Client certificate beginners help!

on 24.09.2007 11:36:41 by zzgfzldv

Hi

I am new to understanding certificates and I have looked at a mass of
information on the web, but I am still not clear as to what I need to
progress.

We have created a web application, which is to be accessed by our
clients (about 10). We have purchased a server certificate from
Verisign so the website is accessed over SSL. The clients need to
log in to the website using a userid/password etc.; however, we would like
a further security mechanism such as a client certificate.

The idea would be to issue each client with a certificate on a CD
which would be unique to that client, which they would then install.

I have created a CA server which is separate from our web server. I
installed this as a standalone Root CA. I can then browse to
http://caserver/certserv and request an advanced certificate which I
complete with the client's details. I can then import this certificate
into Internet Explorer certificates under the Personal tab.

I am sure there is more I need to do, but am not sure where to start.
I have heard about Chains, and using a company certificate to sign
your own, but am not sure how to go about doing this.

Any help would be appreciated.

Many thanks in advance.

Re: Client certificate beginners help!

on 25.09.2007 10:32:33 by David Wang

Actually, you have all of the pieces correct. The only thing you have
to do is to install the public key of your CA server's signing key
into the Trusted Root store of your Web Server. You can easily obtain
this public key from the CA server by downloading the CER/PVK file
containing the "complete trust chain" instead of just the CER file at
the end.

Here's the quick explanation of what's going on:
1. Your CA server has a web site which issues client certificates
signed with the CA server's private key.
2. You import this signed client certificate onto the web browser's
machine, which allows it to be sent as client certificate for SSL
authentication
3. When the server gets this client certificate, it NEEDS to trust the
public key which signs the client certificate -- this trust is what
allows the server to believe that the client is who they say they are,
which is the point of Client Certificate Authentication.

You've already done #1 and #2. Step #3 requires that you install the
public key of the CA server's signing key into the Trusted Root store
of your web server to complete the trust chain.

You don't need company certificates, nor chains, etc. Yes, they can
establish the same missing trust as above but through a different
route. I'm just telling you the most direct route which costs nothing
because it is the cheapest, hassle-free way to correctly complete the
trust that you need for SSL Client Certificate Authentication.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
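David's three steps carried through in code, as an added example that is not part of this thread and not the poster's or Microsoft's code: Go's crypto/x509 stands in for the Windows certificate stores, and the CA name, the client name and the function names are constructed here. The server's check passes only once the CA's own certificate has been added to its trusted root pool, which is exactly the step the reply says is missing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for tmpl and has signer (the parent CA's private key) sign it; nil signer = self-signed root.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if signer == nil { signer = key } // a standalone root CA signs its own certificate
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// BuildCAAndClient is steps 1 and 2: the root CA issues one client certificate signed with the CA's private key (names constructed).
func BuildCAAndClient() (root, client *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Standalone Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, caKey := issue(caTmpl, caTmpl, nil)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client-01"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // usable for client auth only
	}
	client, _ = issue(clientTmpl, root, caKey) // the client's private key is what would travel on the CD
	return root, client
}

// ServerAccepts is step 3: the server believes the client only if the chain ends at a CA in its trusted root store.
func ServerAccepts(client *x509.Certificate, trustedRootStore *x509.CertPool) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: trustedRootStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil // any error (unknown authority, expired, wrong usage) means reject
}

func main() {
	root, client := BuildCAAndClient()
	empty, withCA := x509.NewCertPool(), x509.NewCertPool() // empty pool = nothing installed in Trusted Root
	withCA.AddCert(root) // the missing manual step: install the CA's certificate as a trusted root
	fmt.Println("CA not installed:", ServerAccepts(client, empty), "| CA installed:", ServerAccepts(client, withCA))
}
```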

Re: Client certificate beginners help!

on 26.09.2007 12:38:51 by zzgfzldv

Many thanks for your reply David. It makes sense in theory, however
could you please explain to me how I download the public key from the
CA server as I cannot find the option.

Sorry to seem thick!!!

Re: Client certificate beginners help!

on 27.09.2007 07:59:28 by David Wang

Actually, the public key is very easy to obtain.

Double click on the Client Certificate CER file that you've downloaded.
Navigate to "Certification Path" tab and click on the root certificate
(it's going to have a red X through it since it's not trusted). View
that Certificate, then choose to Install Certificate.

It'd be analogous to intentionally doing the installation. With
Microsoft Cert Server, I paste in the filename of the advanced request
that I generated and hit "next". I arrive at /certsrv/certfnsh.asp
which issues the client certificate to me. At that point, I have two
options:
- Download certificate
- Download certificate chain

Choose to download the certificate chain, and it will come with the
public key of the CA Server that you need.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Client certificate beginners help!

on 28.09.2007 17:27:36 by zzgfzldv

Awwwww I'm really not having much luck with this! I think I followed
the instruction below but while I no longer get the red X, I get an
error when I try and access the website (the standard Internet
Explorer cannot display webpage).

Going back a step, on the client machine, should the certificate be
installed into the personal tab or the Other People tab?

I think what I really need is a step-by-step idiots guide! Is such a
thing available?

Re: Client certificate beginners help!

on 29.09.2007 08:16:44 by David Wang

The client certificate needs to be installed into the personal tab.

The public key of the CA needs to be installed into the trusted root
tab.

Please clarify the exact error that results in the IE Friendly Error
page. Either turn off IE's "Show Friendly HTTP Errors" option, or
report the log entry on your web server which corresponds to the
failing response.

There are probably step-by-step guides available, but I haven't needed
any of them so I don't know of any.

Certificate stuff tends to be hard because everything needs to be
perfect.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Client certificate beginners help!

on 02.10.2007 13:02:28 by zzgfzldv

Thanks for your help so far David, I think I am almost there! I have
managed to get it working, however now trying to reproduce it on
another machine I am still having problems.

I am finding importing the client certificate into the personal tab
hit and miss: sometimes it goes in, but most of the time it doesn't. I
can't work out why it does sometimes and not others. Is this to do
with the way I have created the certificate, or the way I am importing
it, or something else?

Many thanks

Re: Client certificate beginners help!

on 02.10.2007 23:49:16 by David Wang

Those are all factors. If you want something to be reproducible, then
you have to limit the variations. Doing things by hand can introduce
human variations (i.e. errors).

You can write simple automation code to consistently load and install
certificates into the right store, so that problem can be eliminated.

You can write XEnroll automation code against your CA to consistently
create the certificates that you need, so that problem can also be
eliminated.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Client certificate beginners help!

on 03.10.2007 10:45:10 by zzgfzldv

But should it simply be a case of right clicking on the client
certificate and selecting install certificate and then selecting
personal store (on the client machine)?

Re: Client certificate beginners help!

on 04.10.2007 01:42:51 by David Wang

I've never installed it that way so I can't say.

I can only say that I've only used automation to install certificates,
and it's never given me the random results that you are having.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//