
why does WSE fail in trusting certificate chain?

nealboy - 01 Dec 2004 13:54 GMT
Hi everyone:
   I just set up a Web Service using WSE. The client signs the SOAP
message with an X509 certificate and the server verifies the signature in
the SOAP message using WSE.
   But WSE fails to verify the trust chain of the certificate after it
receives the SOAP message. It returns this error: the internal certificate
chain error.
   I had already imported the CA certificate into the certificate store that WSE
is configured to retrieve X.509 certificates from, as the documentation describes,
and if the certificate used to sign is issued by an MS Windows CA
based on localhost, verifying the trust chain is OK.
   Can anybody give me advice?
   Thanks

nealboy
Dan Rogers - 02 Dec 2004 01:02 GMT
Hi Nealboy,

It sounds like you are using a test root to create certificates?  Is this
correct?  In short, if the trust chain in a certificate that is received
has an entry from an untrusted root, you really can't use it across
machines.  Each machine has a certificate store that includes the root
authority credentials for each trusted root.  In a test root, there is no
trusted root (it's the local machine).

You really need to use a certificate server that has a certificate issued
by a trusted root certificate authority (you can create your own, of
course, but nobody will recognize these by default).

I hope this helps

Dan Rogers
Microsoft Corporation

nealboy - 02 Dec 2004 02:29 GMT
Dan Rogers

  Thanks for your reply.
  It seems that the CA I use should have a certificate issued by another
trusted root CA, as you suggest.
  But can I import the test CA root on my computer as a Trusted Root
Certification Authority to solve this problem? In the Win32 development
environment, for example using CAPICOM, I just do it this way and it is
OK.
  I also used a certificate issued by a commercial CA (the certificate is
free and for testing use) and the same problem occurs.

zhang

Dan Rogers - 02 Dec 2004 21:20 GMT
Hi Neal,

I would say try, but if it fails, then you really should create a new test
root on the machine in question and use that.  I believe that test certs
are machine specific as a security precaution.

Regards

Dan

Dilip Krishnan - 04 Dec 2004 17:34 GMT
Hello nealboy,
  You would need to add your certificate to the Trusted roots store, not
the one WSE is configured to look
HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
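
A diagnostic for the chain failure discussed in this thread, as an added example that is not code from any of the posters or from WSE. It uses the .NET `X509Chain` class rather than the WSE API to build the chain for the signing certificate, print the status of each element, and check whether the top of the chain is present in the Trusted Root store of the machine and of the current account; the command-line file argument and the class name are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example. Usage: ChainCheck.exe <path-to-signing-cert.cer>
class ChainCheck
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ChainCheck <path-to-signing-cert.cer>");
            return 2;
        }
        var cert = new X509Certificate2(args[0]);

        var chain = new X509Chain();
        // Turn revocation lookups off so trust failures are not masked by CRL errors.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(cert);
        Console.WriteLine("Chain valid for this account: " + ok);

        foreach (X509ChainElement el in chain.ChainElements)
        {
            Console.WriteLine("  " + el.Certificate.Subject);
            foreach (X509ChainStatus st in el.ChainElementStatus)
                Console.WriteLine("    " + st.Status + ": " + (st.StatusInformation ?? "").Trim());
        }
        if (chain.ChainElements.Count == 0) return 1;

        // The last element is the top of whatever chain could be built.
        X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        // Name comparison only: a quick hint that the top element is a root.
        Console.WriteLine("Top of chain: " + top.Subject + " (subject == issuer: " + (top.Subject == top.Issuer) + ")");
        Report(top, StoreLocation.LocalMachine);
        Report(top, StoreLocation.CurrentUser);
        return ok ? 0 : 1;
    }

    // Reports whether the certificate is in the Trusted Root store at the given location.
    static void Report(X509Certificate2 root, StoreLocation location)
    {
        var store = new X509Store(StoreName.Root, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            bool present = store.Certificates
                .Find(X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0;
            Console.WriteLine("  in " + location + "\\Root: " + present);
        }
        finally { store.Close(); }
    }
}
```

Run it under the same account as the web service, because the CurrentUser stores differ per account; an `UntrustedRoot` or `PartialChain` status on the top element means the issuing root is missing from the Trusted Root store that account can see.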
