MSDN Documentation

.NET APIs - Networking - System.Net.Security

CertificatePolicy Class

System.Net.Security

This class is used to define custom certificate validation policies for network connections, particularly when using SSL/TLS.

Summary

The CertificatePolicy class provides a mechanism for applications to override the default X.509 certificate validation behavior used by the .NET Framework's networking classes, such as SslStream. This is often necessary in scenarios where self-signed certificates are used, or custom validation logic is required.

By implementing a custom certificate policy, developers can control whether a given certificate is considered valid for a specific network connection, allowing for more flexibility in secure communication setups.

Syntax


public static class CertificatePolicy
{
    // Methods
    public static bool CheckCertificateRevocationStatus(
        System.Security.Cryptography.X509Certificates.X509Certificate certificate
    );
    public static bool CheckValidationResult(
        string hostName,
        System.Security.Cryptography.X509Certificates.X509Certificate certificate,
        System.Security.Cryptography.X509Certificates.X509Chain chain,
        System.Net.Security.SslPolicyErrors sslPolicyErrors
    );
    public static void SetPolicy(
        System.Net.Security.ICertificatePolicy policy
    );
}

Members

Methods

Member Description
CheckCertificateRevocationStatus(X509Certificate certificate)

Determines whether the specified certificate has been revoked. This method is called by the .NET Framework to check the revocation status of a certificate.

CheckValidationResult(string hostName, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)

This is the core method that applications override to implement custom certificate validation logic. It is called when a certificate needs to be validated for a network connection.

  • hostName: The hostname of the server to which the client is connecting.
  • certificate: The X.509 certificate presented by the server.
  • chain: The X.509 chain of certificates used to establish trust.
  • sslPolicyErrors: Any errors encountered during the default validation process.

The method should return true if the certificate is considered valid for the connection, and false otherwise.

SetPolicy(ICertificatePolicy policy)

Sets the custom certificate policy to be used for validating server certificates. The provided policy object must implement the ICertificatePolicy interface.

Interfaces

Interface Description
ICertificatePolicy

An interface that must be implemented by custom certificate policy classes. It defines the CheckValidationResult method.

Remarks

The CertificatePolicy class is a static class, meaning you don't create instances of it. Instead, you interact with its static members.

To use custom certificate validation, you typically perform the following steps:

  1. Define a class that implements the ICertificatePolicy interface.
  2. Implement the CheckValidationResult method within your custom class to define your validation logic.
  3. Call the static SetPolicy method, passing an instance of your custom policy class.

Note: In modern .NET versions (.NET Core and later), the CertificatePolicy class and the ICertificatePolicy interface are considered obsolete. For new development, it is recommended to use the HttpClientHandler.ServerCertificateCustomValidationCallback property or the SslClientAuthenticationOptions.RemoteCertificateValidationCallback property, which provide more granular control and a modern approach to certificate validation.

Example

The following example demonstrates how to set a custom certificate policy that accepts any certificate for testing purposes. Do not use this in production environments.


using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Define a custom policy that accepts any certificate
public class TrustAllCertificatesPolicy : ICertificatePolicy
{
    public bool CheckValidationResult(
        string hostName,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // In this example, we ignore all errors and trust the certificate.
        // This is insecure and should only be used for testing or development.
        return true;
    }
}

public class CertificatePolicyExample
{
    public static void Main(string[] args)
    {
        // Set the custom certificate policy
        CertificatePolicy.SetPolicy(new TrustAllCertificatesPolicy());

        Console.WriteLine("Custom certificate policy has been set.");
        Console.WriteLine("Note: This example uses an insecure policy and is for demonstration only.");

        // You would typically proceed with an SSL/TLS connection here,
        // and it would now use your custom policy.
        // For instance:
        // using (var client = new TcpClient("your.server.com", 443))
        // using (var sslStream = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate)))
        // {
        //     // ... SSL handshake ...
        // }
    }

    // A sample callback that might be used in modern .NET (not directly with CertificatePolicy)
    // public static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    // {
    //     if (sslPolicyErrors == SslPolicyErrors.None)
    //         return true;
    //
    //     Console.WriteLine("Certificate error: " + sslPolicyErrors);
    //     return false; // Do not allow this connection
    // }
}
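As an added example that is not part of the original documentation, this is the hardened counterpart to the trust-all policy above. It follows the three steps from the Remarks, accepts a certificate only when default validation succeeded or when one named host presents one pinned self-signed certificate, and reuses the same decision in the HttpClientHandler.ServerCertificateCustomValidationCallback mentioned in the note. AllowedHost, AllowedThumbprint and the class names are placeholders, and the ICertificatePolicy signature is taken from this page's description.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Accepts the server certificate only when default validation passed, or when the
// connection is to one known host presenting one known self-signed certificate.
public class PinnedSelfSignedPolicy : ICertificatePolicy
{
    // Placeholder values: replace with the real host and the thumbprint of the
    // self-signed certificate you intend to trust.
    public const string AllowedHost = "internal.example.test";
    public const string AllowedThumbprint = "0000000000000000000000000000000000000000";

    public bool CheckValidationResult(
        string hostName, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return IsAcceptable(hostName, certificate, sslPolicyErrors);
    }

    // Shared decision logic, also used by the modern HttpClientHandler callback below.
    public static bool IsAcceptable(string hostName, X509Certificate certificate, SslPolicyErrors errors)
    {
        // Chain and name validation succeeded: nothing to override.
        if (errors == SslPolicyErrors.None)
            return true;

        // Only the "untrusted root" case of a self-signed certificate is tolerated;
        // a name mismatch or a missing certificate is always rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || certificate == null)
            return false;

        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        bool hostMatches = string.Equals(hostName, AllowedHost, StringComparison.OrdinalIgnoreCase);
        bool pinMatches = string.Equals(cert2.Thumbprint, AllowedThumbprint, StringComparison.OrdinalIgnoreCase);
        return hostMatches && pinMatches;
    }
}

public static class PolicyWiring
{
    public static void Main()
    {
        // Legacy path, as described on this page.
        CertificatePolicy.SetPolicy(new PinnedSelfSignedPolicy());

        // Modern path: the same decision wired into HttpClientHandler.
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            PinnedSelfSignedPolicy.IsAcceptable(request.RequestUri.Host, cert, errors);
        using (var client = new HttpClient(handler)) { /* issue requests here */ }
    }
}
```

Rejecting RemoteCertificateNameMismatch and RemoteCertificateNotAvailable unconditionally keeps the exception limited to the one expected certificate on the one expected host.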

Requirements

Requirement Details
Namespace: System.Net.Security
Assembly: System.dll
.NET Framework versions: Supported in 4.8, 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, 4.6, 4.5.2, 4.5.1, 4.5, 4.0, 3.5, 3.0, 2.0