Can't solve the problem with certificate validation.
There's Web API server, that uses HTTPS to handle requests. Server's certificate has this certification path: RCA (root) -> ICA (intermediate) -> Web API server. RCA, ICA and Web API server are members of the same Active Directory domain.
Client application (desktop, computer is joined to the same domain) uses HttpClient to communicate with server and supports two scenarios:
Both scenarios use basic authentication.
RCA and ICA certificates are placed in "Trusted Root Certification Authorities" and "Intermediate Certification Authorities" respectively for local computer account. RCA certificate is self-signed.
Now, when client is connected to corporate network, certificate validation works as expected, and user can "talk" to Web API.
When client is disconnected (only Internet connection is available), certificate validation fails with AuthenticationException ("The remote certificate is invalid according to the validation procedure").
I don't want to turn off certificate validation completely, but just need a way to tell validation system, that this particular certificate is valid. Also, client application uses SignalR, which by default uses it's own transport. Hence, this and this are not options.
Why placing RCA an ICA certificates to "Trusted..." and "Intermediate..." folders doesn't help?
Is there any workaround?
The issue you are experiencing is because the subject CN presented by the certificate does not match the host name in the Uri.
Make sure that the certificate bound to the public IP address of the host does have a matching CN with the host name you are using to access the resource.
To easily verify, open the Url in a browser and view the certificate. The Issued to field should contain a FQDN and match the host name part in the Uri. In your case, it does not.