Require only specific client certificates in IIS












2















I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.



I've set the SSL Settings to Require SSL and require client certificates. Looks good so far.
Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:




When the server prompts for a certificate, the request includes a list
of the certification authorities that the server trusts. The client
then compares this list to the list of certification authorities that
the client trusts and creates a list of the ones that match. Then, the
client compares that list to the client certificates it has and
determines which, if any, certificates have been issued by
certification authorities that both the client and the server trust.




Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.



What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?










share|improve this question























  • The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

    – Brian
    Jan 14 '14 at 19:02






  • 2





    @Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

    – Jeremy
    Jan 15 '14 at 20:55











  • @Jeremy did you ever find a solution to this problem?

    – ahsteele
    Jan 24 '17 at 20:31











  • @ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

    – Jeremy
    Jan 24 '17 at 21:26













  • @Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

    – ahsteele
    Jan 24 '17 at 22:13
















2















I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.



I've set the SSL Settings to Require SSL and require client certificates. Looks good so far.
Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:




When the server prompts for a certificate, the request includes a list
of the certification authorities that the server trusts. The client
then compares this list to the list of certification authorities that
the client trusts and creates a list of the ones that match. Then, the
client compares that list to the client certificates it has and
determines which, if any, certificates have been issued by
certification authorities that both the client and the server trust.




Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.



What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?










share|improve this question























  • The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

    – Brian
    Jan 14 '14 at 19:02






  • 2





    @Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

    – Jeremy
    Jan 15 '14 at 20:55











  • @Jeremy did you ever find a solution to this problem?

    – ahsteele
    Jan 24 '17 at 20:31











  • @ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

    – Jeremy
    Jan 24 '17 at 21:26













  • @Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

    – ahsteele
    Jan 24 '17 at 22:13














2












2








2


1






I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.



I've set the SSL Settings to Require SSL and require client certificates. Looks good so far.
Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:




When the server prompts for a certificate, the request includes a list
of the certification authorities that the server trusts. The client
then compares this list to the list of certification authorities that
the client trusts and creates a list of the ones that match. Then, the
client compares that list to the client certificates it has and
determines which, if any, certificates have been issued by
certification authorities that both the client and the server trust.




Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.



What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?










share|improve this question














I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.



I've set the SSL Settings to Require SSL and require client certificates. Looks good so far.
Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:




When the server prompts for a certificate, the request includes a list
of the certification authorities that the server trusts. The client
then compares this list to the list of certification authorities that
the client trusts and creates a list of the ones that match. Then, the
client compares that list to the client certificates it has and
determines which, if any, certificates have been issued by
certification authorities that both the client and the server trust.




Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.



What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?







iis iis-7.5 client-certificate wcf






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 14 '14 at 18:09









JeremyJeremy

3231312




3231312













  • The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

    – Brian
    Jan 14 '14 at 19:02






  • 2





    @Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

    – Jeremy
    Jan 15 '14 at 20:55











  • @Jeremy did you ever find a solution to this problem?

    – ahsteele
    Jan 24 '17 at 20:31











  • @ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

    – Jeremy
    Jan 24 '17 at 21:26













  • @Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

    – ahsteele
    Jan 24 '17 at 22:13



















  • The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

    – Brian
    Jan 14 '14 at 19:02






  • 2





    @Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

    – Jeremy
    Jan 15 '14 at 20:55











  • @Jeremy did you ever find a solution to this problem?

    – ahsteele
    Jan 24 '17 at 20:31











  • @ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

    – Jeremy
    Jan 24 '17 at 21:26













  • @Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

    – ahsteele
    Jan 24 '17 at 22:13

















The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

– Brian
Jan 14 '14 at 19:02





The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.

– Brian
Jan 14 '14 at 19:02




2




2





@Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

– Jeremy
Jan 15 '14 at 20:55





@Brian - I don't understand. we're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?

– Jeremy
Jan 15 '14 at 20:55













@Jeremy did you ever find a solution to this problem?

– ahsteele
Jan 24 '17 at 20:31





@Jeremy did you ever find a solution to this problem?

– ahsteele
Jan 24 '17 at 20:31













@ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

– Jeremy
Jan 24 '17 at 21:26







@ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)

– Jeremy
Jan 24 '17 at 21:26















@Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

– ahsteele
Jan 24 '17 at 22:13





@Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.

– ahsteele
Jan 24 '17 at 22:13










1 Answer
1






active

oldest

votes


















-1














I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.



https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/






share|improve this answer
























  • Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

    – bertieb
    Jan 5 at 15:53











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f701634%2frequire-only-specific-client-certificates-in-iis%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









-1














I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.



https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/






share|improve this answer
























  • Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

    – bertieb
    Jan 5 at 15:53
















-1














I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.



https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/






share|improve this answer
























  • Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

    – bertieb
    Jan 5 at 15:53














-1












-1








-1







I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.



https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/






share|improve this answer













I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.



https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 5 at 15:05









Carlos GuevaraCarlos Guevara

1




1













  • Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

    – bertieb
    Jan 5 at 15:53



















  • Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

    – bertieb
    Jan 5 at 15:53

















Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

– bertieb
Jan 5 at 15:53





Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

– bertieb
Jan 5 at 15:53


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f701634%2frequire-only-specific-client-certificates-in-iis%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

8-я гвардейская общевойсковая армия

Алькесар