<x509> Element

Specifies where WSE looks for X.509 certificates and how it verifies them.

<microsoft.web.services2> Element
  <security> Element

<x509
   storeLocation="LocalMachine|CurrentUser"
   verifyTrust="true|false"
   allowTestRoot="true|false" 
   allowRevocationUrlRetrieval="true|false" 
   allowUrlRetrieval="true|false" />

Attributes and Elements

Attributes

Attribute Description

storeLocation

Optional attribute. Specifies where WSE searches for X.509 certificates when it attempts to retrieve or verify a certificate. Typically, a client application sets the storeLocation attribute to CurrentUser and an XML Web service sets it to LocalMachine. The default is LocalMachine.

This attribute also specifies the certificate store from which the CA certificate chain is retrieved during the signature verification process. The signature verification process verifies the integrity of the signature when a signed SOAP message is received. If the SOAP message recipient is an XML Web service, then WSE always retrieves the CA certificate chain from the LocalMachine store, unless the process identity for ASP.NET (ASPNET by default) is changed to an account with log-on permissions. The identity of the ASP.NET process is specified in the <processModel> element. See the <processModel> topic in the .NET Framework documentation.

verifyTrust

Optional attribute. Specifies whether WSE verifies that X.509 certificates used to sign a message have an issuer chain that extends to a trusted root authority. The default is true.   

allowTestRoot

Optional attribute. Specifies whether WSE modifies the trust verification process to allow X.509 certificates signed by a test root to pass the verification. The default is false. Only valid when the verifyTrust attribute is true.

allowRevocationUrlRetrieval

Optional attribute. Specifies whether WSE does URL retrieval during certificate revocation checking. When it is set to false, revocation checking only accesses cached URLs and does not access the network to do any revocation URL retrieval. The default value is true. Only valid when the verifyTrust attribute is true.

allowUrlRetrieval

Optional attribute. Specifies whether WSE does URL retrieval during certificate trust chain construction. When this attribute is set to false, only cached URLs are used in building a certificate trust chain, and WSE does not access the network to do any URL retrieval. The default value is false. Only valid when the verifyTrust attribute is true.

Child Elements

None.

Parent Elements

Element Description

<security> Element

Controls the security settings for a WSE application.

Remarks

Before adding the <x509> element to a configuration file, you must add the microsoft.web.services2 configuration section handler to the configuration file. For details about adding the microsoft.web.services2 configuration section handler, see <section> Element (WSE for Microsoft .NET).

When the client application is an ASP.NET Web form, it might be preferable to use the Local Machine certificate store. By default, an ASP.NET Web form runs under the ASPNET account, which has an auto-generated password. This can make it difficult to log into the account and install X.509 certificates. If the X.509 certificates are placed in the Local Machine certificate store, then any administrator on the computer can install the certificates.

Example

The following code example specifies that WSE retrieves X.509 certificates from the CurrentUser certificate store and also specifies that certificates signed by a test root pass verification.

<configuration>
  <microsoft.web.services2>
    <security>
      <x509 storeLocation="CurrentUser"
            verifyTrust="true" 
            allowTestRoot="true" />
    </security>
  </microsoft.web.services2>
</configuration>
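The configuration above is a development setting, because allowTestRoot="true" accepts certificates chained to a test root. As an added example that is not part of the original documentation, the following configuration shows the production-oriented counterpart for an XML Web service, with every attribute of the <x509> element set explicitly and its effect noted. The <configSections> entry is included because the Remarks require the section handler to be registered first; the handler type and strong name shown are assumed and should be checked against the installed WSE 2.0 assembly.

```xml
<configuration>
  <!-- The microsoft.web.services2 section handler must be registered before
       the <microsoft.web.services2> element can be used (see Remarks).
       The type name and strong name below are assumed values; verify them
       against the Microsoft.Web.Services2 assembly installed on the machine. -->
  <configSections>
    <section name="microsoft.web.services2"
             type="Microsoft.Web.Services2.Configuration.WebServicesConfiguration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <microsoft.web.services2>
    <security>
      <!-- Production settings for an XML Web service:
           storeLocation="LocalMachine"
             The service process identity (ASPNET by default) reads this store
             without an interactive log-on, and administrators can install
             certificates into it.
           verifyTrust="true"
             The signing certificate's issuer chain must extend to a trusted
             root. The three attributes below are only honoured when this is true.
           allowTestRoot="false"
             Certificates signed by a test root fail verification. Set this to
             "true" only in a development configuration.
           allowRevocationUrlRetrieval="true"
             Revocation checking may retrieve revocation data from the network
             rather than relying solely on cached URLs.
           allowUrlRetrieval="true"
             Chain building may retrieve issuer certificates from the network
             when they are not already cached locally (the default is false). -->
      <x509 storeLocation="LocalMachine"
            verifyTrust="true"
            allowTestRoot="false"
            allowRevocationUrlRetrieval="true"
            allowUrlRetrieval="true" />
    </security>
  </microsoft.web.services2>
</configuration>
```

Setting allowRevocationUrlRetrieval or allowUrlRetrieval to "false" keeps verification offline but means a revoked certificate or an issuer not present in the local store is only detected if the relevant data is already cached.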

See Also

Tasks

X.509 Certificate Tool (WseCertificate2.exe)

Other Resources

Managing X.509 Certificates
X.509 Certificate