Web Service security using client certificate and IIS client certi

on 04.08.2006 01:43:02 by Andrei Johann

First, excuse my English, I am not a native speaker ;-)) … here we go …

I have developed a Web Service and configured it (IIS 6.0) to require SSL and
a client certificate to be accessed.

I've generated three certificates (a chain), in order to reproduce the
process of web authentication with certificates.

A self-signed root CA certificate was generated (CN = AC RAIZ NOVO), an
intermediate CA certificate (CN = AC INTERMEDIARIA NOVO) signed with the root
certificate, and an end-entity certificate (CN = ANDREI NOVO:77777777777777)
signed with the intermediate certificate. (The generated certificates are
attached in the .zip file.)

I've installed the chain in the Local Computer store on the web server
running the Web Service, so I would be able to present my client
certificate (CN = ANDREI NOVO:77777777777777) to establish the trusted
connection …

I have also created the CRL files issued (signed) by the CA certificates (CN = AC
RAIZ NOVO and CN = AC INTERMEDIARIA NOVO), and made them
available at the address configured in the CRLDistributionPoints extension
of the certificates … The client end-entity certificate (CN = ANDREI
NOVO:77777777777777, Serial Number = 33 33) was added to the CRL file of the CA
(CN = AC INTERMEDIARIA NOVO).

Because the client certificate (CN = ANDREI NOVO:77777777777777) is present
in the certificate revocation list issued by its issuer (CN = AC
INTERMEDIARIA NOVO), and this CRL is pointed to by the CRLDistributionPoints
certificate extension, it was expected to be refused when it tries to access
the resource, but that does not happen. This behavior occurs only with the
certificates I have generated.

With other (REVOKED) client certificates, the IIS service blocks access
to the resource (Web Service) …

I have also tried not publishing any CRL file at the address configured
in the CRLDistributionPoints certificate extension, to see if the IIS service
blocks this certificate, but I did not have success.

In both situations, I expected to receive HTTP 403.13 - Forbidden:
Client certificate revoked, but access to the Web Service is granted.

Maybe I am generating the certificate or CRL in an incorrect format, I
don't know … but I thought that IIS should deny access for invalid
certificates anyway …

The IIS web server, where the accessed Web Service is hosted, is configured
to check the CRL (Certificate Revocation List), and it really does so with
other certificates …

If somebody could help me solve this problem I would be very thankful …

See attachments … (Oops … Is there a way of posting an attachment here?)
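The chain and CRL from the post, rebuilt as an added Go example (not the poster's files, and nothing IIS ships) to show the checks a relying party performs before honouring a CRL, and how each situation described in the post comes out: an issuer CRL listing serial 33 33 (revoked), the same entry in a CRL signed by the root rather than the issuer (unusable), an issuer CRL listing a different serial (good), and an issuer CRL past its nextUpdate (unusable). The CN values mirror the post; the keys, validity periods, CRL number and the CRL distribution point URL are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Three outcomes of a CRL check; a relying party that treats Unknown as Good fails open.
const Good, Revoked, Unknown = "good", "revoked", "unknown"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

type Chain struct { // the post's hierarchy; every key and certificate is constructed here
	Root, Inter, Leaf *x509.Certificate
	RootKey, InterKey *ecdsa.PrivateKey
}

// issue generates a P-256 key, has signer sign tmpl (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// caTmpl is a CA template permitted to sign both certificates and CRLs (crlSign is required).
func caTmpl(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		SubjectKeyId: []byte{byte(serial)}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// BuildChain mirrors the post: root -> intermediate -> end entity with serial 33 33 (hex).
func BuildChain(now time.Time) Chain {
	root, rootKey := issue(caTmpl("AC RAIZ NOVO", 1, now), nil, nil)
	inter, interKey := issue(caTmpl("AC INTERMEDIARIA NOVO", 2, now), root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(0x3333),
		Subject: pkix.Name{CommonName: "ANDREI NOVO:77777777777777"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{"http://crl.example.invalid/intermediaria.crl"}, // placeholder URL
	}, inter, interKey)
	return Chain{root, inter, leaf, rootKey, interKey}
}

// MakeCRL issues a CRL signed by issuer that lists one serial as revoked, valid for 12 hours.
func MakeCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, serial *big.Int) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}}}, issuer, key)
	must(err)
	return der
}

// CheckRevocation: confirm the CRL names the certificate's issuer, verify that issuer's
// signature on it, confirm the CRL is current, and only then look for the serial number.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return Unknown, err
	}
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return Unknown, fmt.Errorf("CRL issuer is not the certificate's issuer")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return Unknown, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return Unknown, fmt.Errorf("CRL outside its thisUpdate/nextUpdate window")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return Revoked, nil
		}
	}
	return Good, nil
}

func main() {
	now := time.Now()
	c := BuildChain(now)
	for name, crl := range map[string][]byte{
		"issuer CRL listing 33 33":   MakeCRL(c.Inter, c.InterKey, now, c.Leaf.SerialNumber),
		"same entry signed by root":  MakeCRL(c.Root, c.RootKey, now, c.Leaf.SerialNumber),
		"issuer CRL listing 33":      MakeCRL(c.Inter, c.InterKey, now, big.NewInt(0x33)),
		"issuer CRL past nextUpdate": MakeCRL(c.Inter, c.InterKey, now.Add(-48*time.Hour), c.Leaf.SerialNumber),
	} {
		status, err := CheckRevocation(c.Leaf, c.Inter, crl, now)
		fmt.Printf("%-27s -> %s (%v)\n", name, status, err)
	}
}
```

The example takes the CRL as DER bytes; Go's standard library does not fetch it from the CRLDistributionPoints URL, so that fetch is the caller's job. The result to watch is Unknown: a CRL that cannot be fetched, is signed by the wrong CA or is past its nextUpdate is not evidence that the certificate is good, and a checker that reports Good in that case fails open. When a hand-built CRL is being ignored, the two things to compare first are the serial number encoding in the CRL entry against the certificate (33 versus 33 33 is a different entry) and whether the CRL is signed by the same CA key that signed the certificate.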