| Groups | Blog | Home |
dotnet security : How to validate client certificate?
I'm looking for information on how to programmatically validate a
client certificate. I found this article http://support.microsoft.com/kb/315588/ but it stops short in describing how to actually validate the cert. HttpClientCertificate cert = Request.ClientCertificate; if (cert.IsPresent) certDataLabel.Text = cert.Get("SUBJECT O"); else certDataLabel.Text="No certificate was found."; I can get this part working. However, when I revoke the certificate it is still present and would allow the user in. I'm looking for how to say something like: if (cert.IsNotRevoked) Do Something(); How do you check that the client certificate is not revoked? Interact with the CA and the CRL programmatically? Thanks in advance!
Thanks for your reply. Well I'm using 1.1 and 2.0 in different
projects so I actually need both. The IsValid property is true but it remains true even if I revoke the cert (we are our own ca). I was surprised at this (although perhaps it is cached somewhere). My app presents sensitive data so if I revoke a cert I need it to deny the user at that very moment. Is IsValid the only thing people are doing or is there a more thorough approach to validating the certs? Thanks again. [quoted text, click to view] Dominick Baier wrote:
> Which .NET Version? > > What's the value of the IsValid property? > > > > --- > Dominick Baier, DevelopMentor > http://www.leastprivilege.com > > > I'm looking for information on how to programmatically validate a > > client certificate. > > > > I found this article http://support.microsoft.com/kb/315588/ but it > > stops short in describing how to actually validate the cert. > > > > HttpClientCertificate cert = Request.ClientCertificate; > > if (cert.IsPresent) > > certDataLabel.Text = cert.Get("SUBJECT O"); > > else > > certDataLabel.Text="No certificate was found."; > > I can get this part working. However, when I revoke the certificate > > it is still present and would allow the user in. I'm looking for how > > to say something like: > > > > if (cert.IsNotRevoked) > > Do Something(); > > How do you check that the client certificate is not revoked? Interact > > with the CA and the CRL programmatically? > > > > Thanks in advance! > >
Which .NET Version?
What's the value of the IsValid property? --- Dominick Baier, DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > I'm looking for information on how to programmatically validate a > client certificate. > > I found this article http://support.microsoft.com/kb/315588/ but it > stops short in describing how to actually validate the cert. > > HttpClientCertificate cert = Request.ClientCertificate; > if (cert.IsPresent) > certDataLabel.Text = cert.Get("SUBJECT O"); > else > certDataLabel.Text="No certificate was found."; > I can get this part working. However, when I revoke the certificate > it is still present and would allow the user in. I'm looking for how > to say something like: > > if (cert.IsNotRevoked) > Do Something(); > How do you check that the client certificate is not revoked? Interact > with the CA and the CRL programmatically? > > Thanks in advance! >
The ideal thing would be to get IIS to check the revocation of the
certificate for you. If that was to happen, the user would never authenticate in the first place and your code would never run. I'm not sure exactly how you configure SSL in IIS to do this though. There is probably either a metabase or registry setting somewhere. I am pretty sure that schannel in Windows 2003 can check CRLs though. If you want to do this in code, the X509Chain class in .NET 2.0 can be used to try to verify this sort of thing. You don't have good options in .NET 1.1 (p/invoke to the crypto API). Best of luck! Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "JT" <jtaylor1024@gmail.com> wrote in message news:1156551193.771065.276480@m79g2000cwm.googlegroups.com... > Thanks for your reply. Well I'm using 1.1 and 2.0 in different > projects so I actually need both. The IsValid property is true but it > remains true even if I revoke the cert (we are our own ca). I was > surprised at this (although perhaps it is cached somewhere). My app > presents sensitive data so if I revoke a cert I need it to deny the > user at that very moment. > > Is IsValid the only thing people are doing or is there a more thorough > approach to validating the certs? > > Thanks again. > > > > Dominick Baier wrote: >> Which .NET Version? >> >> What's the value of the IsValid property? >> >> >> >> --- >> Dominick Baier, DevelopMentor >> http://www.leastprivilege.com >> >> > I'm looking for information on how to programmatically validate a >> > client certificate. >> > >> > I found this article http://support.microsoft.com/kb/315588/ but it >> > stops short in describing how to actually validate the cert. >> > >> > HttpClientCertificate cert = Request.ClientCertificate; >> > if (cert.IsPresent) >> > certDataLabel.Text = cert.Get("SUBJECT O"); >> > else >> > certDataLabel.Text="No certificate was found."; >> > I can get this part working. However, when I revoke the certificate >> > it is still present and would allow the user in. I'm looking for how >> > to say something like: >> > >> > if (cert.IsNotRevoked) >> > Do Something(); >> > How do you check that the client certificate is not revoked? Interact >> > with the CA and the CRL programmatically? >> > >> > Thanks in advance! >> > >
Yeah,
there is a reg setting for IIS to check CRLs... Can't find it at the moment - google should be your friend. --- Dominick Baier, DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > The ideal thing would be to get IIS to check the revocation of the > certificate for you. If that was to happen, the user would never > authenticate in the first place and your code would never run. I'm > not sure exactly how you configure SSL in IIS to do this though. > There is probably either a metabase or registry setting somewhere. I > am pretty sure that schannel in Windows 2003 can check CRLs though. > > If you want to do this in code, the X509Chain class in .NET 2.0 can be > used to try to verify this sort of thing. You don't have good options > in .NET 1.1 (p/invoke to the crypto API). > > Best of luck! > > Joe K. >
Thanks. I think I may have found it but I still need to confirm. I
got it to work manually using certutil -crl which publishes the crl. I can issue a cert, get into the app, revoke the cert, call certutil, then I can't get in. It looks like there are a couple of other things in order to automate it effectively... First, how often the server publishes the crl, and second, how often the client checks the crl. There appear to be pros and cons to consider in terms of performance when setting these intervals. Revoking certificates and publishing CRLs http://technet2.microsoft.com/WindowsServer/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true Schedule the publication of the certificate revocation list http://technet2.microsoft.com/WindowsServer/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true CertCheckMode Metabase Property (IIS 6.0) http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0c08d268-1634-4486-8382-b735e295b3aa.mspx?mfr=true RevocationFreshnessTime Metabase Property (IIS 6.0) http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a7540ad3-0a18-41b8-81e0-43523a92347d.mspx?mfr=true
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |