Personal Cert - Is CTL used like I think it is?

on 07.02.2006 19:53:28 by frank

We have our own CA at our company (Windows 2000 service). Our IIS server (Win
2000) is set to use CTL (Cert Trust List) and I added our company CA cert to
the list. I have issued personal certs for our users from our CA, however
when they try to log into the SSL website, they choose the correct Personal
Cert issued from our CA, yet it tells them that "The page requires a valid
Client Cert". Am I doing something wrong here?

How can I make it so only users with a Personal Cert from our CA can log
into the website? I think I'm almost there, just need a little kick start. I
would think this is what CTL is used for, no? If I do not use the CTL option,
everything works just fine, but IIS allows anyone with a valid Cert to see
the website. For example they can have a valid cert from Verisign or Thawte
and still be allowed in. I just want it so users with a valid cert from OUR
CA are allowed in. Please help! Thanks!

-Frank

RE: Personal Cert - Is CTL used like I think it is?

on 07.02.2006 20:49:02 by frank

To add to this issue.... I set up IIS on the CA and everything works the way I
want it to. Only the users with a personal cert from my CA are allowed (via
CTL). I don't remember what cert I used to add to the CTL, but I noticed that
when I view the CTL Cert, it says "You have a private key that corresponds to
this certificate" on the very bottom.

When I look at the CTL for the server that does not work (not the CA server)
it doesn't have that line "You have a private key that corresponds to this
cert." Is this what is causing the problem? Does the CA/IIS server have the
private key because the CA is installed on the same server? Is there a way to
export the CA Root private key and import into the IIS server? gaahh.. so
much confusion..

-Frank

"Frank" wrote:

> We have our own CA at our company (Windows 2000 service). Our IIS server (Win
> 2000) is set to use CTL (Cert Trust List) and I added our company CA cert to
> the list. I have issued personal certs for our users from our CA, however
> when they try to log into the SSL website, they choose the correct Personal
> Cert issued from our CA, yet it tells them that "The page requires a valid
> Client Cert". Am I doing something wrong here?
>
> How can I make it so only users with a Personal Cert from our CA can log
> into the website? I think I'm almost there, just need a little kick start. I
> would think this is what CTL is used for, no? If I do not use the CTL option,
> everything works just fine, but IIS allows anyone with a valid Cert to see
> the website. For example they can have a valid cert from Verisign or Thawte
> and still be allowed in. I just want it so users with a valid cert from OUR
> CA are allowed in. Please help! Thanks!
>
> -Frank
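What both posts above are asking IIS to do, shown as an added example that is not part of the original thread and is not IIS or Windows code: a Go program that builds a trust list holding only the company CA's public certificate (the role a CTL plays) and checks client certificates against it, so a certificate issued by some other CA is rejected even though it is otherwise valid. The two CAs, the user names and the `tls.Config` are constructed in memory for illustration and are assumptions, not anything from the thread. Note that only the CA's public certificate goes into the trust list; the CA's private key is used solely to issue certificates and is never needed on the web server that does the checking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer holds a CA certificate and the private key that signs with it.
// The key stays with the CA; the trust list below only ever sees ca.cert.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA certificate in memory (constructed for this example).
func newCA(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// issueClientCert issues a "personal cert" for a user, marked for client authentication.
func (ca *issuer) issueClientCert(user string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustListFor is the CTL equivalent: a root pool containing only the CA
// certificates we choose to honour for client authentication.
func trustListFor(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	return pool
}

// acceptedByTrustList reports whether cert chains to a CA in the trust list and
// is valid for client authentication. A cert from any CA not in the pool fails.
func acceptedByTrustList(cert *x509.Certificate, pool *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// serverTLSConfig wires the trust list into a TLS server: a client certificate is
// required and must verify against ClientCAs, i.e. only against our CA.
func serverTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
}

func main() {
	corp, _ := newCA("Example Corp Internal CA") // our own CA (assumed name)
	public, _ := newCA("Some Public CA")         // stand-in for a Verisign/Thawte-style CA
	ours, _ := corp.issueClientCert("alice")
	theirs, _ := public.issueClientCert("mallory")
	ctl := trustListFor(corp.cert) // only our CA's public cert goes in
	fmt.Println("cert from our CA accepted:", acceptedByTrustList(ours, ctl))    // true
	fmt.Println("cert from public CA accepted:", acceptedByTrustList(theirs, ctl)) // false
}
```

The decisive difference from "any valid cert" is the root pool: with only the company CA in it, a certificate from a public CA has no path to a trusted root and is rejected, regardless of how reputable its issuer is.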