How to: Consistently Reference X.509 Certificates
You can identify a certificate in several ways: by the hash of the certificate, by the issuer and serial number, or by the subject key identifier (SKI). The SKI uniquely identifies the certificate's subject public key and is often used when working with XML digital signing. The SKI value is usually carried in the X.509 certificate as an X.509 certificate extension. Windows Communication Foundation (WCF) has a default referencing style that uses the issuer and serial number if the SKI extension is missing from the certificate. If the certificate contains the SKI extension, the default referencing style uses the SKI to point to the certificate. If, mid-way through development of an application, you switch from certificates that do not carry the SKI extension to certificates that do, the referencing style used in WCF-generated messages also changes.
If a consistent referencing style is required regardless of SKI extension presence, it is possible to configure the desired referencing style as shown in the following code.
The following example creates a custom security binding element that uses a single consistent referencing style, the issuer name and serial number.
Public Function CreateClientBinding() As Binding
    ' Start from the standard mutual-certificate duplex security element.
    Dim abe As AsymmetricSecurityBindingElement = CType(SecurityBindingElement.CreateMutualCertificateDuplexBindingElement( _
        MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10), _
        AsymmetricSecurityBindingElement)
    abe.SetKeyDerivation(False)

    ' Pin the initiator (client) token reference to issuer name and serial number.
    Dim istp As X509SecurityTokenParameters = TryCast(abe.InitiatorTokenParameters, X509SecurityTokenParameters)
    If istp IsNot Nothing Then
        istp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial
    End If

    ' Pin the recipient (service) token reference the same way.
    Dim rstp As X509SecurityTokenParameters = TryCast(abe.RecipientTokenParameters, X509SecurityTokenParameters)
    If rstp IsNot Nothing Then
        rstp.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial
    End If

    Return New CustomBinding(abe, New HttpTransportBindingElement())
End Function
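The following C# example is added here to illustrate the two points above; it is not part of the original article. It generates two throwaway self-signed test certificates, one with the SKI extension and one without, reports the hash, issuer/serial and SKI values for each, shows which style WCF would pick by default, and then builds the same binding as the VB sample with the reference style pinned to issuer name and serial number. It assumes .NET Framework 4.7.2 or later (for CertificateRequest together with the full WCF stack) and a reference to System.ServiceModel; the class and method names are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Added example (not from the original article). Assumes .NET Framework 4.7.2+.
static class CertReferenceDemo
{
    // id-ce-subjectKeyIdentifier, the extension WCF looks for when choosing a reference style.
    const string SkiOid = "2.5.29.14";

    // Mirrors the default WCF behaviour described in the article:
    // SKI when the extension is present, otherwise issuer name + serial number.
    public static X509KeyIdentifierClauseType DefaultReferenceStyle(X509Certificate2 cert)
    {
        return cert.Extensions[SkiOid] != null
            ? X509KeyIdentifierClauseType.SubjectKeyIdentifier
            : X509KeyIdentifierClauseType.IssuerSerial;
    }

    // Prints the three identifiers the article mentions so the difference is visible.
    public static void Describe(X509Certificate2 cert)
    {
        var ski = cert.Extensions[SkiOid] as X509SubjectKeyIdentifierExtension;
        Console.WriteLine("Subject:       " + cert.Subject);
        Console.WriteLine("Thumbprint:    " + cert.Thumbprint);
        Console.WriteLine("Issuer/Serial: " + cert.Issuer + " / " + cert.SerialNumber);
        Console.WriteLine("SKI:           " + (ski != null ? ski.SubjectKeyIdentifier : "(extension absent)"));
        Console.WriteLine("WCF default:   " + DefaultReferenceStyle(cert));
        Console.WriteLine();
    }

    // Builds a constructed, short-lived self-signed certificate for demonstration only.
    public static X509Certificate2 MakeTestCert(string commonName, bool includeSki)
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=" + commonName, rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (includeSki)
                req.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(req.PublicKey, false));
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    // Same pinning as the article's VB sample: IssuerSerial on both initiator and recipient,
    // so the reference style no longer depends on whether the certificate carries an SKI.
    public static Binding CreatePinnedBinding()
    {
        var abe = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        abe.SetKeyDerivation(false);
        foreach (var p in new[] { abe.InitiatorTokenParameters, abe.RecipientTokenParameters })
        {
            var x509 = p as X509SecurityTokenParameters;
            if (x509 != null)
                x509.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
        }
        return new CustomBinding(abe, new HttpTransportBindingElement());
    }

    static void Main()
    {
        using (var withSki = MakeTestCert("with-ski", true))
        using (var withoutSki = MakeTestCert("without-ski", false))
        {
            Describe(withSki);     // WCF default: SubjectKeyIdentifier
            Describe(withoutSki);  // WCF default: IssuerSerial

            var binding = CreatePinnedBinding();
            var abe = binding.CreateBindingElements().Find<AsymmetricSecurityBindingElement>();
            var initiator = (X509SecurityTokenParameters)abe.InitiatorTokenParameters;
            Console.WriteLine("Pinned style:  " + initiator.X509ReferenceStyle);  // IssuerSerial for both certs
        }
    }
}
```

Running Describe on both certificates shows that only the presence of the 2.5.29.14 extension changes the default choice; the pinned binding removes that dependency, which is what keeps the wire format stable when the certificates used by a deployment are rotated.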
Compiling the Code
The following namespaces are required to compile the code:
Concepts: Working with Certificates
© 2007 Microsoft Corporation. All rights reserved.
Last Published: 2010-03-21