prior to instantiating the service proxy.

private void InstantiateServiceProxy()
            //Convince WCF that our Self-Signed Certificate is trusted

            //Instantiate the service proxy using the basicHttpBinding
            proxy = new MyWcfService("MyEndpoint_BasicHttp");

2 thoughts on “Convince WCF To Trust Self-Signed Certificates

  1. Hi there,

    I am attempting to use this code for a self-signed cert issue but I am getting:

    The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

    This is a fundamentally different error or is it in the same vien as the error you are addressing?



    • I have, personally, never received the error that you mentioned but it certainly is in the same vein as the “Could not establish trust relationship” error that this post speaks of.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s