MSDN Library

CertificatePolicy Class

Namespace: System.Net.Security

public abstract class CertificatePolicy

Defines the base class that custom certificate policy classes derive from to supply their own server certificate validation logic.

Note: The CertificatePolicy class is obsolete. Validate server certificates with a RemoteCertificateValidationCallback passed to SslStream, or through the SslClientAuthenticationOptions and SslServerAuthenticationOptions classes, instead.

Remarks

When you use an SslStream to communicate with a server, the stream must authenticate the server by validating the certificate it presents: the chain must build to a trusted root, the certificate must be within its validity period, and its subject or subject alternative name must match the host being contacted. By default, the .NET Framework performs these checks against the system trust store. The CertificatePolicy class lets you substitute your own rules by deriving from it and overriding its method. Typical reasons are trusting an internal CA, pinning the self-signed certificate of a specific host, or requiring a particular subject name. A custom policy replaces the built-in decision rather than adding to it, so every check you leave out is a check that is no longer performed: a policy that accepts every certificate leaves the connection encrypted but unauthenticated, and an attacker on the path can terminate the TLS session with a certificate of their own.

The CertificatePolicy class and the System.Net.Security.CertificatePolicy.CertPolicy property are obsolete in modern .NET development. New code, and in particular code targeting .NET Core and later, should use a RemoteCertificateValidationCallback, supplied to the SslStream constructor or through SslClientAuthenticationOptions.RemoteCertificateValidationCallback; server-side client-certificate requirements are expressed through SslServerAuthenticationOptions. The callback receives the certificate, the X509Chain that was built, and an SslPolicyErrors value describing what the built-in validation found, so a custom policy can be written as a narrow override of the default verdict instead of a replacement for it.

Implementation Notes

To create a custom certificate policy, you need to:

  1. Derive a new class from CertificatePolicy.
  2. Override the GetCertificate method. This method is called by the SslStream when the server's certificate has to be validated for the given host and port.
  3. Implement your validation logic within the overridden GetCertificate method: check the subject name against the host you are connecting to, the issuer, the validity dates, or custom extensions, and return null (reject) whenever a check fails. Rejecting by default and accepting only what you have explicitly verified is what keeps the policy from silently disabling authentication.
  4. Install the policy by assigning an instance of your class to the static System.Net.Security.CertificatePolicy.CertPolicy property before establishing any SSL/TLS connection; connections opened earlier are not re-validated.

Example:


using System;
using System.Security.Cryptography.X509Certificates;

public class CustomCertificatePolicy : System.Net.Security.CertificatePolicy
{
    // Path of the one certificate this policy is willing to trust (placeholder path).
    private const string TrustedCertificatePath = "path/to/your/trusted.cer";

    public override X509Certificate GetCertificate(string host, int port)
    {
        Console.WriteLine($"Validating certificate for {host}:{port}");

        // Returning null rejects the connection; returning an X509Certificate accepts it.
        // Do not return an arbitrary certificate just to make a connection succeed, even
        // for testing: that disables server authentication entirely.

        // Load the pinned certificate and reject it outside its validity period.
        var trusted = new X509Certificate2(TrustedCertificatePath);
        var now = DateTime.UtcNow;
        if (now < trusted.NotBefore.ToUniversalTime() || now > trusted.NotAfter.ToUniversalTime())
        {
            return null;
        }

        // Reject unless the pinned certificate was issued for the host being contacted.
        var dnsName = trusted.GetNameInfo(X509NameType.DnsName, false);
        if (!string.Equals(dnsName, host, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }

        return trusted;
    }
}

// To use the custom policy, install it before opening any connection:
// System.Net.Security.CertificatePolicy.CertPolicy = new CustomCertificatePolicy();

// Then proceed with establishing an SslStream connection.
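The following is an added example, not code from this page or from the .NET Framework documentation, that puts the weak and the hardened form of a custom policy side by side using the APIs the framework actually ships: the legacy System.Net.ICertificatePolicy interface (CheckValidationResult, installed through ServicePointManager.CertificatePolicy), which is the mechanism the obsolete-policy pattern above corresponds to, and the supported RemoteCertificateValidationCallback used by SslStream. The callback keeps the platform's verdict and overrides it in exactly one case, a chain-trust failure for a leaf certificate whose SHA-256 fingerprint is pinned; name mismatches are never overridden and expiry is re-checked because it is reported under the same chain-error flag. The host name internal.example.test, the attacker.example.test name and the generated self-signed certificates are constructed test input, so the block runs offline; the TcpClient wiring at the end is commented out and assumes a reachable host.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// WEAK: the accept-everything policy the legacy ICertificatePolicy API invites.
// Returning true for every certificateProblem turns off server authentication;
// any on-path attacker can present a certificate of their own.
sealed class AcceptAnyCertificatePolicy : ICertificatePolicy
{
    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem) => true;
    // Installed (do not do this in production) with:
    // ServicePointManager.CertificatePolicy = new AcceptAnyCertificatePolicy();
}

// HARDENED: a RemoteCertificateValidationCallback that accepts the built-in verdict and
// overrides it only for a chain-trust failure on a pinned leaf certificate.
static class PinnedServerCertificateValidator
{
    // Hex SHA-256 fingerprints of certificates trusted outside the system store
    // (populated by the caller; Main below adds a generated one).
    public static readonly HashSet<string> Pins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    public static string Sha256Fingerprint(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(certificate.GetRawCertData())).Replace("-", "");
        }
    }

    public static bool Validate(object sender, X509Certificate certificate, X509Chain chain,
                                SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null) return false;

        // Built-in validation passed: trusted root, valid dates, matching name.
        if (sslPolicyErrors == SslPolicyErrors.None) return true;

        // Anything beyond a pure chain-trust failure (RemoteCertificateNameMismatch,
        // RemoteCertificateNotAvailable) is never overridden.
        if ((sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        // Chain errors also cover expiry, so re-check the validity period before trusting the pin.
        var leaf = new X509Certificate2(certificate);
        var now = DateTime.UtcNow;
        if (now < leaf.NotBefore.ToUniversalTime() || now > leaf.NotAfter.ToUniversalTime())
            return false;

        return Pins.Contains(Sha256Fingerprint(leaf));
    }
}

static class Program
{
    // Constructed test input: throw-away self-signed certificates standing in for an
    // internal server (pinned) and an impostor (not pinned).
    static X509Certificate2 SelfSigned(string subject, RSA key) =>
        new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

    static void Main()
    {
        using (var rsa = RSA.Create(2048))
        using (var pinned = SelfSigned("CN=internal.example.test", rsa))
        using (var other = SelfSigned("CN=attacker.example.test", rsa))
        {
            PinnedServerCertificateValidator.Pins.Add(
                PinnedServerCertificateValidator.Sha256Fingerprint(pinned));

            var chainErr = SslPolicyErrors.RemoteCertificateChainErrors;
            Console.WriteLine("pinned self-signed, chain error only  : " +
                PinnedServerCertificateValidator.Validate(null, pinned, null, chainErr));
            Console.WriteLine("unpinned self-signed, chain error only: " +
                PinnedServerCertificateValidator.Validate(null, other, null, chainErr));
            Console.WriteLine("pinned but host name mismatch         : " +
                PinnedServerCertificateValidator.Validate(null, pinned, null,
                    chainErr | SslPolicyErrors.RemoteCertificateNameMismatch));
        }

        // Wiring the callback into a real connection (not executed here; host and port are assumptions):
        // using var tcp = new System.Net.Sockets.TcpClient("internal.example.test", 443);
        // using var ssl = new SslStream(tcp.GetStream(), false, PinnedServerCertificateValidator.Validate);
        // ssl.AuthenticateAsClient("internal.example.test");
    }
}
```

The first call accepts, the other two reject. Pinning the leaf fingerprint is the right tool for a single self-signed host; for an internal CA that issues many certificates, prefer building the chain against that CA (X509Chain with a custom trust store on .NET 5 and later) rather than pinning every leaf, and rotate pins before the pinned certificate expires, since an expired pin fails closed.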
                

Members

Member                      Description

CertPolicy (property)       public static CertificatePolicy CertPolicy { get; set; }
                            Gets or sets the custom certificate policy applied to connections established after it is assigned.

GetCertificate (method)     public abstract X509Certificate GetCertificate(string host, int port)
                            Implements the custom validation decision for the given host and port; returns the accepted certificate, or null to reject the connection.