Web Services: Could not establish trust relationship for the SSL/TLS.

The problem


It is frequent that you will need to either consume web references or expose web services that are called in secure HTTP (HTTPS). In that situation, you may run into problems if the certificate you are using in your web server, or the certificate in the server exposing the service you are consuming, are not issued by a trustworthy authority.


In such cases, you may be presented with an error similar to the one below:


  • Server was unable to process request. ---> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

This scenario becomes more frequent in the non-productive environments - it is frequent that companies purchase certificates for the production servers, but install self-issued certificates for the other staging environments.




To overcome this error, you need to install the certificate that is used by the web service provider in the server that will be calling the web service.


  • If you are consuming a service provided by a third-party vendor in your OutSystems Application, then you need to install the certificate from the third-party vendor in the OutSystems server;
  • If you are exposing a service for a third-party entity, then they need to install your certificate in their server.


Obtaining the certificate


To obtain the certificate, you can either:

  1.  Ask the vendor for it (you can ask them for the Root CA certificate, so you can at once authorize all the servers from them you might need);
  2.  Obtain it yourself: using Internet Explorer or other browser, you can obtain the certificate yourself if you access any HTTPS page on the server, and then use the appropriate browser options to export the certificate to a .cer file.

Installing the certificate


In Windows 2003, certificate installation can be done by using the follwing procedure:


  1. Open Microsoft Management Console (Start --> Run --> mmc.exe);
  2. Choose File --> Add/Remove Snap-in;
  3. In the Standalone tab, choose Add;
  4. Choose the Certificates snap-in, and click Add;
  5. In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard;
  6. Close the Add/Remove Snap-in dialog;
  7. Navigate to Certificates (Local Computer)
  8. Choose a store to import:
    1. If you have the Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities;
    2. If you have the certificate for the server itself, choose Other People
  9. Right-click the store and choose All Tasks --> Import
  10. Follow the wizard and provide the certificate file you have;

After that, simply restart IIS and try calling the web service again.

you can use the httprequest without any issues, right?

I need to Post/Get some stuff over a ssl.
I have installed the certifcates afaik correctly, but I still get the issue.

I had this same error in Prod that was resolved by republishing the application holding the webservice! Issue appeared out of nowhere and was not reproducible in Test or Dev. SSL certificates did not change.

i am using outsystems cloud. my id is darshanranganatha.outsystemscloud.com.

Now, when i am trying to add the rest services which is hosted on azure (it is a secure website having a self-signed certificate), it is not able to execute the rest api.

Its giving an error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

what to do here??/