How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures

When WSE receives a SOAP message signed using an X.509 certificate, by default it verifies that the X.509 certificate was issued by a trusted certificate authority (CA). This is done by looking in a certificate store and determining if the certificate for that CA has been designated as trusted. In order for WSE to make this determination, the CA certificate chain must be installed in the correct certificate store.

To install a CA certificate chain

  • For each CA whose X.509 certificates a SOAP message recipient intends to trust, install the CA certificate chain into the certificate store that WSE is configured to retrieve X.509 certificates from.

    For instance, if a SOAP message recipient intends to trust X.509 certificates issued by Microsoft, the CA certificate chain for Microsoft must be installed in the certificate store that WSE is configured to retrieve X.509 certificates from. The certificate store that WSE looks in is controlled by the <x509> configuration element. Because Windows ships with a set of default certificate chains for trusted CAs, it may not be necessary to install the certificate chain for all CAs.

    1. Export the CA certificate chain.
      Exactly how this is done depends on the CA. If the CA is running Microsoft Certificate Services, select Download a CA certificate, certificate chain, or CRL, and then choose Download CA certificate.
    2. Import the CA certificate chain.
      In the MMC, open the Certificates snap-in. For the certificate store that WSE is configured to retrieve X.509 certificates from, select the Trusted Root Certification Authorities folder. Under the Trusted Root Certification Authorities folder, right-click the Certificates folder, point to All Tasks, and then click Import. Provide the file exported in step 1.
      For more information about configuring which certificate store WSE is configured to retrieve X.509 certificates from, see <x509> Element. For more information about using the Certificates snap-in with the MMC, see Managing X.509 Certificates.
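
The import in step 2 can also be scripted. The following PowerShell is an added example, not part of the original WSE documentation; it assumes the export from step 1 is a single root certificate in a .cer file, and the file paths, the expected thumbprint and the store location are placeholders to replace with your own values.

```powershell
# Added example: vet an exported root CA certificate, import it, then confirm a chain builds.
param(
    [string]$CaFile = 'C:\certs\ca-root.cer',                  # placeholder: file exported in step 1
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-THE-CA>',  # placeholder: confirmed out of band
    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$StoreLocation = 'LocalMachine',                   # assumption: the location WSE reads
    [string]$SignerFile = 'C:\certs\signer.cer'                # placeholder: a certificate issued by that CA
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile

# Only a self-signed certificate belongs in Trusted Root Certification Authorities.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a root certificate. Subject: $($ca.Subject) Issuer: $($ca.Issuer)"
}

# Refuse a root that is expired or not yet valid.
$now = Get-Date
if ($now -lt $ca.NotBefore -or $now -gt $ca.NotAfter) {
    throw "Certificate is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))."
}

# Trusting a root is a security decision: compare the thumbprint with the value
# obtained from the CA through a separate channel before importing anything.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($ca.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch. File has $($ca.Thumbprint)."
}

# Scripted equivalent of the snap-in import into Trusted Root Certification Authorities.
Import-Certificate -FilePath $CaFile -CertStoreLocation "Cert:\$StoreLocation\Root" | Out-Null

# Confirm that Windows now builds a trusted chain for a certificate issued by that CA.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $SignerFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList ($StoreLocation -eq 'LocalMachine')
if ($chain.Build($signer)) {
    "Chain OK, terminates at: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status) $($_.StatusInformation.Trim())" }
}
```

Writing to the LocalMachine store requires an elevated session.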

See Also

Tasks

How to: Obtain an X.509 Certificate
How to: Use the X.509 Certificate Management Tools
How to: Make X.509 Certificates Accessible to WSE
X.509 Certificate Tool (WseCertificate2.exe)

Other Resources

X.509 Certificate
Managing X.509 Certificates