WSE3003: The certificate's trust chain could not be verified

Question

I am writing a system that consumes a public web service. I'm consuming the web service using VS2008 and classic .NET Framework 2.0 Web Services technology. My problem is not consuming the web service or calling it's operations.

The problem is when I get the response back from the operation it is signed and behind-the-scenes the generated proxy starts verifying the signature. And at that time I get the WSE3003 error. I (think I) have loaded the service certificate into my LocalComputer/TrustedPeople certificate storage and when I look at it's certificate path I can see that all is ok:

VeriSign Class 3 Public Primary CA
     www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97...
          servcert.there.com

But I keep getting the following exception:

Microsoft.Web.Services3.ResponseProcessingException: WSE910: An error happened during the processing of a response message, and you can find the error in the inner exception. You can also find the response message in the Response property. ---> Microsoft.Web.Services3.Security.SecurityFault: The security token could not be authenticated or authorized ---> System.Security.SecurityException: WSE3003: The certificate's trust chain could not be verified. Please check if the certificate has been properly installed in the Trusted People Certificate store. Or you might want to set allowTestRoot configuration section to true if this is a test certificate.

The following code probably doesn't compile and I have removed some of the sensitive stuff but here is the idea behind how I do my part:

// Construct the wse proxy
MyServiceWse wsClient = new MyServiceWse();

// Assign the credentials
UsernameToken userToken = new UsernameToken("user", "pass", PasswordOption.SendPlainText);
wsClient.SetClientCredential(userToken);
wsClient.RequestSoapContext.IdentityToken = userToken;

// Find the client and service certificates
X509Certificate2 clientCert = MyCertificateManager.FindCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, "mycert.here.com");
X509Certificate2 serviceCert = MyCertificateManager.FindCertificate(StoreLocation.LocalMachine, StoreName.TrustedPeople, "servicecert.there.com");

// Add the policy to the proxy
Policy policy = new Policy();
MySecurityClientAssertion assertion = new MySecurityClientAssertion();
assertion.SetServiceCertificate(serviceCert);
assertion.SetClientCertificate(clientCert);
policy.Assertions.Add(assertion);
wsClient.SetPolicy(policy);

// Assign the service URL and call an operation
wsClient.Url = "https://services.there.com/TheirService.asmx";
TheirOperationResponse r = wsClient.CallTheirOperation();

I sure hope my code is wrong because I can understand that a lot better than the certificate storage and trust chain stuff. Any help would be great. Thanks for you efforts.

Answer 1

If the problem is with the chain then all the other certificates need to be in the cerificate store too.

So let's start from the top; start up MMC and add the Certificate Management snap-in and point it to the local computer account.

Now in the trusted root authority check "VeriSign Class 3 Public Primary CA" is there, and matches the root CA in the certificate you are trying to use. (it should be there, that's a standard one).

Next check that www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97... is in the intermediate certificate authorities store. On my machine there are two of these, one of which is expired.

If they're both there then you need to look at the certificate chain a little closer. Load the web service in your browser and see what certificate error you get from the browser. If you continue onto the site you'll be able to click the SSL icon and work your way up the chain. Click the padlock and choose view certificates. Then choose the certification path tab. Hopefully there you'll see the chain, and problem certs highlighted (I can't find a problem web site right now, so I can't remember what it looks like). Choose the lowest one and see what the error is by highlighting it and clicking view certificate. You may find it's just an expired cert or something like that.