Re: why does WSE fail in trusting certificate chain?

From: Dan Rogers (danro_at_microsoft.com)
Date: 12/02/04


Date: Thu, 02 Dec 2004 21:20:57 GMT

Hi Neal,

I would say try, but if it fails, then you really should create a new test
root on the machine in question and use that. I believe that test certs
are machine specific as a security precaution.

Regards

Dan

--------------------
From: "nealboy" <nealboyzdn@hotmail.com>
References: <usUMU161EHA.2824@TK2MSFTNGP09.phx.gbl>
<jHq4VqA2EHA.768@cpmsftngxa10.phx.gbl>
Subject: Re: why does WSE fail in trusting certificate chain?
Date: Thu, 2 Dec 2004 10:29:41 +0800
Lines: 75
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Message-ID: <e#UYIbB2EHA.2568@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
NNTP-Posting-Host: 218.19.200.10
Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4984
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements

Dan Rogers

   Thanks for your reply.
   It seems that the CA I use should have a certificate issued by another
trusted root CA, as you suggest.
   But can I import the test CA root on my computer as a Trusted Root
Certification Authority to solve this problem? In the Win32 development
environment, for example using CAPICOM, I just do it that way and it
works.
   I also use a certificate issued by a commercial CA (the certificate is
free and for testing use) and there is the same problem too.
                                                            zhang

"Dan Rogers" <danro@microsoft.com> wrote in message
news:jHq4VqA2EHA.768@cpmsftngxa10.phx.gbl...
> Hi Nealboy,
>
> It sounds like you are using a test root to create certificates? Is this
> correct? In short, if the trust chain in a certificate that is received
> has an entry from an untrusted root, you really can't use it across
> machines. Each machine has a certificate store that includes the root
> authority credentials for each trusted root. In a test root, there is no
> trusted root (it's the local machine).
>
> You really need to use a certificate server that has a certificate issued
> by a trusted root certificate authority (you can create your own, of
> course, but nobody will recognize these by default).
>
> I hope this helps
>
> Dan Rogers
> Microsoft Corporation
>
> --------------------
> From: "nealboy" <nealboyzdn@hotmail.com>
> Subject: why does WSE fail in trusting certificate chain?
> Date: Wed, 1 Dec 2004 21:54:48 +0800
> Lines: 18
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> Message-ID: <usUMU161EHA.2824@TK2MSFTNGP09.phx.gbl>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> NNTP-Posting-Host: 218.19.200.10
> Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
> Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework.webservices.enhancements:4968
> X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
>
> Hi everyone:
> I just set up a Web Service using WSE. The client signs the SOAP
> message with an X509 certificate and the server verifies the signature in
> the SOAP message using WSE.
> But WSE fails in verifying the trust chain of the certificate after it
> receives the SOAP message. It returns this error: the internal certificate
> chain error.
> I had already imported the CA certificate into the certificate store that WSE
> is configured to retrieve X.509 certificates from, as the documentation
> describes, and if the certificate which is used to sign is issued by a MS
> Windows CA based on localhost, verifying the trust chain will be OK.
> Can anybody give me advice?
> Thanks
>
>
> nealboy
>
>
>

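An added diagnostic, not code from this thread or from WSE, that shows the point Dan makes: the chain engine on the verifying machine walks the signing certificate up to a root and only succeeds if that root is in the machine's own trusted root store. It assumes .NET with System.Security.Cryptography.X509Certificates, a hypothetical certificate file path given as the first argument, and that WSE is configured to use the LocalMachine store (use StoreLocation.CurrentUser if your config points there).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Builds the chain for the client's signing certificate the way the server's
// verifier would, lists every chain status flag, and reports whether the root
// the chain ends at is actually present in LocalMachine\Root.
class ChainDiagnostic
{
    static void Main(string[] args)
    {
        // Hypothetical path: the exported client signing certificate (.cer).
        string path = args.Length > 0 ? args[0] : "client-signing.cer";
        X509Certificate2 signer = new X509Certificate2(path);

        X509Chain chain = new X509Chain();
        // Test CAs rarely publish a reachable CRL; switch revocation off while
        // diagnosing so that trust failures are not masked by revocation failures.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool trusted = chain.Build(signer);
        Console.WriteLine("Chain builds to a trusted root: " + trusted);

        // UntrustedRoot here is exactly the situation in the thread: the chain
        // is complete but ends at a root this machine does not trust.
        // PartialChain means the issuer certificate could not be found at all.
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation.Trim());

        // The last chain element is the root found (or the highest issuer reached).
        X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        Console.WriteLine("Chain top: " + top.Subject);

        // Check by thumbprint whether that root is installed as a trusted root on
        // this machine; importing it there is what makes the chain trusted.
        X509Store rootStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        rootStore.Open(OpenFlags.ReadOnly);
        bool present = rootStore.Certificates.Find(
            X509FindType.FindByThumbprint, top.Thumbprint, false).Count > 0;
        rootStore.Close();
        Console.WriteLine("Chain top present in LocalMachine\\Root: " + present);
    }
}
```

If the output shows UntrustedRoot and "present: False", the root simply has to be installed in that store on the verifying machine; if it shows PartialChain, the intermediate or root certificate is missing from the store WSE reads and must be imported first.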