I'm having a trust chain error when I receive my response in WSE 3.0.

Their cert is fine when I grab the WSDL. Their cert is fine when I connect. It likes my public cert when I send the XML request.

What WSE doesn't like is the token in the response. Microsoft.Web.Service3 calls getelement, then loadbinarysecuritytoken, but then checks the chain and doesn't like what it sees.

I'd like to know what token it doesn't like. I'm not sure how to see what the token is. It's binary data so HttpAnalyzer doesn't help much.

I can't fix the issue until I have full knowledge of what's wrong. Are they sending me the wrong cert? Is it just a cert I don't have and need to add to my personal trust? What?

+1  A: 

You must know which certificates are involved, right? Usually a client certificate and a server certificate. It sounds to me as if the client cannot validate the server certificate that was used to sign the message the client receives. If you are using self-signed certificates then you should try to add that certificate to the Trusted Root CAs certificate folder on the client machine. If your client is a service then you have to put it under LocalMachine (assuming the service is running as Network Service), otherwise put it under CurrentUser. Hope this points you in the right direction.

klausbyskov
I know what certificate I'm *expecting* to get back from the server. The issue is that I'm not sure if that's the actual certificate in the SOAP message. The SOAP message is processed by core .NET code. It's a binary stream in the SOAP message. WSE decrypts the SOAP message into a certificate object, then processes it. If this was the certificate I was expecting, it wouldn't crash. The question is - what certificate am I actually **getting**. How do I figure that out?
diadem
To sum up: Unfortunately, no. I don't know what cert I'm getting back. That's the issue. I know what's on the header of the ssl request but I don't know what the signature is in the soap message itself.
diadem
Do you have access to the server's SSL certificate? Because if you do you can use Wireshark, decrypt the traffic, see the raw SOAP messages, get the base64 string of the certificate's public key, and then load it into an X509Certificate2 instance and look at it.
klausbyskov
Does it work if you change your certificatechainvalidation rule on the client to none?
klausbyskov
It's been years since I worked with WSE3, I'm just trying to help you think out of the box here ....
klausbyskov
Yes. I can see the soap message fine. Is the field I'm supposed to look at the BinarySecurityToken message? What's the best way to convert that into an x509Certificate2 object?
diadem
If I turn off Verify Trust it works fine.
diadem
I got it, thanks to you. I just needed to convert the string I found in HTTPanalyzer to a bytearray and pass it in as a new object. Thanks!
diadem
Unfortunately, now I have another issue - the certificate *is* valid. It's the same one I've been getting the whole time. It's in root cert auth. It's in personal certs. It's just being denied.
diadem
SOLUTION: The verify didn't fail locally because it was looking in CurrentUser, where the cert existed. For a **single** verify call, it switches to MyComputer instead of CurrentUser. The cert needed to be added to MyComputer.
diadem
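The two steps worked out in the comments above (pulling the BinarySecurityToken out of the captured SOAP response and loading it as an X509Certificate2, then seeing whether the chain builds under CurrentUser or LocalMachine) can be done from a small console tool. The code below is an added example written for this page, not code from the thread or from WSE; it assumes the response uses the OASIS WS-Security 1.0 `wsse` namespace (the one WSE 3.0 emits) and that you have the raw envelope saved to a file by your HTTP proxy or Wireshark. The class and method names are the example's own.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

// Added example: decode a wsse:BinarySecurityToken into a certificate and
// build its chain against both store locations, so a "trust chain" failure
// can be traced to the certificate actually received and the store consulted.
static class TokenInspector
{
    // Assumption: WS-Security 1.0 secext namespace, which WSE 3.0 uses.
    const string WsseNs =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Extract the first BinarySecurityToken from a captured SOAP envelope and
    // decode its base64 body (DER-encoded X.509) into an X509Certificate2.
    public static X509Certificate2 LoadTokenFromSoap(string soapXml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(soapXml);
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("wsse", WsseNs);

        XmlNode token = doc.SelectSingleNode("//wsse:BinarySecurityToken", nsm);
        if (token == null)
            throw new InvalidOperationException("No wsse:BinarySecurityToken in message");

        // Transports often wrap the base64 with whitespace; Trim before decoding.
        byte[] der = Convert.FromBase64String(token.InnerText.Trim());
        return new X509Certificate2(der);
    }

    // Print identifying fields, then build the chain once against the user
    // stores and once against the machine stores. The thread's finding was
    // that the failing verify consulted the machine store while the cert had
    // only been added for the current user; running both shows that gap.
    public static void Report(X509Certificate2 cert)
    {
        Console.WriteLine("Subject:    " + cert.Subject);
        Console.WriteLine("Issuer:     " + cert.Issuer);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);
        Console.WriteLine("Valid:      " + cert.NotBefore + " to " + cert.NotAfter);

        foreach (StoreLocation location in
                 new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            // X509Chain(bool useMachineContext) picks the store set to consult.
            using (var chain = new X509Chain(location == StoreLocation.LocalMachine))
            {
                // Revocation is left out so the result isolates trust-chain issues.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                bool ok = chain.Build(cert);
                Console.WriteLine(location + " chain valid: " + ok);
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.WriteLine("  " + s.Status + ": " + s.StatusInformation);
            }
        }
    }

    // Usage: TokenInspector.exe captured-response.xml
    static void Main(string[] args)
    {
        string soap = File.ReadAllText(args[0]);
        Report(LoadTokenFromSoap(soap));
    }
}
```

X509Chain is used instead of X509Certificate2.Verify() because Verify() gives a single yes/no with no control over the store context, whereas the chain object lets you choose the machine or user context explicitly and lists every X509ChainStatus reason (untrusted root, partial chain, name mismatch) that led to the failure.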
Hey, that's great. Happy to help.
klausbyskov