Using Azure SDK 2.3 on my vs2013 development VM I can consume Service Bus queues hosted in Azure painlessly. However, on Windows Server 2008 R2 Standard SP1, it looks like Windows can not trust the involved certificates and an exception is thrown.

The line that throws :

// Send the message
await queueclient.SendAsync(message);

Exception message :

The X.509 certificate is not in the trusted people store. The X.509 certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

The CAPI2 logs (attached below) pointed to a trust issue so I compared certificates installed on both machines. The following certificates are absent on the server :

Intermediate Certification Authorities > Microsoft Internet Authority (Issued by Baltimore CyberTrust Root)

Intermediate Certification Authorities > MSIT Machine Auth CA 2 (Issued by Microsoft Internet Authority)

The questions :

  1. Where does the certificates come from?
  2. Why are they missing from the server?
  3. How to fix this issue?

Possible trails (updated) :

  1. Install Azure SDK 2.3 for Visual Studio 2013 on the server
  2. Install all Windows Updates on the server

I tried :

  <add key="Microsoft.ServiceBus.X509RevocationMode" value="NoCheck"/>

CAPI2 Verify Chain Policy event :

CAPI2 Build Chain event :

CAPI2 X509 Objects event :

The missing certificates were responsible for the exception.

I haven't been able to find the certificates online and I'm still unsure of how EXACTLY they managed to install themselves BUT I think I have an idea..

How we managed to obtain the certificates? We isolated the Service Bus messaging code into a console application and executed it with admin rights on the production server. The certificates installed themselves automatically in the process.

Perhaps our application pool, running under ApplicationPoolIdentity with limited permissions was not allowing Windows to download or install the certificates.

This link seems to offer related information :

Update : You can download the certificate chain here.


To eliminate certificate trust issues from Service Bus for Windows Server, use the following:

Create a list of the certificates you trust:

    var trustedCertificates = new HashSet<string>(new[]
    }, StringComparer.OrdinalIgnoreCase);

Trust those:

    ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
        if (errors == SslPolicyErrors.None)
            return true;

        var hashString = certificate.GetCertHashString();
        var isTrusted = trustedCertificates.Contains(hashString);

        if (!isTrusted)
            telemetryClient.TrackTrace($"Untrusted: {hashString} Errors: {errors} Cert: {certificate.ToString()}", SeverityLevel.Warning);

        return isTrusted;

Calm Service Bus down too:

    private static void SetCertificateValidator()
        var retriableCertificateValidatorType = Type.GetType("Microsoft.ServiceBus.Channels.Security.RetriableCertificateValidator, Microsoft.ServiceBus", true, false);
        var instanceProperty = retriableCertificateValidatorType.GetProperty("Instance", BindingFlags.Static | BindingFlags.NonPublic);
        var instance = instanceProperty.GetValue(null);

        var peerOrChainTrustNoCheck = retriableCertificateValidatorType.GetField("peerOrChainTrustNoCheck", BindingFlags.Instance | BindingFlags.NonPublic);
        peerOrChainTrustNoCheck?.SetValue(instance, new EmptyOpX509CertificateValidator());

    private sealed class EmptyOpX509CertificateValidator : X509CertificateValidator
        public override void Validate(X509Certificate2 certificate)