could not create ssl/tls secure channel web service

Solved! Go to solution
API_Products
Visa Developer Support Specialist

Re: could not create ssl/tls secure channel web service

Hey @juan,

 

What programming language are you trying to test hello world in?  You can use Postman , SOAP UI or VDP Playground tool to test the APIs. Please see user guides below for respective tools.
 
Postman – https://developer.visa.com/pages/working-with-visa-apis/two-way-ssl#testing_twoway_ssl_connectivity_... 
 
SOAP UI – https://developer.visa.com/pages/working-with-visa-apis/two-way-ssl#testing_twoway_ssl_connectivity_... 
 
VDP Playground – https://community.developer.visa.com/t5/Developer-Tools/How-to-test-and-troubleshoot-APIs-with-the-V... 

 




Thanks,

Diana H.



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

suresh1101
Regular Visitor

Re: could not create ssl/tls secure channel web service

If one of your ASP.NET applications need to access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name. It's not readable for everyone (for obvious reasons). The lack of file access is not very intuitive, as you can see the certificate in the Certificate MMC snap-in, and it will claim that "this certificate has a corresponding private key". You'll still have to give the application pool's user read access to the key.


There are some differences in how to do this for the 2008 R2 and the 2003 server, here's a short explanation and some useful resources for both versions.

Windows 2008 R2 server
On the 2008 R2 server, the lack of read access to the private key will manifest itself as this exception: 

Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist

A notable new feature in the 2008 R2 server (with IIS 7.5) is that applications pools run under their own user. You need to figure out which identity the application pool is running as, e.g.: IIS AppPool\DefaultAppPool

The security properties of the private key file can be set through the certificate MMC snap-in. (Start -> run -> "mmc" -> Add snap-in -> Certificates -> Local Machine/Personal cert store). You need to give the application pool user read access to the private key file.

Note: the 2008 server (not R2) uses the same user execution model as the 2003 server, keep reading if you have one of those.

Windows 2003 server
On the 2003 server, the exception is even less informative than on the 2008 R2.

Exception Details: System.Security.Cryptography.CryptographicException: The handle is invalid.

The challenge is still the lack of read access to the private key. Here's an explanation on how to use the WSE tool to adjust the private key's security settings. You can also check out Microsoft's findprivatekey.exe tool.

You'll probably need to give the user NETWORKSERVICE read access to the private key file, unless you've changed the application pool user defaults.

 

mysubwaycard . mygiftcardsite

Clyde23
Regular Visitor

Re: could not create ssl/tls secure channel web service

McDVOICE


@manuel wrote:

Hi everyone. Need some help over here.

As some of you faced before, I'm currently facing the same issue when consuming visa sandbox api from a C# console code (the sample project downloaded from visa). I know I have set the certificate correctly because it works perfectly when I consume the API from SoapUi. I've tried setting explicitly to use the TLS 1.2, but still does not work.

 

Thanks in advance


 


Problem solved, Seems a Intermediate Certificate was missing, Imported it into Intermediate Certificates in MMC, and all was good 🙂

API_Products
Visa Developer Support Specialist

Re: could not create ssl/tls secure channel web service

Hi @Clyde23,

 

Thanks for letting us know that your issue is resolved and how you resolved it. Excited to hear your making great progress and look forward to receiving your Going Live request submission.        

 

Feel free to share with us any other solutions that come along the way, as we will be interested to be part of your code testing and Going Live journey. Have a good day!

 

 

                     




Thanks,

Diana H.



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.