Bypass invalid SSL certificate errors when calling web services in .Net
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
When calling HTTPS web services in .NET, the runtime validates the server's SSL/TLS certificate. If the certificate is self-signed, expired, or has a domain mismatch, the call fails with an AuthenticationException or WebException. During development and testing, you may need to bypass this validation. In .NET Framework, you set ServicePointManager.ServerCertificateValidationCallback. In .NET Core/.NET 5+, you configure HttpClientHandler.ServerCertificateCustomValidationCallback. Both approaches should only be used in development — disabling certificate validation in production exposes your application to man-in-the-middle attacks.
.NET Core / .NET 5+ (HttpClient)
DangerousAcceptAnyServerCertificateValidator is a built-in callback that accepts any certificate. The name intentionally signals that this is unsafe for production.
Custom Validation Callback
A custom callback lets you accept specific certificates (by thumbprint or subject) while rejecting others. This is safer than accepting all certificates.
.NET Framework (ServicePointManager)
ServicePointManager.ServerCertificateValidationCallback is a global static property — it affects every HTTPS request in the process. This is the .NET Framework approach; .NET Core should use HttpClientHandler instead.
WCF Client
Environment-Based Configuration
Using IHttpClientFactory with environment checks ensures SSL bypass only applies in development and only to specific named clients.
Adding a Self-Signed Certificate as Trusted
Trusting the certificate at the OS level or certificate store is safer than bypassing validation entirely.
Common Pitfalls
- Using ServicePointManager in .NET Core:
ServicePointManager.ServerCertificateValidationCallbackhas no effect in .NET Core/.NET 5+. It only works in .NET Framework. UseHttpClientHandler.ServerCertificateCustomValidationCallbackinstead. - Leaving bypass enabled in production: Disabling certificate validation in production allows man-in-the-middle attacks. Use environment checks (
IsDevelopment()) or compiler directives (#if DEBUG) to ensure the bypass only applies in development. - Global callback affecting all requests:
ServicePointManager.ServerCertificateValidationCallbackapplies to every HTTPS request in the process, including third-party libraries and internal .NET calls. UseHttpClientHandlerper-client instead of the global callback. - Not checking the specific certificate: Accepting all certificates (
return true) is the least secure approach. If possible, validate the certificate thumbprint or subject to accept only the specific self-signed certificate you expect. - Ignoring the real fix: The best solution is usually to install a proper certificate. Use Let's Encrypt for free trusted certificates, or add your self-signed CA to the machine's trusted root store. Bypassing validation should be a temporary development measure, not a permanent solution.
Summary
- .NET Core/.NET 5+: use
HttpClientHandler.ServerCertificateCustomValidationCallbackper client - .NET Framework: use
ServicePointManager.ServerCertificateValidationCallback(global, affects all requests) - Gate SSL bypass with
IsDevelopment()or#if DEBUGto prevent production exposure - Prefer trusting the specific certificate (by thumbprint or CA) over accepting all certificates
- The best long-term fix is a proper certificate from a trusted CA or adding your CA to the trust store

