As described in this question, I'm able to connect with Swish using their test account and test certificate.
However, when using my own generated certificate I still get the generic error `Could not create SSL/TLS secure channel` using C# HttpClient.
I have been following these guides for Swish certificate administration:
https://www.getswish.se/content/uploads/2015/11/Guide-Certifikatsadministration_20151210.pdf
Since we are using IIS, I created the certificate signing request using this: IIS -> Server Certificates -> Create Certificate Request…. I chose `Microsoft RSA Schannel Cryptographic Provider` with a bit length of 2048 since the documentation says it should be PKCS#10 with 2048-bit RSA key. My theory is that I'm doing something wrong here. Since we are developing this now and the application is not running on a domain name yet, I set `Common Name` to `localhost`. Could this be the problem, and if so, what value should I put there for it to work from our environments? The test certificate works without a problem, as I mentioned before.
After this I pasted the value from the file created at the service https://getswishcert.bankgirot.se/ and got a PKCS#7-file back (.p7b, also tried with .pem).
I then went to IIS -> Server Certificates -> Complete Certificate Request… to import the file.
When imported, the `Certification Path` and everything else looks good as far as I can tell.
I also tried exporting the certificate to `.pfx` via MMC -> Select certificate -> right click -> All Tasks -> Export. I chose to export it with the private key and password protected, then imported it under `Certificates - Current User`. I can then choose the certificate in Chrome, but I get the error `ERR_SSL_PROTOCOL_ERROR`. The test certificate works in Chrome as well.
Turned out the certificate was OK. The problem was that the application was trying to connect to https://mss.swicpc.bankgirot.se/ (test environment) with the live certificate instead of https://swicpc.bankgirot.se/ (live).
Found with logging from here.
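
One way to rule out the endpoint/certificate mismatch described in the answer, as an added example that is not part of the original post: each environment's base URL and certificate are selected together, and the pairing is logged when the client is created. `SwishEnvironment` and `SwishClientFactory` are hypothetical names, the thumbprints are placeholders, and the certificate is assumed to be in the Current User personal store.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;

// Hypothetical type (added example): one record binds an endpoint to its certificate.
public sealed record SwishEnvironment(string Name, Uri BaseAddress, string Thumbprint);

public static class SwishClientFactory
{
    // URLs are the two named on this page; thumbprints are placeholders to fill in.
    static readonly Dictionary<string, SwishEnvironment> Environments = new(StringComparer.OrdinalIgnoreCase)
    {
        ["test"] = new("test", new Uri("https://mss.swicpc.bankgirot.se/"), "<TEST-CERT-THUMBPRINT>"),
        ["live"] = new("live", new Uri("https://swicpc.bankgirot.se/"), "<LIVE-CERT-THUMBPRINT>"),
    };

    public static HttpClient Create(string environmentName)
    {
        if (!Environments.TryGetValue(environmentName, out var env))
            throw new ArgumentException($"Unknown Swish environment '{environmentName}'.");

        var cert = FindCertificate(env.Thumbprint);
        // A certificate without its private key cannot be used for client authentication.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} has no private key.");
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} is outside its validity period.");

        var handler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };
        handler.ClientCertificates.Add(cert);
        // Log the pairing so a wrong environment shows up before the TLS handshake fails.
        Console.WriteLine($"Swish [{env.Name}] -> {env.BaseAddress} using {cert.Subject}");
        return new HttpClient(handler) { BaseAddress = env.BaseAddress };
    }

    // Assumption: the certificate was imported under Certificates - Current User (Personal).
    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count != 1)
            throw new InvalidOperationException($"Expected 1 certificate for {thumbprint}, found {matches.Count}.");
        return matches[0];
    }
}
```

Because the URL and thumbprint come from the same record, switching environments is a single setting, and the startup log line shows which pair is in use.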