require client certificates SSL
on 05.05.2006 17:07:50 by Frederik Vanderhaeghe
Hi,
I made a certificate with SelfSSL and it is added to the site.
I see the option 'require client certificates'. What does that mean? How can
it be initiated?
Fré
Re: require client certificates SSL
on 05.05.2006 20:21:47 by Miha Pihler
If you enable that option, the users will have to authenticate with a user
certificate. This also means that you will have to deploy client certificates
to any users that will need to access your web server.
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
on 08.05.2006 09:05:37 by Frederik Vanderhaeghe
And how do I have to make a client certificate?
Fré
Re: require client certificates SSL
on 08.05.2006 18:42:29 by Miha Pihler
It depends. Would these users be part of your domain? If yes, then the best
answer is to use a Microsoft Enterprise CA server.
Here are some articles on how to set up a Microsoft CA and how to deploy
certificates to users.
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Implementing and Administering Certificate Templates in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Advanced Certificate Enrollment and Management
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
on 09.05.2006 14:19:13 by Frederik Vanderhaeghe
The users will not be part of the domain.
Re: require client certificates SSL
on 09.05.2006 16:10:21 by Miha Pihler
Then you have a lot of work to do. If you want to set up your own CA server
(related articles are listed in my previous article) you have to think about how
users (or you) will safely generate requests and then how you will transfer
certificates with private keys to users (again in a safe way). In the end you
will also have to think about how to make these users trust your CA server.
This is something that you can avoid if you use a commercial CA server like
Verisign or Thawte, since users already trust these CA servers.
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
on 09.05.2006 16:29:43 by Frederik Vanderhaeghe
So it is impossible :-)
Fré
Re: require client certificates SSL
on 09.05.2006 16:39:31 by Frederik Vanderhaeghe
Or how long would you think this would take to set up?
Fré
Re: require client certificates SSL
on 09.05.2006 17:07:26 by Frederik Vanderhaeghe
I read that a client certificate can be made by exporting the certificate on
the server. If I give that certificate to the clients, by just e-mailing it to
them, and they install the certificate, will they trust my CA server then?
Or am I forgetting something?
Fré
Re: require client certificates SSL
on 09.05.2006 17:34:54 by Miha Pihler
Almost anything is possible ;-)
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
on 09.05.2006 17:39:45 by Miha Pihler
It depends on how secure you want this to be. You might want to consider
deploying an offline root CA and a subordinate online or even Enterprise CA.
A project like this can take up to a few months.
How many users?
What other purposes would this CA be used for?
How will you deploy user certificates?
How and where will you publish the CRL (Certificate Revocation List)?
How long will certificates be valid for?
How long will CA service certificates be valid for?
How often will you publish the CRL?
What devices will use your CA?
These are just a few of the questions that you need to answer.
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
on 09.05.2006 17:45:23 by Miha Pihler
How secure would that be, if you send client certificates (with private
keys) in an e-mail? What if someone else gets that e-mail (it doesn't matter
how) or gets hold of those private keys?
Now in my opinion this would be less secure than telling users passwords
over the phone.
Regarding trusting your CA: yes, you could do that. Now the question is, will
users be allowed to import the CA chain onto their computers? E.g. in some of my
environments users don't have that kind of permission on their computers.
What will happen if a user formats their computer? How much work do you expect
on supporting these users (it depends on the number of users)? You could talk
to the administrators of these external users for some help. They could deploy
the CA chain using group policy.
--
Mike
Microsoft MVP - Windows Security
Re: require client certificates SSL
am 10.05.2006 09:11:45 von Frederik Vanderhaeghe
But would it work if I just make a certificate with SelfSSL, then check
'require secure channel (SSL)' and 'require 128-bit encryption', and choose
'require client certificates'?
Then, in client certificate mapping, say that when x and/or y are in the client
certificate, they are logged on as a user automatically?
Then I send them the exported certificate and they install it. When they
would then go to my site, would they be logged on automatically or would they
have to choose a certificate?
Would this work?
Fré
"Miha Pihler [MVP]" wrote in message
news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
> How secure would that be -- if you send clients certificates (with private
> keys) in an e-mail? What if someone else gets that e-mail (it doesn't
> matter how) or gets hold of those private keys?
> Now, in my opinion, this would be less secure than telling users passwords
> over the phone.
>
> Regarding trusting your CA. Yes, you could do that. Now the question is,
> will users be allowed to import the CA chain onto their computers? E.g. in
> some of my environments users don't have that kind of permissions on their
> computers. What will happen if a user formats their computer? How much work
> do you expect on supporting these users (it depends on the number of users)?
> You could talk to the administrators of these external users for some help.
> They could deploy the CA chain using group policy.
>
>
> --
> Mike
> Microsoft MVP - Windows Security
Re: require client certificates SSL
am 10.05.2006 10:54:32 von Miha Pihler
As far as I understand your scenario -- this would not work. Certificates
have their intended purpose and in this case they would be different. For
the server the intended purpose is "Ensures the identity of a remote
computer" and for the client authentication to work it must be "Proves your
identity to a remote computer".
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
> But would it work if I just make a certificate with SelfSSL, then check
> 'require secure channel (SSL)' and 'require 128-bit encryption', and choose
> 'require client certificates'?
> Then, in client certificate mapping, say that when x and/or y are in the
> client certificate, they are logged on as a user automatically?
>
> Then I send them the exported certificate and they install it. When they
> would then go to my site, would they be logged on automatically or would
> they have to choose a certificate?
>
> Would this work?
>
> Fré
Re: require client certificates SSL
am 10.05.2006 10:57:46 von Frederik Vanderhaeghe
I need to have it working by tomorrow, can it work without VeriSign?
If it can't by tomorrow, what is the soonest I could get it working?
Fré
"Miha Pihler [MVP]" wrote in message
news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
> As far as I understand your scenario -- this would not work. Certificates
> have their intended purpose and in this case they would be different. For
> the server the intended purpose is "Ensures the identity of a remote
> computer" and for the client authentication to work it must be "Proves
> your identity to a remote computer".
>
> --
> Mike
> Microsoft MVP - Windows Security
Re: require client certificates SSL
am 10.05.2006 11:24:53 von Miha Pihler
Yes, it can work without VeriSign, but you need two different types of
certificates. The first one is for SSL protection of your server, and this one
can be generated by SelfSSL. The second type of certificate that you need is a
user certificate, which can't be generated by SelfSSL but can be issued by
any CA server (it can be your own CA server, or Thawte or VeriSign, or any
other CA server).
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>I need to have it working by tomorrow, can it work without VeriSign?
> If it can't by tomorrow, what is the soonest I could get it working?
>
> Fré
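The point Mike makes in his two replies above (a server certificate's intended purpose is "Ensures the identity of a remote computer", while client authentication needs "Proves your identity to a remote computer", so the SelfSSL certificate cannot double as the user certificate) can be checked from the command line. The script below is an added example, not code from this thread, from SelfSSL or from a Microsoft CA: it uses the openssl CLI to build a throw-away lab with a private root CA, a self-signed server certificate that carries the Server Authentication purpose only (the SelfSSL case), and a user certificate issued by the CA with Client Authentication, and then asks openssl whether each one would pass as a client certificate. The names (Lab Root CA, www.example.test, fre), the extension profiles and the WORK directory are all made up for the lab.

```shell
#!/bin/sh
# Added example (not from this thread, not Microsoft's tooling): reproduce the
# "intended purpose" distinction with the openssl command line.
# - server.pem : self-signed, Server Authentication only (what SelfSSL makes)
# - ca.pem     : a private root CA, standing in for "your own CA server"
# - client.pem : a user certificate issued by that CA, Client Authentication
# Assumes openssl 1.1.1 or newer on PATH. Names and the WORK dir are made up.

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles for the three certificate types (constructed for the lab).
write_profiles() {
  cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Generate the CA, the self-signed server certificate and the CA-issued user
# certificate into $WORK. Returns non-zero if any openssl step fails.
make_lab() {
  write_profiles
  openssl req -x509 -config "$WORK/lab.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -config "$WORK/lab.cnf" -extensions server_ext \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=fre" -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/lab.cnf" -extensions client_ext \
    -out "$WORK/client.pem" >/dev/null 2>&1 || return 1
}

# Extended Key Usage of a certificate, e.g. "TLS Web Client Authentication";
# this is what the Windows certificate viewer shows as "Intended Purposes".
eku_of() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 \
    | sed 's/^[[:space:]]*//'
}

# Does $1 chain to something in trust file $2, ignoring purpose? This is all
# that importing a certificate into "Trusted Root Certification Authorities"
# buys you.
trusted_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Would a TLS server that trusts $2 accept $1 as a *client* certificate?
# Same chain check plus the purpose check: the EKU must allow clientAuth.
usable_as_client() {
  openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

# `sh eku-lab.sh demo` prints the comparison; without the argument the file
# only defines the functions above.
if [ "${1:-}" = "demo" ]; then
  make_lab || { echo "lab setup failed (is openssl >= 1.1.1 installed?)" >&2; exit 1; }
  echo "server.pem EKU: $(eku_of "$WORK/server.pem")"
  echo "client.pem EKU: $(eku_of "$WORK/client.pem")"
  trusted_chain "$WORK/server.pem" "$WORK/server.pem" \
    && echo "server.pem: chains fine when trusted directly"
  usable_as_client "$WORK/server.pem" "$WORK/server.pem" \
    || echo "server.pem: rejected as a client certificate (wrong purpose)"
  usable_as_client "$WORK/client.pem" "$WORK/ca.pem" \
    && echo "client.pem: accepted as a client certificate"
fi
```

Run it as `sh eku-lab.sh demo`. The self-signed server certificate passes a plain `openssl verify` once it sits in the trust file, which is what importing it into a user's Trusted Root Certification Authorities amounts to, yet `-purpose sslclient` rejects it: the chain is fine, the intended purpose is wrong. That is the check Mike describes, and it is why mailing out the exported SelfSSL certificate cannot work even before the private-key exposure he warns about. Only the certificate issued by the CA with the Client Authentication purpose is accepted, and only against a trust file containing that CA.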
Re: require client certificates SSL
am 10.05.2006 11:39:39 von Frederik Vanderhaeghe
Is the following method the right one to generate the user certificate?
- Go to Internet Explorer on the server
- choose Tools --> Internet Options
- go to the tab 'Content'
- click on 'Certificates'
- go to the tab 'Trusted Root Certification Authorities'
- go to the certificate
- choose 'Export'
- follow the wizard with default values
Then the file is located in the selected folder.
Then I would send this file to the user (just the file, or is something else
needed?)
Then the user has to import the certificate into his 'Trusted Root
Certification Authorities'.
And then it would have to work?
Fré
"Miha Pihler [MVP]" wrote in message
news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
> Yes, it can work without VeriSign, but you need two different types of
> certificates. The first one is for SSL protection of your server, and this one
> can be generated by SelfSSL. The second type of certificate that you need is a
> user certificate, which can't be generated by SelfSSL but can be issued by
> any CA server (it can be your own CA server, or Thawte or VeriSign, or any
> other CA server).
>
> --
> Mike
> Microsoft MVP - Windows Security
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/advcert.mspx
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>>>>> with user's certificate. This also means that you will have to
>>>>>>>>>>>>> deploy client certificate to any users that will need to
>>>>>>>>>>>>> access your web server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Re: require client certificates SSL
am 10.05.2006 16:58:56 von Miha Pihler
No. This would only make users trust the CA server whose certificate you just
exported. It would not allow users to authenticate against your IIS.
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
> Is the following method the right one to generate the user certificate?
> - Go to internet explorer on the server
> - choose for tools --> internet options
> - go to tab 'content'
> - click on 'certificates'
> - go to tab 'trusted root certification authorities'
> - go to the certificate
> - choose for 'export'
> - follow the wizard with default values
>
> Then the file is located in the selected folder.
>
> Then I would send this file to the user (just the file or is something
> else needed?)
>
> Then the user has to import the certificate in his 'Trusted root
> certification authorities'
>
> And then it would have to work?
>
> Fré
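The behaviour Mike describes, as an added example that is not part of the thread (Go, standard library only, with constructed test certificates; the CA name, www.example.test and user.example.test are assumptions): a server configured like IIS with "require client certificates" demands a certificate that chains to a trusted CA and carries the client-authentication purpose. The three handshakes show why the export plan above fails: a user who only imported the exported CA certificate has nothing to present, a SelfSSL-style certificate with the server-authentication purpose is refused, and only a CA-issued certificate with the client-authentication purpose is accepted.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is a constructed in-memory test CA with one leaf certificate of each purpose.
type PKI struct {
	CA        *x509.Certificate
	ServerTLS tls.Certificate // purpose: "Ensures the identity of a remote computer"
	ClientTLS tls.Certificate // purpose: "Proves your identity to a remote computer"
}

// must panics on error; acceptable here because the inputs are fixed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with the signer's key (self-signed when tmpl == parent).
func sign(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildPKI creates the CA plus a server and a client certificate; the two leaves differ
// only in Extended Key Usage, which is the point made in the thread about certificate purposes.
func BuildPKI() *PKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, srvKey, cliKey := newKey(), newKey(), newKey()
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := func(serial int64, name string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
			DNSNames: []string{name}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		}
	}
	srv := sign(leaf(2, "www.example.test", x509.ExtKeyUsageServerAuth), ca, &srvKey.PublicKey, caKey)
	cli := sign(leaf(3, "user.example.test", x509.ExtKeyUsageClientAuth), ca, &cliKey.PublicKey, caKey)
	return &PKI{
		CA:        ca,
		ServerTLS: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		ClientTLS: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey},
	}
}

// Handshake runs one TLS handshake over loopback TCP against a server set up like IIS with
// "require client certificates": the client must present a certificate that chains to the CA
// and is valid for client authentication; empty clientCerts models a user who only imported the
// exported CA certificate. The server's verdict is returned, since a TLS 1.3 client finishes first.
func Handshake(p *PKI, clientCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.ServerTLS},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "www.example.test", Certificates: clientCerts}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, srvCfg).Handshake()
		}
		verdict <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	cliErr := tls.Client(raw, cliCfg).Handshake()
	if srvErr := <-verdict; srvErr != nil {
		return fmt.Errorf("server rejected the client: %w", srvErr)
	}
	return cliErr
}
```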
Re: require client certificates SSL
am 10.05.2006 17:27:05 von Frederik Vanderhaeghe
Then what do I have to do???
Fré
"Miha Pihler [MVP]" wrote in message
news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
> No. This would only make users trust CA server which certificate you just
> exported. This would not allow users to authenticate against your IIS.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
Re: require client certificates SSL
am 10.05.2006 18:39:04 von Miha Pihler
Hi, from one of my previous posts...
You can set up your own CA server and issue client authentication
certificates on it. When doing this you have to think how users (or you) will
safely generate requests and then how you will transfer certificates with
private key to users (again in a safe way). In the end you will also have to
think how to make these users trust your CA server.
How to set up your CA server: here are important articles on the subject.
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Implementing and Administering Certificate Templates in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
PKI Enhancements in Windows XP Professional and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Windows Server 2003 PKI Operations Guide
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing a Windows Server 2003 Public Key Infrastructure
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Advanced Certificate Enrollment and Management
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
When you think about setting up your own CA -- you will have to answer
quite a few questions... Here are some of them:
How many users?
What other purposes would this CA be used for?
How will you deploy user certificates?
How and where will you publish the CRL (Certificate Revocation List)?
How long will certificates be valid for?
How long will CA service certificates be valid for?
How often will you publish the CRL?
What devices will use your CA?
All these answers will impact your CA design.
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
> Then what do I have to do???
>
> Fré
> "Miha Pihler [MVP]" wrote in message
> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>> No. This would only make users trust CA server which certificate you just
>> exported. This would not allow users to authenticate against your IIS.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" wrote in message
>> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>> Is the following method, the right one toe generate the user
>>> certificate?
>>> - Go to internet explorer on the server
>>> - choose for tools --> internet options
>>> - go to tab 'content'
>>> - click on 'certificates'
>>> - go to tab 'trusted root certification authorities'
>>> - go to the certificate
>>> - choose for 'export'
>>> - follow the wizard with default values
>>>
>>> Then the file is located in the selected folder.
>>>
>>> Then I would send this file to the user (just the file or is something
>>> else needed?)
>>>
>>> Then the user has to import the certificate in his 'Trusted root
>>> certification authorities'
>>>
>>> And then it would have to work?
>>>
>>> Fré
>>> "Miha Pihler [MVP]" wrote in message
>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>> Yes, it can work without VeriSign, but you need two different types of
>>>> certificates. First one is for SSL protection of your server and this
>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>> VeriSign or any other CA server).
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" wrote in
>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" wrote in message
>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>> As far as I understand your scenario -- this would not work.
>>>>>> Certificates have their intended purpose and in this case they would
>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>> identity of a remote computer" and for the client authentication to
>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>> Choose for require client certificates.
>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>>
>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>> or would they have to chose a certificate?
>>>>>>>
>>>>>>> Would this work?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>> passwords over the phone.
>>>>>>>>
>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>> administrators of these external users for some help. They could
>>>>>>>> deploy CA chain using group policy.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>will they trust my CA server then?
>>>>>>>>> Or am I forgetting something?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>> server.
>>>>>>>>>>>>
>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/p kienh.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/advcert.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
Re: require client certificates SSL
am 11.05.2006 09:15:03 von Frederik Vanderhaeghe
This would take too long, I'm not going to use SSL then. Thanks for all the
information, Miha.
Fré
"Miha Pihler [MVP]" wrote in message
news:OJeq9AFdGHA.2188@TK2MSFTNGP04.phx.gbl...
> Hi, from one of my previous posts...
>
> You can set up your own CA server and issue client authentication
> certificates on it. When doing this you have to think how users (or you)
> will safely generate requests and then how you will transfer certificates
> with private key to users (again in safe way). In the end you will also
> have to think how to make these users trust your CA server.
>
> How to set up your CA server. Here are important articles on the subject.
>
> Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
> Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> Implementing and Administering Certificate Templates in Windows Server
> 2003
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> PKI Enhancements in Windows XP Professional and Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>
> Windows Server 2003 PKI Operations Guide
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> Managing a Windows Server 2003 Public Key Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>
> Advanced Certificate Enrollment and Management
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>
> When you will think about setting up your own CA -- you will have to
> answer quite a few questions... Here are some of them:
>
> How many users?
> What other purposes would this CA be used for.
> How will you deploy user certificates
> How and where will you publish CRL (Certificate Revocation List)
> How long will certificate be valid for
> How long will CA service certificates be valid for
> How often will you publish CRL
> What devices will use your CA
> All these answers will impact your CA design.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
>
> "Frederik Vanderhaeghe" wrote in message
> news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
>> Then what do I have to do???
>>
>> Fré
>> "Miha Pihler [MVP]" wrote in message
>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>> No. This would only make users trust CA server which certificate you
>>> just exported. This would not allow users to authenticate against your
>>> IIS.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>> Is the following method the right one to generate the user
>>>> certificate?
>>>> - Go to internet explorer on the server
>>>> - choose for tools --> internet options
>>>> - go to tab 'content'
>>>> - click on 'certificates'
>>>> - go to tab 'trusted root certification authorities'
>>>> - go to the certificate
>>>> - choose for 'export'
>>>> - follow the wizard with default values
>>>>
>>>> Then the file is located in the selected folder.
>>>>
>>>> Then I would send this file to the user (just the file or is something
>>>> else needed?)
>>>>
>>>> Then the user has to import the certificate in his 'Trusted root
>>>> certification authorities'
>>>>
>>>> And then it would have to work?
>>>>
>>>> Fré
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>> Yes, it can work without VeriSign, but you need two different types of
>>>>> certificates. First one is for SSL protection of your server and this
>>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>>> VeriSign or any other CA server).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>> I need to have it working by tomorrow, can it work without VeriSign?
>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>> Certificates have their intended purpose and in this case they would
>>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>>> identity of a remote computer" and for the client authentication to
>>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>> Choose for require client certificates.
>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>> automatically?
>>>>>>>>
>>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>>> or would they have to choose a certificate?
>>>>>>>>
>>>>>>>> Would this work?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>>> Now in my opinion this would be less secure than telling users
>>>>>>>>> passwords over the phone.
>>>>>>>>>
>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>> I read that a client certificate can be made by exporting the
>>>>>>>>>> certificate on the server. If I give that certificate to the
>>>>>>>>>> clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>> will they trust my CA server then?
>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>> will also have to think how to make these users trust your CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
Re: require client certificates SSL
am 11.05.2006 11:32:11 von Frederik Vanderhaeghe
Is it possible that the users only need the certificate, and that when they
have the certificate they are logged on anonymously?
Fré
"Miha Pihler [MVP]" wrote in message
news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
> No. This would only make users trust CA server which certificate you just
> exported. This would not allow users to authenticate against your IIS.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>> Is the following method the right one to generate the user certificate?
>> - Go to internet explorer on the server
>> - choose for tools --> internet options
>> - go to tab 'content'
>> - click on 'certificates'
>> - go to tab 'trusted root certification authorities'
>> - go to the certificate
>> - choose for 'export'
>> - follow the wizard with default values
>>
>> Then the file is located in the selected folder.
>>
>> Then I would send this file to the user (just the file or is something
>> else needed?)
>>
>> Then the user has to import the certificate in his 'Trusted root
>> certification authorities'
>>
>> And then it would have to work?
>>
>> Fré
>> "Miha Pihler [MVP]" wrote in message
>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>> Yes, it can work without VeriSign, but you need two different types of
>>> certificates. First one is for SSL protection of your server and this
>>> one can be generated by SelfSSL. Second type of certificates that you
>>> need is user certificate which can't be generated by SelfSSL, but can be
>>> issued by any CA server (it can be your own CA server or Thawte or
>>> VeriSign or any other CA server).
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>> I need to have it working by tomorrow, can it work without VeriSign?
>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>> As far as I understand your scenario -- this would not work.
>>>>> Certificates have their intended purpose and in this case they would
>>>>> be different. For the server the intended purpose is "Ensures the
>>>>> identity of a remote computer" and for the client authentication to
>>>>> work it must be "Proves your identity to a remote computer".
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>> Choose for require client certificates.
>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>
>>>>>> Then I send them the exported certificate and they install it. When
>>>>>> they would then go to my site would they be logged on automatically
>>>>>> or would they have to choose a certificate?
>>>>>>
>>>>>> Would this work?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>> Now in my opinion this would be less secure than telling users
>>>>>>> passwords over the phone.
>>>>>>>
>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the question
>>>>>>> is will users be allowed to import CA chain onto their computers?
>>>>>>> E.g. in some of my environments users don't have that kind of
>>>>>>> permissions on their computers. What will happen if user formats
>>>>>>> their computer? How much work do you expect on supporting these
>>>>>>> users (it depends on number of users). You could talk to
>>>>>>> administrators of these external users for some help. They could
>>>>>>> deploy CA chain using group policy.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>> I read that a client certificate can be made by exporting the
>>>>>>>> certificate on the server. If I give that certificate to the
>>>>>>>> clients, by just e-mailing them, and they install the certificate,
>>>>>>>> will they trust my CA server then?
>>>>>>>> Or am I forgetting something?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>> will also have to think how to make these users trust your CA
>>>>>>>>>>> server.
>>>>>>>>>>>
>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>> CA servers.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server 2003
>>>>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>>>>> 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>> you will have to deploy client certificate to any users that
>>>>>>>>>>>>>>> will need to access your web server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
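Miha's distinction between a certificate that "Ensures the identity of a remote computer" and one that "Proves your identity to a remote computer" is the certificate's Extended Key Usage extension (Server Authentication versus Client Authentication), which is why a SelfSSL server certificate cannot be handed out as a user certificate. The decoder below is an added example, not code from the thread or from Microsoft; it reads that extension from its DER encoding and classifies it, and the EKU byte strings it works on are constructed samples.

```python
"""Decode an X.509 Extended Key Usage (EKU) extension and report which of the
two certificate purposes from the thread it carries.

Added example, not code from the thread or from Microsoft. The EKU byte
strings below are constructed by hand; on a real certificate the same value
is what Windows lists as the certificate's "intended purposes".
"""

# id-kp OIDs from RFC 5280 and the purpose text Windows displays for them.
EKU_PURPOSES = {
    "1.3.6.1.5.5.7.3.1": ("Server Authentication",
                          "Ensures the identity of a remote computer"),
    "1.3.6.1.5.5.7.3.2": ("Client Authentication",
                          "Proves your identity to a remote computer"),
}

# Constructed sample values (DER: SEQUENCE OF OBJECT IDENTIFIER).
# A SelfSSL-style server certificate lists only serverAuth; a user
# certificate needs clientAuth; a CA may issue one that carries both.
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")
CLIENT_AUTH_EKU = bytes.fromhex("300a06082b06010505070302")
BOTH_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")


def _read_length(buf, pos):
    """Return (length, new_pos) for the DER length octets at buf[pos]."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    nbytes = first & 0x7F                 # long form: count of length bytes
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    # The first octet packs the first two arcs as 40*arc1 + arc2.
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:                              # ended inside a multi-byte arc
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    if not der or der[0] != 0x30:
        raise ValueError("EKU must be a DER SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        olen, pos = _read_length(der, pos + 1)
        if pos + olen > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid(der[pos:pos + olen]))
        pos += olen
    if not oids:
        raise ValueError("EKU must list at least one purpose")
    return oids


def classify(der):
    """Return the roles the certificate can fill: 'server' and/or 'client'."""
    roles = set()
    for oid in decode_eku(der):
        if oid == "1.3.6.1.5.5.7.3.1":
            roles.add("server")
        elif oid == "1.3.6.1.5.5.7.3.2":
            roles.add("client")
    return roles


def describe(der):
    """Windows-style purpose lines for the EKU; unknown OIDs shown as dotted."""
    return [EKU_PURPOSES.get(oid, ("Unknown", oid))[1] for oid in decode_eku(der)]


def is_well_formed(der):
    """True when the bytes decode as a valid, non-empty EKU extension."""
    try:
        decode_eku(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, eku in (("SelfSSL server cert", SERVER_ONLY_EKU),
                      ("user cert", CLIENT_AUTH_EKU), ("dual-use", BOTH_EKU)):
        print(f"{name}: {sorted(classify(eku))} -> {describe(eku)}")
```

A certificate whose EKU yields only the server role is not a client-authentication certificate, whatever trust users place in the CA that issued it.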
Re: require client certificates SSL
am 11.05.2006 13:55:01 von Miha Pihler
You should still use SSL. Maybe instead of using client certificates for
authentication you could use static usernames and passwords.
In this case SSL will encrypt the password and any other data sent between
client and server.
Later when you have time you can deploy them with client authentication
certificates.
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:e8YgvqMdGHA.1856@TK2MSFTNGP03.phx.gbl...
> This would take too long, I'm not going to use SSL then. Thanks for all the
> information, Miha.
>
> Fré
>
>
> "Miha Pihler [MVP]" wrote in message
> news:OJeq9AFdGHA.2188@TK2MSFTNGP04.phx.gbl...
>> Hi, from one of my previous posts...
>>
>> You can set up your own CA server and issue client authentication
>> certificates on it. When doing this you have to think how users (or you)
>> will safely generate requests and then how you will transfer certificates
>> with private key to users (again in safe way). In the end you will also
>> have to think how to make these users trust your CA server.
>>
>> How to set up your CA server. Here are important articles on the subject.
>>
>> Best Practices for Implementing a Microsoft Windows Server 2003 Public Key
>> Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>
>> Implementing and Administering Certificate Templates in Windows Server
>> 2003
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>
>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>
>> Windows Server 2003 PKI Operations Guide
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>
>> Managing a Windows Server 2003 Public Key Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>
>> Advanced Certificate Enrollment and Management
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>
>> When you will think about setting up your own CA -- you will have to
>> answer quite a few questions... Here are some of them:
>>
>> How many users?
>> What other purposes would this CA be used for.
>> How will you deploy user certificates
>> How and where will you publish CRL (Certificate Revocation List)
>> How long will certificate be valid for
>> How long will CA service certificates be valid for
>> How often will you publish CRL
>> What devices will use your CA
>> All these answers will impact your CA design.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>>
>> "Frederik Vanderhaeghe" wrote in message
>> news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>> Then what do I have to do???
>>>
>>> Fré
>>> "Miha Pihler [MVP]" wrote in message
>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>> No. This would only make users trust CA server which certificate you
>>>> just exported. This would not allow users to authenticate against your
>>>> IIS.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" wrote in
>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>> Is the following method the right one to generate the user
>>>>> certificate?
>>>>> - Go to internet explorer on the server
>>>>> - choose for tools --> internet options
>>>>> - go to tab 'content'
>>>>> - click on 'certificates'
>>>>> - go to tab 'trusted root certification authorities'
>>>>> - go to the certificate
>>>>> - choose for 'export'
>>>>> - follow the wizard with default values
>>>>>
>>>>> Then the file is located in the selected folder.
>>>>>
>>>>> Then I would send this file to the user (just the file or is something
>>>>> else needed?)
>>>>>
>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>> certification authorities'
>>>>>
>>>>> And then it would have to work?
>>>>>
>>>>> Fré
>>>>> "Miha Pihler [MVP]" wrote in message
>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>> that you need is user certificate which can't be generated by
>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>> I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>> would be different. For the server the intended purpose is "Ensures
>>>>>>>> the identity of a remote computer" and for the client
>>>>>>>> authentication to work it must be "Proves your identity to a remote
>>>>>>>> computer".
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>>> Choose for require client certificates.
>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>> automatically?
>>>>>>>>>
>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>> automatically or would they have to choose a certificate?
>>>>>>>>>
>>>>>>>>> Would this work?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets that
>>>>>>>>>> e-mail (it doesn't matter how) or hold of those private keys?
>>>>>>>>>> Now in my opinion this would be less secure than telling users
>>>>>>>>>> passwords over the phone.
>>>>>>>>>>
>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> I read that a client certificate can be made by exporting the
>>>>>>>>>>> certificate on the server. If I give that certificate to the
>>>>>>>>>>> clients, by just e-mailing them, and they install the
>>>>>>>>>>> certificate, will they trust my CA server then?
>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>>> server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/p kienh.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Re: require client certificates SSL
am 11.05.2006 13:56:09 von Miha Pihler
I don't really understand this. If they have the certificates -- why would
they log on anonymously?
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
> Is it possible that the users only need the certificate and when they have
> the certificate that then they are logged on anonymous?
>
> Fré
Re: require client certificates SSL
am 11.05.2006 14:13:44 von Frederik Vanderhaeghe
I read your documentation and I still don't know how users can identify
themselves to IIS when they have the certificate (I sent it to them), and
then my partner said I had to ask you this.
Fré
"Miha Pihler [MVP]" wrote in message
news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>I don't really understand this. If they have the certificates -- why would
>they logon anonymously?
>
> --
> Mike
> Microsoft MVP - Windows Security
Re: require client certificates SSL
am 11.05.2006 19:09:35 von Miha Pihler
Hi,
When you configure your IIS server with "Require user certificate", the
server will tell the browser which authentication methods the web server
supports. The browser will then display a list of certificates that are
available for client authentication.
The list would look something like this:
http://freeweb.siol.net/mpihler/user_cert.jpg
If the client does not have any certificates that would enable him/her to log
on to the web server, the browser will either display an empty list or show
"HTTP Error 403.7 - Forbidden: SSL client certificate is required", depending
on the browser or browser configuration.
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>I read your documentation and I still don't know how users can identify
>themselves to IIS when they have the certificate (I send it to them) and
>then my partner said I had to ask you this.
>
> Fré
>
> "Miha Pihler [MVP]" wrote in message
> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>I don't really understand this. If they have the certificates -- why would
>>they logon anonymously?
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" wrote in message
>> news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>> Is it possible that the users only need the certificate and when they
>>> have the certificate that then they are logged on anonymous?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" wrote in message
>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>> No. This would only make users trust CA server which certificate you
>>>> just exported. This would not allow users to authenticate against your
>>>> IIS.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" wrote in
>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>> Is the following method, the right one toe generate the user
>>>>> certificate?
>>>>> - Go to internet explorer on the server
>>>>> - choose for tools --> internet options
>>>>> - go to tab 'content'
>>>>> - click on 'certificates'
>>>>> - go to tab 'trusted root certification authorities'
>>>>> - go to the certificate
>>>>> - choose for 'export'
>>>>> - follow the wizard with default values
>>>>>
>>>>> Then the file is located in the selected folder.
>>>>>
>>>>> Then I would send this file to the user (just the file or is something
>>>>> else needed?)
>>>>>
>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>> certification authorities'
>>>>>
>>>>> And then it would have to work?
>>>>>
>>>>> Fré
>>>>> "Miha Pihler [MVP]" wrote in message
>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>> that you need is user certificate which can't be generated by
>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>> would be different. For the server the intended purpose is "Ensures
>>>>>>>> the identity of a remote computer" and for the client
>>>>>>>> authentication to work it must be "Proves your identity to a remote
>>>>>>>> computer".
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>>> Choose for require client certificates.
>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>> automatically?
>>>>>>>>>
>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>
>>>>>>>>> Would this work?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets that
>>>>>>>>>> e-mail (it doesn't matter how) or hold of those private keys?
>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>> passwords over the phone.
>>>>>>>>>>
>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>>> with private keys to users (again in a safe way). In the end you
>>>>>>>>>>>>>> will also have to think how to make these users trust your CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>>> server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
Re: require client certificates SSL
on 12.05.2006 09:20:08 by Frederik Vanderhaeghe
Don't you mean that when the list is empty the client is not able to log on
to the web server?
I get an empty list, but the certificate is installed on the client pc.
Fré
"Miha Pihler [MVP]" wrote in message
news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> When you configure your IIS server with "Require user certificate" the
> server will tell the browser which authentication methods the web server
> supports. Now the browser will display a list of certificates that are
> available for client authentication.
>
> List would look something like this:
> http://freeweb.siol.net/mpihler/user_cert.jpg
>
> If the client does not have any certificates that would enable him/her to log
> on to the web server, the browser will either display an empty list or show the
> HTTP Error 403.7 - Forbidden: SSL client certificate is required, depending on
> the browser or browser configuration.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>I read your documentation and I still don't know how users can identify
>>themselves to IIS when they have the certificate (I send it to them) and
>>then my partner said I had to ask you this.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" wrote in message
>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>I don't really understand this. If they have the certificates -- why
>>>would they logon anonymously?
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>> Is it possible that the users only need the certificate and when they
>>>> have the certificate that they are then logged on anonymously?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>> No. This would only make users trust the CA server whose certificate you
>>>>> just exported. This would not allow users to authenticate against your
>>>>> IIS.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>> Is the following method the right one to generate the user
>>>>>> certificate?
>>>>>> - Go to internet explorer on the server
>>>>>> - choose for tools --> internet options
>>>>>> - go to tab 'content'
>>>>>> - click on 'certificates'
>>>>>> - go to tab 'trusted root certification authorities'
>>>>>> - go to the certificate
>>>>>> - choose for 'export'
>>>>>> - follow the wizard with default values
>>>>>>
>>>>>> Then the file is located in the selected folder.
>>>>>>
>>>>>> Then I would send this file to the user (just the file or is
>>>>>> something else needed?)
>>>>>>
>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>> certification authorities'
>>>>>>
>>>>>> And then it would have to work?
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>>> that you need is user certificate which can't be generated by
>>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>> working?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>> remote computer".
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>>> check require secure channel (ssl) and require 128-bit
>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>>> automatically?
>>>>>>>>>>
>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>> automatically or would they have to choose a certificate?
>>>>>>>>>>
>>>>>>>>>> Would this work?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> How secure would that be -- if you send clients certificates
>>>>>>>>>>> (with private keys) in an e-mail? What if someone else gets that
>>>>>>>>>>> e-mail (it doesn't matter how) or gets hold of those private keys?
>>>>>>>>>>> Now in my opinion this would be less secure than telling users
>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>
>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>>> formats their computer? How much work do you expect on
>>>>>>>>>>> supporting these users (it depends on number of users). You
>>>>>>>>>>> could talk to administrators of these external users for some
>>>>>>>>>>> help. They could deploy CA chain using group policy.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>> previous article) you have to think how users (or you) will
>>>>>>>>>>>>>>> safely generate requests and then how you will transfer
>>>>>>>>>>>>>>> certificates with private keys to users (again in a safe way).
>>>>>>>>>>>>>>> In the end you will also have to think how to make these
>>>>>>>>>>>>>>> users trust your CA server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
Re: require client certificates SSL
on 12.05.2006 11:10:55 by Miha Pihler
Hi,
Yes -- absolutely. The client will not be able to access the server if he/she
doesn't have a certificate.
You say that you have the certificate. Which one? Does it allow client logon
(does it have the intended purpose "Proves your identity to a remote computer")?
Do you have the private key for this certificate? Where is this certificate
stored on your computer (in which certificate store)?
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
> Don't you mean that when the list is empty the client is not able to log on
> to the web server?
>
> I get an empty list, but the certificate is installed on the client pc.
>
> Fré
> "Miha Pihler [MVP]" wrote in message
> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>> Hi,
>>
>> When you configure your IIS server with "Require user certificate" the
>> server will tell the browser which authentication methods the web server
>> supports. Now the browser will display a list of certificates that are
>> available for client authentication.
>>
>> List would look something like this:
>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>
>> If the client does not have any certificates that would enable him/her to log
>> on to the web server, the browser will either display an empty list or show
>> the HTTP Error 403.7 - Forbidden: SSL client certificate is required,
>> depending on the browser or browser configuration.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" wrote in message
>> news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>I read your documentation and I still don't know how users can identify
>>>themselves to IIS when they have the certificate (I send it to them) and
>>>then my partner said I had to ask you this.
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" wrote in message
>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>I don't really understand this. If they have the certificates -- why
>>>>would they logon anonymously?
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" wrote in
>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>> Is it possible that the users only need the certificate and when they
>>>>> have the certificate that they are then logged on anonymously?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" wrote in message
>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>> No. This would only make users trust the CA server whose certificate you
>>>>>> just exported. This would not allow users to authenticate against
>>>>>> your IIS.
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>> Is the following method the right one to generate the user
>>>>>>> certificate?
>>>>>>> - Go to internet explorer on the server
>>>>>>> - choose for tools --> internet options
>>>>>>> - go to tab 'content'
>>>>>>> - click on 'certificates'
>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>> - go to the certificate
>>>>>>> - choose for 'export'
>>>>>>> - follow the wizard with default values
>>>>>>>
>>>>>>> Then the file is located in the selected folder.
>>>>>>>
>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>> something else needed?)
>>>>>>>
>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>> certification authorities'
>>>>>>>
>>>>>>> And then it would have to work?
>>>>>>>
>>>>>>> Fré
>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>>>> that you need is user certificate which can't be generated by
>>>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>VeriSign?
>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>> working?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>> remote computer".
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>> automatically?
>>>>>>>>>>>
>>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>>> automatically or would they have to choose a certificate?
>>>>>>>>>>>
>>>>>>>>>>> Would this work?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> How secure would that be -- if you send clients certificates
>>>>>>>>>>>> (with private keys) in an e-mail? What if someone else gets
>>>>>>>>>>>> that e-mail (it doesn't matter how) or gets hold of those private
>>>>>>>>>>>> keys?
>>>>>>>>>>>> Now in my opinion this would be less secure than telling users
>>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>>
>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>>>> computers? E.g. in some of my environments users don't have
>>>>>>>>>>>> that kind of permissions on their computers. What will happen
>>>>>>>>>>>> if user formats their computer? How much work do you expect on
>>>>>>>>>>>> supporting these users (it depends on number of users). You
>>>>>>>>>>>> could talk to administrators of these external users for some
>>>>>>>>>>>> help. They could deploy CA chain using group policy.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>> previous article) you have to think how users (or you) will
>>>>>>>>>>>>>>>> safely generate requests and then how you will transfer
>>>>>>>>>>>>>>>> certificates with private keys to users (again in a safe way).
>>>>>>>>>>>>>>>> In the end you will also have to think how to make these
>>>>>>>>>>>>>>>> users trust your CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
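Mike's checklist in the post above (intended purpose, private key, certificate store) and the "two different types of certificates" point from earlier in the thread can be reproduced outside IIS. The script below is an added example and is not code from the thread, from SelfSSL or from Microsoft: it uses the openssl command line to issue a small test CA, one certificate with the server purpose ("Ensures the identity of a remote computer", the only kind SelfSSL produces) and one with the client purpose ("Proves your identity to a remote computer"), and then checks which of the two a browser could offer for client authentication, whether the private key actually belongs to the certificate, and whether the certificate chains to the CA. The subject names, file names and the `WORK` directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two certificate
# "intended purposes" discussed above and check a certificate the way Mike
# suggests. Requires the openssl CLI; all names and paths are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# issue_cert <name> <eku> <subject>: key + CSR, then sign with the test CA.
# The extendedKeyUsage extension is what decides the "intended purpose".
issue_cert() {
    name="$1"; eku="$2"; subj="$3"
    openssl req -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage = %s\nbasicConstraints = CA:FALSE\n' "$eku" \
        > "$WORK/$name.ext"
    openssl x509 -req -days 30 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# make_test_pki: a self-signed root plus one certificate of each purpose.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

    # Server certificate: "Ensures the identity of a remote computer"
    # (serverAuth, OID 1.3.6.1.5.5.7.3.1) - what SelfSSL would give you.
    issue_cert server serverAuth "/CN=www.example.test"

    # Client certificate: "Proves your identity to a remote computer"
    # (clientAuth, OID 1.3.6.1.5.5.7.3.2) - what IIS needs from the user.
    issue_cert client clientAuth "/CN=Frederik Vanderhaeghe"
}

# has_client_auth <cert.pem>: yes if the Extended Key Usage extension lists
# client authentication. openssl prints OID 1.3.6.1.5.5.7.3.2 under its long
# name "TLS Web Client Authentication"; Windows shows it as "Proves your
# identity to a remote computer". Without it the browser offers nothing.
has_client_auth() {
    if openssl x509 -in "$1" -noout -text \
        | grep -q 'TLS Web Client Authentication'; then
        echo yes
    else
        echo no
    fi
}

# key_matches <cert.pem> <key.pem>: yes if the private key belongs to the
# certificate (compares the DER public key derived from each side).
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo yes || echo no
}

# chains_to_ca <cert.pem> <ca.pem>: yes if the certificate verifies against
# the given CA, i.e. the server would accept the issuer once it trusts the CA.
chains_to_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}
```

Source the file and call `make_test_pki`; afterwards `has_client_auth "$WORK/server.pem"` prints `no` and `has_client_auth "$WORK/client.pem"` prints `yes`, which is exactly the difference between the SelfSSL certificate and a usable user certificate. The example generates the client key on the same machine only to stay self-contained; in a real deployment the user should generate the key pair on their own computer and send only the CSR to the CA, which also removes the problem Mike raises about e-mailing private keys.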
Re: require client certificates SSL
on 12.05.2006 11:38:46 by Frederik Vanderhaeghe
Hi,
The certificate is intended for the following purpose(s):
- Ensures the identity of a remote computer
- All issuance policies
So it doesn't have the intended purpose "Proves your identity to a remote
computer". Is there an option in SelfSSL that I have to use so that it does
have the intended purpose, or what can I do so that it has it?
Fré
"Miha Pihler [MVP]" wrote in message
news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Yes -- absolutely. The client will not be able to access the server if he/she
> doesn't have a certificate.
>
> You say that you have the certificate. Which one? Does it allow client
> logon (does it have the intended purpose "Proves your identity to a remote
> computer")? Do you have the private key for this certificate? Where is
> this certificate stored on your computer (in which certificate store)?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>> Don't you mean that when the list is empty the client is not able to log on
>> to the web server?
>>
>> I get an empty list, but the certificate is installed on the client pc.
>>
>> Fré
>> "Miha Pihler [MVP]" wrote in message
>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>> Hi,
>>>
>>> When you configure your IIS server with "Require user certificate" the
>>> server will tell the browser which authentication methods the web server
>>> supports. Now the browser will display a list of certificates that are
>>> available for client authentication.
>>>
>>> List would look something like this:
>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>
>>> If the client does not have any certificates that would enable him/her to
>>> log on to the web server, the browser will either display an empty list or
>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is required,
>>> depending on the browser or browser configuration.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>I read your documentation and I still don't know how users can identify
>>>>themselves to IIS when they have the certificate (I send it to them) and
>>>>then my partner said I had to ask you this.
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>I don't really understand this. If they have the certificates -- why
>>>>>would they logon anonymously?
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>> Is it possible that the users only need the certificate and when they
>>>>>> have the certificate that then they are logged on anonymous?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>> No. This would only make users trust CA server which certificate you
>>>>>>> just exported. This would not allow users to authenticate against
>>>>>>> your IIS.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>> certificate?
>>>>>>>> - Go to internet explorer on the server
>>>>>>>> - choose for tools --> internet options
>>>>>>>> - go to tab 'content'
>>>>>>>> - click on 'certificates'
>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>> - go to the certificate
>>>>>>>> - choose for 'export'
>>>>>>>> - follow the wizard with default values
>>>>>>>>
>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>
>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>> something else needed?)
>>>>>>>>
>>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>>> certification authorities'
>>>>>>>>
>>>>>>>> And then it would have to work?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>> server and this one can be generated by SelfSSL. Second type of
>>>>>>>>> certificates that you need is user certificate which can't be
>>>>>>>>> generated by SelfSSL, but can be issued by any CA server (it can
>>>>>>>>> be your own CA server or Thawte or VeriSign or any other CA
>>>>>>>>> server).
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>VeriSign?
>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>> working?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>>> remote computer".
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>>> automatically?
>>>>>>>>>>>>
>>>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>>>>
>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets
>>>>>>>>>>>>> that e-mail (it doesn't matter how) or hold of those private
>>>>>>>>>>>>> keys?
>>>>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>>> question is will users be allowed to import CA chain onto
>>>>>>>>>>>>> their computers? E.g. in some of my environments users don't
>>>>>>>>>>>>> have that kind of permissions on their computers. What will
>>>>>>>>>>>>> happen if user formats their computer? How much work do you
>>>>>>>>>>>>> expect on supporting these users (it depends on number of
>>>>>>>>>>>>> users). You could talk to administrators of these external
>>>>>>>>>>>>> users for some help. They could deploy CA chain using group
>>>>>>>>>>>>> policy.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>>> previous article) you have to think how users (or you)
>>>>>>>>>>>>>>>>> will safely generate requests and then how you will
>>>>>>>>>>>>>>>>> transfer certificates with private key to users (again in
>>>>>>>>>>>>>>>>> safe way). In the end you will also have to think how to
>>>>>>>>>>>>>>>>> make these users trust you CA server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already
>>>>>>>>>>>>>>>>> trust these CA servers.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft
>>>>>>>>>>>>>>>>>>> Enterprise CA server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/p kienh.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver20 03/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Re: require client certificates SSL
am 12.05.2006 12:51:00 von Miha Pihler
As mentioned in my previous posts, SelfSSL will not allow you to issue a
client authentication certificate (certificate with purpose "Proves your
identity to a remote computer"). If you need certificates with the purpose
"Proves your identity to a remote computer" you will either have to:
- set up a CA server
- buy the client authentication certificate (certificate with purpose
"Proves your identity to a remote computer")
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> The certificate is intended for the following purpose(s):
> - Ensures the identity of a remote computer
> - All issuance policies
>
> So it doesn't have the intending purpose "Proves your identity to a remote
> computer". Is there an option in SelfSSL that I have to use so that it
> does have the intending purpose, or what can I do so that it has it?
>
> Fré
>
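The purpose check Mike describes, shown as an added example that is not from this thread and not from IIS, SelfSSL or any Microsoft tooling: a small program using only Go's standard library builds a constructed test CA, issues one certificate that carries only the server purpose ("Ensures the identity of a remote computer", which is what SelfSSL produces) and one that carries the client purpose ("Proves your identity to a remote computer"), and then runs the chain check a TLS server performs on a presented client certificate when client certificates are required. The CA name, host name and user name are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert creates a certificate for this constructed example. With parent nil
// it is a self-signed CA; otherwise it is a leaf signed by parent carrying
// exactly the given Extended Key Usage (EKU) values. Windows displays
// ExtKeyUsageServerAuth as "Ensures the identity of a remote computer" and
// ExtKeyUsageClientAuth as "Proves your identity to a remote computer".
func makeCert(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root with no EKU restriction
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CanAuthenticateClient applies the check a TLS server makes on a presented
// client certificate: the chain must end at a trusted root and every
// certificate in it must permit the Client Authentication purpose. The same
// purpose test is what a browser applies when deciding which certificates to
// offer, so a server-only certificate never appears in its list.
func CanAuthenticateClient(leaf, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsPurposeMismatch tells a wrong-purpose rejection apart from other chain errors.
func IsPurposeMismatch(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// Scenario issues, from one constructed CA, a server-only certificate and a
// client authentication certificate, and returns the verification result for
// each when it is offered as a client certificate.
func Scenario() (serverOnlyErr, clientErr error, err error) {
	root, rootKey, err := makeCert("Example Test Root CA", nil, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	serverOnly, _, err := makeCert("www.example.test", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	user, _, err := makeCert("Fre", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return CanAuthenticateClient(serverOnly, root), CanAuthenticateClient(user, root), nil
}

func main() {
	serverOnlyErr, clientErr, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("server-only certificate offered as client cert:", serverOnlyErr)
	fmt.Println("client authentication certificate offered as client cert:", clientErr)
}
```

Run with `go run .`: the server-only certificate is rejected with a purpose-mismatch error even though it chains to the trusted root, while the client authentication certificate verifies. This is the same distinction the thread draws between the certificate SelfSSL makes for the site and the one a CA must issue for each user.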
Re: require client certificates SSL
am 12.05.2006 13:48:32 von Frederik Vanderhaeghe
Hi,
It worked!
But when it worked there were 2 different websites on 1 IIS. The second
website needs to be inside the first (Default Web Site), so I made a virtual
directory under it. Now I set the SSL settings again and made a new
certificate, but my 'choose a certificate' list is empty.
Fré
"Miha Pihler [MVP]" wrote in message
news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
> As mentioned in my previous posts, SelfSSL will not allow you to issue a
> client authentication certificate (certificate with purpose "Proves your
> identity to a remote computer"). If you need certificates with the purpose
> "Proves your identity to a remote computer" you will either have to:
> - set up a CA server
> - buy the client authentication certificate (certificate with purpose
> "Proves your identity to a remote computer")
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>> Hi,
>>
>> The certificate is intended for the following purpose(s):
>> - Ensures the identity of a remote computer
>> - All issuance policies
>>
>> So it doesnt have the intending purpose "Proves your identity to a remote
>> computer". Is there an option in SelfSSL that I have to use so that it
>> does have the intending purpose, or what can I do so that it has it?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" wrote in message
>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>> Hi,
>>>
>>> Yes -- absolutely. Client will not be able to access the server if
>>> he/she doesn't have a certificate.
>>>
>>> You say that you have the certificate. Which one? Does it allow client
>>> logon (Does it have intending purpose "Proves your identity to a remote
>>> computer". Do you have the private key for this certificate? Where is
>>> stored this certificate on your computer (in which certificate store).
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>> Don't you mean that when the list is empty that the client is disabled
>>>> to logon to de web server?
>>>>
>>>> I get an empty list, but the certificate is installed on the client pc.
>>>>
>>>> Fré
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> When you configure your IIS server with "Require user certificate" the
>>>>> server will tell the browser which authentication methods the web
>>>>> server supports. Now the browser will display a list of certificates
>>>>> that are available for client authentication.
>>>>>
>>>>> List would look something like this:
>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>
>>>>> If client does not have any certificates that would enable him/her
>>>>> logon to the web server, browser will either display empty list or
>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>> required depending on the browser or browser configuration.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>I read your documentation and I still don't know how users can
>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>I don't really understand this. If they have the certificates -- why
>>>>>>>would they logon anonymously?
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
Re: require client certificates SSL
on 12.05.2006 18:21:58 by Miha Pihler
What worked? What were you able to do?
--
Mike
Microsoft MVP - Windows Security
"Frederik Vanderhaeghe" wrote in message
news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> It worked!
>
> But when it worked there were 2 different websites on 1 IIS. The second
> website should be in the first (Default Web Site), so I made a
> virtual directory under it. Now I set the SSL settings again and made a
> new certificate, but my 'choose a certificate' list is empty.
>
> Fré
>
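As an added illustration that is not part of the thread, the following PowerShell (assuming Windows PowerShell 5.1 or later; the function names are mine) inspects the user's Personal certificate store to show why the 'choose a certificate' list comes up empty: for each certificate it reports the two purposes Miha distinguishes and whether a private key is present, which are the conditions a browser checks before offering a certificate to IIS.

```powershell
# Added example, not code from the thread. Diagnoses the "empty certificate
# list" symptom: lists the certificates in the user's Personal store and
# reports whether each carries the Client Authentication purpose ("Proves
# your identity to a remote computer") and a private key, the two things a
# browser needs before it will offer the certificate to IIS.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # "Ensures the identity of a remote computer" (what SelfSSL issues)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'  # "Proves your identity to a remote computer" (what IIS needs from the client)

function Get-CertificateEkuOids {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The Extended Key Usage extension has OID 2.5.29.37.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return @() }   # no EKU extension: Windows treats the cert as valid for all purposes
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-ClientAuthCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $oids = Get-CertificateEkuOids -Certificate $cert
        $clientAuth = ($oids.Count -eq 0) -or ($oids -contains $ClientAuthOid)
        $notExpired = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            ServerAuth    = $oids -contains $ServerAuthOid
            ClientAuth    = $clientAuth
            HasPrivateKey = $cert.HasPrivateKey
            # The browser offers a certificate only when all of these hold;
            # a SelfSSL certificate fails on ClientAuth, which is why the list is empty.
            Selectable    = $clientAuth -and $cert.HasPrivateKey -and $notExpired
        }
    }
}

Test-ClientAuthCertificate | Format-Table Subject, ClientAuth, ServerAuth, HasPrivateKey, Selectable -AutoSize
```

The server applies one more filter: by default IIS sends the browser the list of issuers it trusts, so a certificate that passes every check above is still not offered when its issuing CA is not trusted on the server, which is why the client certificate has to come from a CA rather than from SelfSSL.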
Re: require client certificates SSL
on 15.05.2006 09:11:53 by Frederik Vanderhaeghe
Hi,
I got the certificate into my certificate list on the client side, and I was
able to log on to the server.
Fré
"Miha Pihler [MVP]" wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to choose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure than telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust your CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
Re: require client certificates SSL
am 15.05.2006 09:37:08 von Frederik Vanderhaeghe
My question now is: is it possible to get an ssl certificate on just a part
of the site? I can only make a certificate on the root site, and that is for
the whole site. I would like to go to the root site with http:// but the
part with SSL with https://
Personally I think it isn't possible, but if it is possible I would like to
know how.
Fré
"Miha Pihler [MVP]" wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> It worked!
>>
>> But when it worked there were 2 different websites on 1 IIS. The second
>> website should need to be in the first (Default Web Site), so I made a
>> virtual directory under it. Now I set again the settings for SSL, made a
>> new certificate, but my choose a certificate list is empty.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" wrote in message
>> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>>> client authentication certificate (certificate with purpose "Proves your
>>> identity to a remote computer"). If you need certificates with purpose
>>> of "Proves your identity to a remote
>>> computer" you will either have to:
>>> - set up CA server
>>> - buy the client authentication certificate (certificate with purpose
>>> "Proves your identity to a remote
>>> computer")
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> The certificate is intended for the following purpose(s):
>>>> - Ensures the identity of a remote computer
>>>> - All issuance policies
>>>>
>>>> So it doesn't have the intended purpose "Proves your identity to a
>>>> remote computer". Is there an option in SelfSSL that I have to use so
>>>> that it does have the intended purpose, or what can I do so that it
>>>> has it?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> Yes -- absolutely. Client will not be able to access the server if
>>>>> he/she doesn't have a certificate.
>>>>>
>>>>> You say that you have the certificate. Which one? Does it allow client
>>>>> logon (Does it have intended purpose "Proves your identity to a
>>>>> remote computer". Do you have the private key for this certificate?
>>>>> Where is stored this certificate on your computer (in which
>>>>> certificate store).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>>> Don't you mean that when the list is empty that the client is
>>>>>> disabled to logon to the web server?
>>>>>>
>>>>>> I get an empty list, but the certificate is installed on the client
>>>>>> pc.
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>>> the server will tell the browser which authentication methods the
>>>>>>> web server supports. Now the browser will display a list of
>>>>>>> certificates that are available for client authentication.
>>>>>>>
>>>>>>> List would look something like this:
>>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>>
>>>>>>> If the client does not have any certificates that would enable him/her to
>>>>>>> log on to the web server, the browser will either display an empty list or
>>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>>> required depending on the browser or browser configuration.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>I read your documentation and I still don't know how users can
>>>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>I don't really understand this. If they have the certificates --
>>>>>>>>>why would they logon anonymously?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>>> against your IIS.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Is the following method the right one to generate the user
>>>>>>>>>>>> certificate?
>>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>>> - go to the certificate
>>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>>
>>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>>> something else needed?)
>>>>>>>>>>>>
>>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted
>>>>>>>>>>>> root certification authorities'
>>>>>>>>>>>>
>>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type
>>>>>>>>>>>>> of certificates that you need is user certificate which can't
>>>>>>>>>>>>> be generated by SelfSSL, but can be issued by any CA server
>>>>>>>>>>>>> (it can be your own CA server or Thawte or VeriSign or any
>>>>>>>>>>>>> other CA server).
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>>> working?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> But would it work if I just make a certificate with
>>>>>>>>>>>>>>>> SelfSSL, then check require secure channel (ssl) and
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to choose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure than telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust your CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
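The certificate purposes quoted in this post (server: "Ensures the identity of a remote computer"; client: "Proves your identity to a remote computer") are the Extended Key Usage extension, which is why a SelfSSL certificate never shows up in the browser's certificate list. The shell script below is an added example, not code from the thread: it issues one test certificate of each kind with the openssl CLI (assumed to be installed) and classifies them by EKU; all names and files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: why a SelfSSL-style server certificate
# cannot answer an IIS "Require client certificates" challenge. The purposes
# quoted in the thread are the Extended Key Usage (EKU) extension:
#   serverAuth = "Ensures the identity of a remote computer" (1.3.6.1.5.5.7.3.1)
#   clientAuth = "Proves your identity to a remote computer" (1.3.6.1.5.5.7.3.2)
# Assumes the openssl CLI is installed; all names and files are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU CN: issue a self-signed test certificate carrying only
# the EKU given (serverAuth, clientAuth, or both) and print the PEM path.
make_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\nextendedKeyUsage = %s\n' "$2" \
        > "$WORK/$1.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -config "$WORK/$1.cnf" -extensions ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.pem"
}

# cert_purpose PEM: print "client", "server", "both" or "none" from the EKU.
# Only "client" or "both" appears in the browser's certificate list and
# satisfies "Require client certificates"; "server" is what SelfSSL produces,
# and "none" means the certificate has no EKU extension at all.
cert_purpose() {
    # openssl prints the EKU names on the line after the extension header
    eku="$(openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}')"
    case "$eku" in
        *"Client Authentication"*"Server Authentication"*|*"Server Authentication"*"Client Authentication"*)
            echo both ;;
        *"Client Authentication"*) echo client ;;
        *"Server Authentication"*) echo server ;;
        *) echo none ;;
    esac
}

SERVER_CERT="$(make_cert server serverAuth www.example.test)"   # like a SelfSSL cert
CLIENT_CERT="$(make_cert client clientAuth fre.example.test)"   # what IIS asks for

echo "server cert purpose: $(cert_purpose "$SERVER_CERT")"   # server
echo "client cert purpose: $(cert_purpose "$CLIENT_CERT")"   # client
```

Run `cert_purpose` against a certificate exported from a user's store before deploying it; a result of "server" explains the empty list or the 403.7 error described in the thread.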
Re: require client certificates SSL
am 15.05.2006 10:59:15 von Frederik Vanderhaeghe
I tried something that I thought should work, but it didn't.
I have a Default Web Site with, under that, 2 other sites: certsrv and
zoekpagina
The settings of Default Web Site for SSL are:
- Require secure channel
- Require 128-bit encryption
- Require client certificates
- Enable client certificate mapping
For the subsites, these properties were also selected automatically.
Zoekpagina has to use SSL but certsrv does not, so I deselected the values in the
certsrv properties window, but certsrv still has to be viewed via
https:// and with a certificate. What needs to be done?
Fré
"Miha Pihler [MVP]" wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" wrote in message
> news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> It worked!
>>
>> But when it worked there were 2 different websites on 1 IIS. The second
>> website should need to be in the first (Default Web Site), so I made a
>> virtual directory under it. Now I set again the settings for SSL, made a
>> new certificate, but my choose a certificate list is empty.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" wrote in message
>> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>>> client authentication certificate (certificate with purpose "Proves your
>>> identity to a remote computer"). If you need certificates with purpose
>>> of "Proves your identity to a remote
>>> computer" you will either have to:
>>> - set up CA server
>>> - buy the client authentication certificate (certificate with purpose
>>> "Proves your identity to a remote
>>> computer")
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" wrote in
>>> message news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> The certificate is intended for the following purpose(s):
>>>> - Ensures the identity of a remote computer
>>>> - All issuance policies
>>>>
>>>> So it doesn't have the intended purpose "Proves your identity to a
>>>> remote computer". Is there an option in SelfSSL that I have to use so
>>>> that it does have the intended purpose, or what can I do so that it
>>>> has it?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" wrote in message
>>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> Yes -- absolutely. Client will not be able to access the server if
>>>>> he/she doesn't have a certificate.
>>>>>
>>>>> You say that you have the certificate. Which one? Does it allow client
>>>>> logon (Does it have intended purpose "Proves your identity to a
>>>>> remote computer". Do you have the private key for this certificate?
>>>>> Where is stored this certificate on your computer (in which
>>>>> certificate store).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" wrote in
>>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>>> Don't you mean that when the list is empty that the client is
>>>>>> disabled to logon to the web server?
>>>>>>
>>>>>> I get an empty list, but the certificate is installed on the client
>>>>>> pc.
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>>> the server will tell the browser which authentication methods the
>>>>>>> web server supports. Now the browser will display a list of
>>>>>>> certificates that are available for client authentication.
>>>>>>>
>>>>>>> List would look something like this:
>>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>>
>>>>>>> If the client does not have any certificates that would enable him/her to
>>>>>>> log on to the web server, the browser will either display an empty list or
>>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>>> required depending on the browser or browser configuration.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>> I read your documentation and I still don't know how users can
>>>>>>>> identify themselves to IIS when they have the certificate (I send it
>>>>>>>> to them) and then my partner said I had to ask you this.
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> I don't really understand this. If they have the certificates --
>>>>>>>>> why would they logon anonymously?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" wrote in
>>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is it possible that the users only need the certificate and that,
>>>>>>>>>> when they have the certificate, they are then logged on anonymously?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> No. This would only make users trust the CA server whose certificate
>>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>>> against your IIS.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>> in message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Is the following method the right one to generate the user
>>>>>>>>>>>> certificate?
>>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>>> - go to the certificate
>>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>>
>>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>>> something else needed?)
>>>>>>>>>>>>
>>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted
>>>>>>>>>>>> root certification authorities'
>>>>>>>>>>>>
>>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>>> types of certificates. The first one is for SSL protection of your
>>>>>>>>>>>>> server and this one can be generated by SelfSSL. The second type
>>>>>>>>>>>>> of certificate that you need is a user certificate, which can't
>>>>>>>>>>>>> be generated by SelfSSL but can be issued by any CA server
>>>>>>>>>>>>> (it can be your own CA server or Thawte or VeriSign or any
>>>>>>>>>>>>> other CA server).
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" wrote
>>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>> I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>> VeriSign?
>>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>>> working?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in message
>>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> But would it work if I just make a certificate with
>>>>>>>>>>>>>>>> SelfSSL, then check require secure channel (ssl) and
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site, would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to choose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would that be -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail? What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> gets hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure than telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>> I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>> the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>> to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>> the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in a safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust your CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
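Added example, not part of this thread and not code from SelfSSL, IIS or any Microsoft tool: a small Go program that models the two checks Miha describes above, using Go's crypto/x509 verifier as a stand-in for what the web server does when "Require client certificates" is on. It builds a constructed lab CA, a self-signed SelfSSL-style server certificate (Server Authentication purpose only), a CA-issued certificate with that same purpose, and a CA-issued certificate with the Client Authentication purpose ("Proves your identity to a remote computer"), and then asks which of them the server would accept. All names in it (Lab Test CA, www.example.test, fre) are made up for the example, and the assumption being illustrated is that IIS applies the same two rules as Go's verifier on the points shown (the issuer must be trusted by the server, and the certificate's Enhanced Key Usage must allow client authentication); it says nothing about IIS internals beyond that.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // only on a broken RNG or DER encoder
	}
}

// mustIssue makes a P-256 key and a certificate for it. A nil parent means self-signed,
// which is how a private root CA and a SelfSSL-style server certificate are both made.
// eku is the Enhanced Key Usage, which the Windows UI shows as "intended purposes".
func mustIssue(cn string, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// HasClientAuthPurpose is the check to make on an exported certificate: does its EKU
// include Client Authentication? A certificate with no EKU extension is unrestricted.
func HasClientAuthPurpose(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// VerifyClientCertificate is the decision behind "Require client certificates": the
// certificate must chain to a trusted CA and be valid for client authentication.
func VerifyClientCertificate(presented *x509.Certificate, trusted *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err // nil means the server accepts the certificate
}

type Outcome struct {
	SelfSignedServerCert error // self-signed, serverAuth EKU: what SelfSSL produces
	IssuedServerAuthOnly error // issued by the trusted CA, but serverAuth EKU only
	IssuedClientAuth     error // issued by the trusted CA with the clientAuth EKU
}

// RunScenario builds a lab CA and the three candidates and checks each as a client cert.
func RunScenario() Outcome {
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	labCA, labKey := mustIssue("Lab Test CA", true, nil, nil, nil) // constructed names throughout
	selfSigned, _ := mustIssue("www.example.test", false, serverAuth, nil, nil)
	issuedServer, _ := mustIssue("www.example.test", false, serverAuth, labCA, labKey)
	issuedClient, _ := mustIssue("fre", false, clientAuth, labCA, labKey)
	trusted := x509.NewCertPool() // the CAs the web server accepts client certificates from
	trusted.AddCert(labCA)
	return Outcome{
		SelfSignedServerCert: VerifyClientCertificate(selfSigned, trusted),
		IssuedServerAuthOnly: VerifyClientCertificate(issuedServer, trusted),
		IssuedClientAuth:     VerifyClientCertificate(issuedClient, trusted),
	}
}

func main() {
	out := RunScenario() // <nil> means the server would accept the certificate
	fmt.Println("SelfSSL-style server cert: ", out.SelfSignedServerCert)
	fmt.Println("CA-issued, serverAuth only:", out.IssuedServerAuthOnly)
	fmt.Println("CA-issued, clientAuth:     ", out.IssuedClientAuth)
}
```

Running it prints a verdict per certificate: the SelfSSL-style certificate is rejected because its issuer is unknown to the server, the CA-issued certificate with only the Server Authentication purpose is rejected for an incompatible key usage even though its issuer is trusted, and only the certificate carrying the Client Authentication purpose is accepted. What the program cannot show is the other half of Miha's answer: a client certificate is only usable together with its private key, which is why copying the CA certificate into users' trusted roots gives them trust in the CA but no way to log on.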