Hi

I am new to understanding certificates and I have looked at a mass of information on the web, but I am still not clear as to what I need to progress.

We have created a web application, which is to be accessed by our clients (about 10). We have purchased a server certificate from Verisign so the website is accessed over SSL. The clients need to login to the website using userid/password etc, however we would like a further security mechanism such as a client certificate.

The idea would be to issue each client with a certificate on a CD which would be unique to that client, which they would then install.

I have created a CA server which is separate from our web server. I installed this as a standalone Root CA. I can then browse to http://caserver/certserv and request an advanced certificate which I complete with the client's details. I can then import this certificate into Internet Explorer certificates under the Personal tab.

I am sure there is more I need to do, but am not sure where to start. I have heard about Chains, and using a company certificate to sign your own, but am not sure how to go about doing this.

Any help would be appreciated.

Many thanks in advance.
On Sep 24, 2:36 am, zzgfz...@trashmail.net wrote:
> [quoted text]
Actually, you have all of the pieces correct. The only thing you have to do is to install the public key of your CA server's signing key into the Trusted Root store of your Web Server. You can easily obtain this public key from the CA server by downloading the CER/PVK file containing the "complete trust chain" instead of just the CER file at the end.

Here's the quick explanation of what's going on:

1. Your CA server has a web site which issues client certificates signed with the CA server's private key.
2. You import this signed client certificate onto the web browser's machine, which allows it to be sent as client certificate for SSL authentication.
3. When the server gets this client certificate, it NEEDS to trust the public key which signs the client certificate -- this trust is what allows the server to believe that the client is who they say they are, which is the point of Client Certificate Authentication.

You've already done #1 and #2. Step #3 requires that you install the public key of the CA server's signing key into the Trusted Root store of your web server to complete the trust chain.

You don't need company certificates, nor chains, etc. Yes, they can establish the same missing trust as above but through a different route. I'm just telling you the most direct route which costs nothing because it is the cheapest, hassle-free way to correctly complete the trust that you need for SSL Client Certificate Authentication.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
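Step #3 above, done on the web server with a script rather than by hand, as an added example (this is not code from the thread or from David): it installs the CA's public certificate into the machine's Trusted Root store and then builds the chain for one issued client certificate exactly as the server will, so the missing-trust problem shows up as a named chain status instead of a failed login. The file paths are hypothetical, the Client Authentication purpose check assumes the certificates were requested with that purpose, and `Import-Certificate` needs the PKI module (Windows 8 / Server 2012 or later; on older systems `certutil -addstore Root ca-root.cer` does the same import).

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the web server.
# Paths are hypothetical placeholders.
param(
    [string]$CaCertPath     = 'C:\certs\ca-root.cer',   # CA public certificate (from "Download certificate chain")
    [string]$ClientCertPath = 'C:\certs\client.cer'     # one issued client certificate, public part only
)

# Step 3: the server must trust the key that signed the client certificates.
$root = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
if ($root.Subject -ne $root.Issuer) {
    # Only a self-signed certificate belongs in Trusted Root; anything else means the wrong file was exported.
    throw "Expected the self-signed CA root, got a certificate issued by '$($root.Issuer)'."
}
Write-Host "Trusted root installed: $($root.Subject) [$($root.Thumbprint)]"

# Check a client certificate the same way the server will: build its chain against the local stores.
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Require the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2); assumes the certs carry that EKU.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList '1.3.6.1.5.5.7.3.2'))

# A standalone CA in a lab usually publishes no CRL reachable from the web server; skip revocation
# here and switch to Online once the CRL distribution point is reachable.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($client)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "OK: '$($client.Subject)' chains to trusted root '$($top.Subject)'"
} else {
    # Each ChainStatus entry names exactly what is missing (UntrustedRoot, NotTimeValid, ...).
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation) }
    throw 'Client certificate does not chain to a trusted root on this server.'
}
```

Before the root is imported, `Build` fails with `UntrustedRoot`; after it, the same call succeeds, which is the trust David describes. The self-signed check guards against importing an intermediate or the client certificate itself into Trusted Root by mistake.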
Many thanks for your reply David. It makes sense in theory, however could you please explain to me how I download the public key from the CA server as I cannot find the option.

Sorry to seem thick!!!
Actually, the public key is very easy to obtain.

Double click on the Client Certificate CER file that you've downloaded. Navigate to the "Certification Path" tab and click on the root certificate (it's going to have a red X through it since it's not trusted). View that Certificate, then choose to Install Certificate.

It'd be analogous to intentionally doing the installation. With Microsoft Cert Server, I paste in the filename of the advanced request that I generated and hit "next". I arrive at /certsrv/certfnsh.asp which issues the client certificate to me. At that point, I have two options:
- Download certificate
- Download certificate chain

Choose to download the certificate chain, and it will come with the public key of the CA Server that you need.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Sep 26, 3:38 am, zzgfz...@trashmail.net wrote:
> [quoted text]
Awwwww I'm really not having much luck with this! I think I followed the instruction below but while I no longer get the red X, I get an error when I try and access the website (the standard Internet Explorer cannot display webpage).

Going back a step, on the client machine, should the certificate be installed into the Personal tab or the Other People tab?

I think what I really need is a step-by-step idiot's guide! Is such a thing available?
The client certificate needs to be installed into the Personal tab.

The public key of the CA needs to be installed into the Trusted Root tab.

Please clarify the exact error that results in the IE Friendly Error page. Either turn off IE's "Show Friendly HTTP Errors" option, or report the log entry on your web server which corresponds to the failing response.

There are probably step-by-step guides available, but I haven't needed any of them so I don't know of any.

Certificate stuff tends to be hard because everything needs to be perfect.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Sep 28, 8:27 am, zzgfz...@trashmail.net wrote:
> [quoted text]
Thanks for your help so far David, I think I am almost there! I have managed to get it working, however now trying to reproduce it on another machine I am still having problems.

I am finding importing the client certificate into the Personal tab hit and miss; sometimes it goes in, but most of the time it doesn't. I can't work out why it does sometimes and not others. Is this to do with the way I have created the certificate, or the way I am importing it, or something else?

Many thanks

On Sat, 29 Sep 2007 06:16:44 -0000, David Wang <w3.4you@gmail.com> wrote:
> [quoted text]
Those are all factors. If you want something to be reproducible, then you have to limit the variations. Doing things by hand can introduce human variations (i.e. errors).

You can write simple automation code to consistently load and install certificates into the right store, so that problem can be eliminated.

You can write XEnroll automation code against your CA to consistently create the certificates that you need, so that problem can also be eliminated.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Oct 2, 4:02 am, zzgfz...@trashmail.net wrote:
> [quoted text]
But should it simply be a case of right clicking on the client certificate and selecting install certificate and then selecting personal store (on the client machine)?

On Tue, 02 Oct 2007 21:49:16 -0000, David Wang <w3.4you@gmail.com> wrote:
> [quoted text]
I've never installed it that way so I can't say. I can only say that I've only used automation to install certificates, and it's never given me random results that you are having.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Oct 3, 1:45 am, zzgfz...@trashmail.net wrote:
> [quoted text]
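The client-side half of the automation David recommends, as an added example (not code from the thread or from David) for the two posts above about the "hit and miss" Personal-store import: it installs one client's certificate unattended and then verifies the end state instead of trusting the import wizard. It assumes the client certificate was exported from the machine where it was requested together with its private key as a PFX, and the CA root as a CER; both paths are hypothetical placeholders. The private-key check is the caveat a practitioner would want here: a bare CER imported into Personal on a different machine appears in the store but carries no private key, so the browser never offers it for client authentication.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the client machine
# (the Trusted Root import goes into LocalMachine, which needs elevation and avoids the per-user prompt).
param(
    [string]$PfxPath    = 'C:\certs\client.pfx',   # client certificate + private key, hypothetical path
    [string]$CaCertPath = 'C:\certs\ca-root.cer'   # CA public certificate, hypothetical path
)

# Ask for the PFX password at run time rather than writing it into the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Client certificate + private key -> Personal ("My") store of the user who will browse the site.
$client = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# A certificate without a private key on this machine is useless for client authentication
# even though it shows up under Personal, so fail loudly instead of "going in" silently.
if (-not $client.HasPrivateKey) {
    throw "Imported $($client.Thumbprint) without a private key; re-export from the issuing machine as PFX including the key."
}

# 2. CA public certificate -> Trusted Root, so the client's own Certification Path shows no red X.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Verify the result the way the browser will: find the cert in My and build its chain.
$installed = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.Thumbprint -eq $client.Thumbprint }
if (-not $installed) { throw 'Certificate is not in CurrentUser\My after import.' }
if ($installed.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($installed.NotAfter)." }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Standalone lab CA: no reachable CRL, so skip revocation here; enable it once the CRL is published.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($installed)) {
    foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation) }
    throw 'Chain does not validate on this client; the CA root was not installed correctly.'
}
Write-Host "OK: '$($installed.Subject)' installed with private key, chain valid until $($installed.NotAfter)"
```

Running this on each client machine removes the by-hand variation David mentions: every run either ends with the "OK" line or throws with the specific reason (no private key, wrong store, untrusted root, expired), which is far easier to reason about than an import that sometimes works.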