Description
Problem
Currently users only have 2 options for dealing with server SSL/TLS certificates with Invoke-WebRequest and Invoke-RestMethod: the default validation, and skipping validation. Some scenarios warrant tighter security on web requests where a certificate is not fully trusted by the host environment but is known to be trusted by the user. This could include internal web APIs that use a self-signed certificate with a specific thumbprint, or a certificate from a known CA that is not trusted by the host. Or a user may wish to ensure a certain CA/Thumbprint/Subject is blocked (a known bad actor).
Also [System.Net.ServicePointManager]::ServerCertificateValidationCallback has no effect in Core and HttpClient only uses the settings provided by HttpClientHandler.
Proposal
Add a parameter of type Func<HttpRequestMessage,X509Certificate2,X509Chain,SslPolicyErrors,Boolean> that accepts a ScriptBlock to both Web Cmdlets. This is to be set on HttpClientHandler.ServerCertificateCustomValidationCallback. The -SkipCertificateCheck would have priority, meaning if both were supplied either a parameter exception is thrown or -SkipCertificateCheck would be applied and the callback ignored.
The Parameter will be named CertificateValidationScript
For consideration
- What to name this parameter?
- Throw or no throw on clash with -SkipCertificateCheck?
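The following is an added example, not code from this issue or from the PowerShell project. It shows what a callback set on HttpClientHandler.ServerCertificateCustomValidationCallback has to decide for the three scenarios above (pin a specific leaf, trust a private CA the host does not, block a known-bad certificate) and how a user can get that behaviour today by driving HttpClient directly instead of the web cmdlets. The validator is compiled C# via Add-Type rather than a ScriptBlock because the handler invokes the callback during the TLS handshake, typically on a thread-pool thread where a ScriptBlock-backed delegate may have no runspace to run in. The class name PinnedCertificateValidator, the function New-PinnedWebClient, the host name and the pin value are assumptions for the example; it assumes PowerShell 7.1 or later (.NET 5+) for X509ChainTrustMode.CustomRootTrust.

```powershell
# Added example: pinning/allow/block logic for ServerCertificateCustomValidationCallback.
# Not part of the issue or of PowerShell; names below are hypothetical.
if (-not ('PinnedCertificateValidator' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public sealed class PinnedCertificateValidator
{
    private readonly HashSet<string> _allowedPins;   // SHA-256 hex of leaf certs to accept
    private readonly HashSet<string> _blockedPins;   // SHA-256 hex of leaf certs to reject
    private readonly X509Certificate2 _privateRoot;  // optional CA the host does not trust
    public string LastDecision { get; private set; } = "";

    public PinnedCertificateValidator(string[] allowedSha256, string[] blockedSha256, X509Certificate2 privateRoot)
    {
        _allowedPins = new HashSet<string>(Normalize(allowedSha256), StringComparer.OrdinalIgnoreCase);
        _blockedPins = new HashSet<string>(Normalize(blockedSha256), StringComparer.OrdinalIgnoreCase);
        _privateRoot = privateRoot;
    }

    private static IEnumerable<string> Normalize(string[] pins)
    {
        foreach (var p in pins ?? new string[0]) yield return p.Replace(":", "").Replace(" ", "");
    }

    // Same signature as HttpClientHandler.ServerCertificateCustomValidationCallback.
    public bool Validate(HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) { LastDecision = "rejected: no certificate presented"; return false; }
        string pin = cert.GetCertHashString(HashAlgorithmName.SHA256);

        // 1. The block list wins over everything, including a chain the platform would accept.
        if (_blockedPins.Contains(pin)) { LastDecision = "rejected: blocked pin " + pin; return false; }

        // 2. A pinned leaf is accepted even if its issuer is untrusted, but a name
        //    mismatch is still fatal: the pin vouches for this host only.
        if (_allowedPins.Contains(pin))
        {
            if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            { LastDecision = "rejected: pinned cert presented for the wrong host name"; return false; }
            LastDecision = "accepted: pinned " + pin; return true;
        }

        // 3. Only chain errors, and a private root was supplied: rebuild the chain
        //    against that root alone, reusing any intermediates the server sent.
        if (errors == SslPolicyErrors.RemoteCertificateChainErrors && _privateRoot != null)
        {
            using (var custom = new X509Chain())
            {
                custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                custom.ChainPolicy.CustomTrustStore.Add(_privateRoot);
                custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CAs rarely publish CRLs
                if (chain != null) custom.ChainPolicy.ExtraStore.AddRange(chain.ChainPolicy.ExtraStore);
                bool ok = custom.Build(cert);
                LastDecision = ok ? "accepted: chains to the private root" : "rejected: does not chain to the private root";
                return ok;
            }
        }

        // 4. Everything else gets the platform's own verdict, i.e. the default validation.
        LastDecision = errors == SslPolicyErrors.None ? "accepted: platform trust" : "rejected: " + errors;
        return errors == SslPolicyErrors.None;
    }

    public Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool> AsCallback() => Validate;
}
'@
}

function New-PinnedWebClient {
    param(
        [string[]] $AllowedSha256Pin = @(),
        [string[]] $BlockedSha256Pin = @(),
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $PrivateRoot
    )
    $validator = [PinnedCertificateValidator]::new([string[]]$AllowedSha256Pin, [string[]]$BlockedSha256Pin, $PrivateRoot)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    # This is the property the issue proposes to expose through the web cmdlets.
    $handler.ServerCertificateCustomValidationCallback = $validator.AsCallback()
    [pscustomobject]@{ Client = [System.Net.Http.HttpClient]::new($handler); Validator = $validator }
}

# Usage with a hypothetical internal host and pin (replace with your own):
$web = New-PinnedWebClient -AllowedSha256Pin '0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
$response = $web.Client.GetAsync('https://internal-api.example/health').GetAwaiter().GetResult()
"$($response.StatusCode): $($web.Validator.LastDecision)"
```

Get the SHA-256 pin for a certificate you already hold with `$cert.GetCertHashString([System.Security.Cryptography.HashAlgorithmName]::SHA256)`; the Windows `Thumbprint` property is SHA-1 and is kept out of the example on purpose. Note that step 2 deliberately honours a name mismatch even for a pinned certificate, which is the kind of decision the "-SkipCertificateCheck has priority" rule in the proposal would otherwise bypass entirely.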