Windows Identity Foundation (WIF) Configuration – Part IV (Certificate Related Configuration)

The information in this post is based on Windows Identity Foundation Config.xml file that ships with WIF SDK.

<certificateValidation> controls the settings that token handlers will use to validate certificates, unless those handlers have their own validators set.


  • certificateValidationMode. X509CertificateValidationMode value that specifies the validation mode to use for the X.509 certificate. The default value is PeerOrChainTrust.
  • revocationMode. X509CertificateRevocationMode type that specifies the revocation mode to use for the X.509 certificate. The default value is Online.
  • trustedStoreLocation. X509TrustedStoreLocation type that specifies the X.509 certificate store. The default value is LocalMachine.
  • certificateValidator. A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator. If the certificateValidationMode attribute is "Custom", an instance of this type will be used by underlying handlers for certificate validation.


 <certificateValidation certificateValidationMode="PeerOrChainTrust"
                             trustedStoreLocation="LocalMachine" >

<certificateValidator> allows for a custom type to be specified for certificate validation. This type will only be used if the certificateValidationMode is set to "Custom"


  • Type. A custom type that derives from System.IdentityModel.Selectors.X509CertificateValidator.  This validator will be used by the default SecurityTokenHandler instances, unless those have their own validators set.


 <certificateValidator type="CustomType" />

<maximumClockSkew> Controls the maximum allowed clock skew when performing time-sensitive operations such as validating the expiration time of a sign-in session. Defaults to 5 minutes.


 <maximumClockSkew value="00:05:00" />

<serviceCertificate> controls the certificate used for token decryption. In the case of an Information Card relying party, this should be the SSL certificate of the web site. Any certificate that is identified must have a private key and the private key must have appropriate access control permissions so that it may be read by the application pool identity.


  <certificateReference x509FindType="FindByThumbprint"
                        storeName="My" />