<x509> Element

Specifies where WSE looks for X.509 certificates and specifies how to verify them.

<microsoft.web.services3> Element
  <security> Element

<x509
   allowTestRoot="true|false" 
   revocationMode="NoCheck|Offline|Online"
   skiMode="CAPI|IssuerSerial|RFC3280|ThumbprintSHA1"
   storeLocation="CurrentUser|LocalMachine"
   verificationMode="ChainOnly|TrustedPeopleOnly|TrustedPeopleOrChain"
   verifyTrust="true|false" />

Attributes and Elements

Attributes

Attribute Description

allowTestRoot

Optional attribute. Specifies whether WSE modifies the trust verification process to allow X.509 certificates signed by a test root to pass the verification. The default is false. Valid only when the verifyTrust attribute is true.

revocationMode

Optional attribute. Specifies whether WSE does URL retrieval during certificate revocation checking. Possible values are NoCheck, Offline, and Online.

NoCheck

No revocation check is performed on the certificate.

Offline

A revocation check is made using a cached certificate revocation list (CRL).

This is equivalent to setting the AllowRevocationUrlRetrieval attribute to false in WSE 2.0.

Online

A revocation check is made using an online certificate revocation list (CRL). This is equivalent to setting the AllowRevocationUrlRetrieval attribute to true in WSE 2.0.

The default value is Online. Valid only when the verifyTrust attribute is true.

skiMode

Optional attribute. Specifies the algorithm that WSE uses to compute the value of the subject key identifier that is associated with X.509 certificates. Possible values are RFC3280, CAPI, IssuerSerial, and ThumbprintSHA1. ThumbprintSHA1 is the default value.

CAPI

Uses the Microsoft Cryptography API (CAPI) to compute the subject key identifier. This is the default algorithm for WSE 2.0.

RFC3280

Uses an RFC 3280 compliant algorithm.

IssuerSerial

Specifies a reference to a security token that is not included in the SOAP message.

ThumbprintSHA1

Creates a SHA1 hash of the public key, as specified in the WS-Security 1.1 specification. This is the default algorithm for WSE 3.0.

storeLocation

Optional attribute. Specifies where WSE searches for X.509 certificates when it attempts to retrieve or verify a certificate. Typically, a client application sets the storeLocation attribute to CurrentUser and an XML Web service sets it to LocalMachine. The default is LocalMachine.

This attribute also specifies the certificate store that the CA certificate chain is retrieved from during the signature verification process. The signature verification process verifies the integrity of the signature when a signed SOAP message is received. If the SOAP message recipient is an XML Web service, then WSE always retrieves the CA certificate chain from the LocalMachine store, unless the process identity for ASP.NET (ASPNET by default) is changed to an account with log-on permissions. The identity of the ASP.NET process is specified in the <processModel> element. See the <processModel> topic in the .NET Framework documentation.

verificationMode

Optional attribute. Specifies whether WSE searches the TrustedPeople certificate store before verifying the certificate chain. Possible values are ChainOnly, TrustedPeopleOnly, and TrustedPeopleOrChain.

ChainOnly

WSE verifies the certificate chain by building a certificate trust chain and accesses the network to do URL retrieval, as needed.

TrustedPeopleOnly

WSE verifies the certificate by searching the TrustedPeople certificate store.

TrustedPeopleOrChain

WSE verifies the certificate by searching the TrustedPeople certificate store and then by building a certificate trust chain. The certificate is trusted if it passes either verification method.

The default value is TrustedPeopleOrChain. Valid only when the verifyTrust attribute is true.

verifyTrust

Optional attribute. Specifies whether WSE verifies that X.509 certificates that are used to sign a message have an issuer chain that extends to a trusted root authority. The default is true.   

Child Elements

None.

Parent Elements

Element Description

<security> Element

Controls the security settings for a WSE application.

Remarks

Before adding the <x509> element to a configuration file, you must add the microsoft.web.services3 configuration section handler to the configuration file. For details about adding the microsoft.web.services3 configuration section handler, see <section> Element.

When the client application is an ASP.NET Web form, it might be preferable to use the Local Machine certificate store. By default, an ASP.NET Web form runs under the ASPNET account, which has an auto-generated password. This can make it difficult to log into the account and install X.509 certificates. If the X.509 certificates are placed in the Local Machine certificate store, then any administrator on the computer can install the certificates.

Example

The following code example specifies that WSE retrieves X.509 certificates from the CurrentUser certificate store and also specifies that certificates signed by a test root pass verification.

<configuration>
  <microsoft.web.services3>
    <security>
      <x509 storeLocation="CurrentUser"
            verifyTrust="true" 
            allowTestRoot="true" />
    </security>
  </microsoft.web.services3>
</configuration>
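
The following Python script is an added example, not part of the original WSE documentation. It resolves the effective <x509> settings from a configuration file using the defaults listed above and reports settings that relax certificate verification. The names audit_x509, SPEC, NO_TEST_ROOT, and TRUST_OFF are hypothetical, and the script assumes a configuration file without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Attribute -> (documented WSE 3.0 default, allowed values), taken from this page.
SPEC = {
    "allowTestRoot": ("false", {"true", "false"}),
    "revocationMode": ("Online", {"NoCheck", "Offline", "Online"}),
    "skiMode": ("ThumbprintSHA1", {"CAPI", "IssuerSerial", "RFC3280", "ThumbprintSHA1"}),
    "storeLocation": ("LocalMachine", {"CurrentUser", "LocalMachine"}),
    "verificationMode": ("TrustedPeopleOrChain",
                         {"ChainOnly", "TrustedPeopleOnly", "TrustedPeopleOrChain"}),
    "verifyTrust": ("true", {"true", "false"}),
}
# Attributes the page marks "Valid only when the verifyTrust attribute is true".
NEEDS_VERIFY_TRUST = ("allowTestRoot", "revocationMode", "verificationMode")

def audit_x509(config_xml):
    """Return (effective settings, findings) for the <x509> element of a config file."""
    root = ET.fromstring(config_xml)
    node = root.find("microsoft.web.services3/security/x509")
    given = dict(node.attrib) if node is not None else {}
    findings = []
    for name, value in given.items():
        if name not in SPEC:
            findings.append(f"unknown attribute: {name}")
        elif value not in SPEC[name][1]:
            findings.append(f"invalid value: {name}={value}")
    # Attributes that are not set fall back to the documented defaults.
    eff = {name: given.get(name, default) for name, (default, _) in SPEC.items()}
    if eff["verifyTrust"] == "false":
        findings.append("verifyTrust=false: issuer chain is not verified")
        findings += [f"{n} is valid only when verifyTrust=true"
                     for n in NEEDS_VERIFY_TRUST if n in given]
    else:
        if eff["allowTestRoot"] == "true":
            findings.append("allowTestRoot=true: test-root certificates pass verification")
        if eff["revocationMode"] == "NoCheck":
            findings.append("revocationMode=NoCheck: no revocation check is performed")
    return eff, findings

# Constructed inputs: the example from this page, and two hypothetical variants.
PAGE_EXAMPLE = """<configuration><microsoft.web.services3><security>
  <x509 storeLocation="CurrentUser" verifyTrust="true" allowTestRoot="true" />
</security></microsoft.web.services3></configuration>"""
NO_TEST_ROOT = PAGE_EXAMPLE.replace('allowTestRoot="true"', 'allowTestRoot="false"')
TRUST_OFF = PAGE_EXAMPLE.replace('verifyTrust="true"', 'verifyTrust="false"')

if __name__ == "__main__":
    for label, xml_text in [("page example", PAGE_EXAMPLE),
                            ("no test root", NO_TEST_ROOT), ("trust off", TRUST_OFF)]:
        print(label, audit_x509(xml_text)[1])
```

The configuration shown in the example above produces one finding, for allowTestRoot; the same configuration with allowTestRoot set to false produces none.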

See Also

Tasks

X.509 Certificate Tool

Other Resources

Managing X.509 Certificates
X.509 Certificate