Hi Jason,
Thanks for your posting. I've also seen your other thread in the
framework.webservices newsgroup. I've posted my response to your #2
question in that one. Regarding the other two questions you mentioned
here, here are some of my understandings:
#1. For "exchange X509 certificates in a secure fashion?", I'm not sure
why you'd like to make cert exchange secure, because an X509 cert is used to
publish a public key, which doesn't care whether it'll be accessed by any
unexpected guys. So we can just publish our public key certificate in
whatever means we like.
#3. For "how to alert on expiring certificates", this is somewhat related to the
security components your application is calling. For example, when using
WSE, WSE's security-related class library will do the expiration
checking. We can find the settings for this in the WSE 2.0 VS.NET add-in's
"WSE Certificate Settings" section. Or you can directly find the
<x509> element in WSE's configuration file, which contains the
attributes used to configure the certificate-related settings.
When we are directly using the API to access the certificate store and
retrieve certificates, we need to manually call the API which will verify
the trust path or expiration.
Thanks,
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
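The "manually call the API" case above, written out as an added example (this is not code from the thread, and not WSE's own classes): it uses the base class library's System.Security.Cryptography.X509Certificates API to (a) build and check the trust path of a certificate explicitly, reporting every chain status that made it fail, and (b) scan a certificate store for certificates that have expired or will expire within a warning window, which is the piece a scheduled task on each cluster node would run to raise an alert. The store (LocalMachine\My), the 30-day window and the console output are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the thread: explicit trust-path validation plus an
// expiry scan over a Windows certificate store. Store name/location and the
// 30-day warning window are assumptions chosen for illustration.
public static class CertificateHealth
{
    // Builds the chain for one certificate and returns the status flags that
    // made validation fail. An empty list means the certificate is trusted,
    // unexpired and (as far as the CRL/OCSP endpoints can tell) unrevoked.
    public static IList<X509ChainStatus> Validate(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        // Check revocation online (needs network access to the issuer's CRL/OCSP);
        // the root itself is excluded from the revocation check.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        // Validate as of now; this is what catches an expired certificate.
        chain.ChainPolicy.VerificationTime = DateTime.Now;

        List<X509ChainStatus> problems = new List<X509ChainStatus>();
        if (!chain.Build(cert))
        {
            // Each entry names one failure, e.g. NotTimeValid, UntrustedRoot,
            // PartialChain, RevocationStatusUnknown.
            problems.AddRange(chain.ChainStatus);
        }
        return problems;
    }

    // Returns certificates in the given store whose NotAfter date is already
    // past or falls within 'warningDays' from now.
    public static IList<X509Certificate2> FindExpiringSoon(
        StoreName storeName, StoreLocation location, int warningDays)
    {
        DateTime threshold = DateTime.Now.AddDays(warningDays);
        List<X509Certificate2> expiring = new List<X509Certificate2>();

        X509Store store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (cert.NotAfter <= threshold)
                {
                    expiring.Add(cert);
                }
            }
        }
        finally
        {
            store.Close();
        }
        return expiring;
    }

    public static void Main()
    {
        // 1. Expiry watch: run this from a scheduled task on every node and turn
        //    each hit into an alert (event log entry, e-mail, monitoring hook).
        IList<X509Certificate2> soon =
            FindExpiringSoon(StoreName.My, StoreLocation.LocalMachine, 30);
        foreach (X509Certificate2 cert in soon)
        {
            string state = cert.NotAfter < DateTime.Now ? "EXPIRED" : "expiring";
            Console.WriteLine("{0}: {1} (thumbprint {2}) at {3:u}",
                state, cert.Subject, cert.Thumbprint, cert.NotAfter);
        }

        // 2. Trust-path check of everything in the store, with the reason for
        //    each rejection, so a bad chain is noticed before a request fails.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                foreach (X509ChainStatus status in Validate(cert))
                {
                    Console.WriteLine("{0}: {1} - {2}",
                        cert.Subject, status.Status, status.StatusInformation);
                }
            }
        }
        finally
        {
            store.Close();
        }
    }
}
```

The two checks are deliberately separate: the expiry scan is cheap and offline, so it can run often and warn ahead of time, while the chain build may contact CRL/OCSP endpoints and should be treated as the authoritative yes/no at the point where the certificate is actually used.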
--------------------
From: <jason.chen@newsgroups.nospam>
Subject: X509 certificate distribution, storage and expiry alert
Date: Tue, 30 Aug 2005 11:20:05 -0400
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
Hi, does Microsoft provide any recommendation on how to distribute X509
certificates?
The reason I'm asking is that the server has to send the client its public key
before the client can send an encrypted request to the server, so we have to
provide a way for our clients to upload their X509 public key to
us. Can Microsoft provide some suggestion on how to exchange X509 certificates
in a secure fashion?
My second question is: can X509 certificates be stored in a central location
instead of on individual servers? The reason I'm asking is, we are hosting
our application in a cluster environment; in order for our servers to
communicate with our client, each computer in our cluster has to install our
client's X509 certificate, and every time the certificate expires, each computer
has to be installed with the new certificate. Is there a way we can store the
certificate in a central location, so that each computer can load the
certificate from the central location and use it to encrypt the message?
My third question is, does Microsoft have any recommendation on how to alert on
expiring certificates? Once everything starts working, what's the process for
monitoring the certificate expiry time? We cannot afford it if the service
stops working.
thanks,
-jason