How to: Specify the Certificate Authority Certificate Chain Used to Verify Signatures (WCF)

When Windows Communication Foundation (WCF) receives a SOAP message signed using an X.509 certificate, by default it verifies that the X.509 certificate was issued by a trusted certificate authority. This is done by looking in a certificate store and determining if the certificate for that certificate authority has been designated as trusted. In order for WCF to make this determination, the certificate authority certificate chain must be installed in the correct certificate store.

To install a certificate authority certificate chain

  • For each certificate authority whose X.509 certificates a SOAP message recipient intends to trust, install the certificate authority certificate chain into the certificate store from which WCF is configured to retrieve X.509 certificates.

    For instance, if a SOAP message recipient intends to trust X.509 certificates issued by Microsoft, the certificate authority certificate chain for Microsoft must be installed in the certificate store in which WCF is set up to look for X.509 certificates. The certificate store in which WCF looks for X.509 certificates can be specified in code or configuration. For example, this can be specified in code using the SetCertificate method, or in configuration in several ways, including the <serviceCertificate> of <clientCredentials> element.

    Because Windows ships with a set of default certificate chains for trusted certificate authorities, it may not be necessary to install the certificate chain for all certificate authorities.

    1. Export the certificate authority certificate chain.

      Exactly how this is done depends on the certificate authority. If the certificate authority is running Microsoft Certificate Services, select Download a CA certificate, certificate chain, or CRL, and then choose Download CA certificate.

    2. Import the certificate authority certificate chain.

      In the Microsoft Management Console (MMC), open the Certificates snap-in. For the certificate store from which WCF is configured to retrieve X.509 certificates, select the Trusted Root Certification Authorities folder. Under the Trusted Root Certification Authorities folder, right-click the Certificates folder, point to All Tasks, and then click Import. Provide the file exported in step 1.

      For more information about using the Certificates snap-in with MMC, see How to: View Certificates with the MMC Snap-in.
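
The import in step 2 can also be scripted, and the result checked by building the chain for a certificate issued by that certificate authority. The following PowerShell is an added example, not part of the original procedure; the parameter names, the file paths passed to them, and the default store location are assumptions.

```powershell
# Added example. $CaCertPath is the file exported in step 1; $SignerCertPath is
# any certificate issued by that CA, used only to test the chain. Both paths and
# the LocalMachine default are assumptions; use the store location WCF is
# configured to read from.
param(
    [Parameter(Mandatory = $true)] [string] $CaCertPath,
    [Parameter(Mandatory = $true)] [string] $SignerCertPath,
    [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine'
)
$ns = 'System.Security.Cryptography.X509Certificates'

$ca = New-Object "$ns.X509Certificate2" -ArgumentList $CaCertPath

# A root certificate is self-signed. Anything else is an intermediate and does
# not belong in Trusted Root Certification Authorities.
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a root certificate (issuer is '$($ca.Issuer)'); refusing to add it to the Root store."
}

# Compare this thumbprint with the value published by the CA before trusting it.
Write-Host "Subject:    $($ca.Subject)"
Write-Host "Thumbprint: $($ca.Thumbprint)"
Write-Host "Expires:    $($ca.NotAfter)"

# Writing to the LocalMachine Root store requires an elevated session.
$store = New-Object "$ns.X509Store" -ArgumentList `
    ([System.Security.Cryptography.X509Certificates.StoreName]::Root),
    ([System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $found = $store.Certificates.Find('FindByThumbprint', $ca.Thumbprint, $false)
    if ($found.Count -eq 0) { $store.Add($ca) } else { Write-Host 'Already installed.' }
} finally {
    $store.Close()
}

# Check the result: build the chain in the same machine or user context.
$signer = New-Object "$ns.X509Certificate2" -ArgumentList $SignerCertPath
$chain  = New-Object "$ns.X509Chain" -ArgumentList ($StoreLocation -eq 'LocalMachine')
$trusted = $chain.Build($signer)
$chain.ChainElements | ForEach-Object { Write-Host "  chain: $($_.Certificate.Subject)" }
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
Write-Host "Chain trusted: $trusted"
```

The chain is built with the default policy, which includes an online revocation check, so a failure reported as a revocation status concerns reachability of the revocation list rather than the store contents.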

See Also

Concepts

Working with Certificates


© 2007 Microsoft Corporation. All rights reserved.
Build Date: 2009-08-07