Requiring Client Certificates


Requiring Client Certificates Steve Cook
4/28/2004 5:42:40 PM
iis security:
We have an online root CA and two online subordinate CAs. These are not
enterprise CAs. Two of the CAs are standalone servers and one is a domain
member server. Issued certificates will be used for data encryption. A COM
object is used to request certificates on behalf of our users (CAPI and
CAPICOM). We call this object from an ASP page on an internal web server and
give the resulting pfx file (PKCS12) to a user for installation on their
workstation. When they execute the file, it places their personal
certificate in their personal store, the subordinate server certificate in
the Intermediate Certificate Authority store and the root CA certificate in
the Trusted Root store. All certificates are shown as valid and the personal
certificate shows that the user has a private key that corresponds to their
personal certificate.

To test, we set up a new internal web server with access to all three CAs.
We set up a web site on that server to require SSL, require client certificates
and use a certificate trust list that included only our root certificate
server. When clients connected, they were prompted by IE to select a
certificate to send. The certificate we issued to them was the only
certificate listed as valid. The web server accepted this certificate and
allowed the users to view content.

Our deployment web server is separated from our CAs by a firewall and
cannot communicate with those servers. Since this box cannot reach the
CAs, I set up a second site on this box where I placed copies of the
CRLs and CRTs from all three CAs. I modified all three CAs to list this
as a CRL distribution point. I issued new client certificates and checked
that the new distribution point was listed in the properties for the entire
chain.

Test users connect to a secure site on the deployment web server. This site
is currently set to require SSL and to require a client certificate, but not
to use a certificate trust list. When users connect, Internet Explorer
notifies them that the site requires a client certificate and gives them a
list of valid certificates to select from. This list is empty. Why? How can
I get the server to recognize the user's certificate? When I log into the
deployment server as an administrator I see our root CA listed as a trusted
root. The same happens with a certificate trust list.

I've read Q257586, Q257587, Q257591 and many others, but can find no
specifics on what information from the web server identifies potentially
valid certificates to the browser. Can anybody shed some light on this?



Re: Requiring Client Certificates Steve Cook
5/3/2004 4:33:57 PM
I finally resolved this issue by extrapolating information contained in
Q216339. The trouble was that the root CA certificate was not placed in the
trusted roots for the local machine on the isolated web server.
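An added check for the condition described in this thread (example code, not something posted in the original discussion): Schannel builds the list of acceptable issuers that IIS sends to the browser from the computer's Trusted Root store, not from the logged-on user's store, so a root that looks trusted to an administrator can still be missing for IIS. The script assumes a .cer copy of one issued client certificate at a placeholder path and is run in an elevated PowerShell session on the IIS server.

```powershell
# Added example, not code from the original thread. Assumes a DER/Base64 .cer copy of one
# issued client certificate at $ClientCertPath (placeholder path) and an elevated session
# on the IIS server, so that the LocalMachine stores are readable.
param([string]$ClientCertPath = 'C:\placeholder\client.cer')

$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Store placement is the question here; revocation is a separate concern (the copied CRLs).
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($client)

function Test-InStore([string]$StorePath, [string]$Thumbprint) {
    # Returns $true when a certificate with this thumbprint exists in the given store.
    [bool](Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# One row per chain element: where does each certificate actually live on this server?
$report = foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    [pscustomobject]@{
        Subject     = $c.Subject
        IsRoot      = ($c.Subject -eq $c.Issuer)
        MachineRoot = Test-InStore 'Cert:\LocalMachine\Root' $c.Thumbprint
        MachineCA   = Test-InStore 'Cert:\LocalMachine\CA'   $c.Thumbprint
        UserRoot    = Test-InStore 'Cert:\CurrentUser\Root'  $c.Thumbprint
    }
}
$report | Format-Table -AutoSize

# The trap from the thread: the root shows as trusted for the logged-on admin (UserRoot)
# while the machine store IIS consults is missing it, so Schannel never advertises that
# issuer and the browser's certificate picker stays empty.
$root = $report | Where-Object IsRoot
if (-not $root) {
    Write-Warning 'Chain did not reach a self-signed root; the root CA certificate is in no readable store.'
} elseif (-not $root.MachineRoot) {
    Write-Warning "Root '$($root.Subject)' is not in Cert:\LocalMachine\Root; IIS will not offer it as an acceptable issuer."
} else {
    Write-Output 'Root CA is present in the machine Trusted Root store.'
}
```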


