Restrict website access based on certificate
Date: 10/29/03

Date: 29 Oct 2003 01:28:15 -0800

Hi all!

I would like to know how I can restrict access to a specific website
or subdirectory in a website based on certificates.

I have a webbased administration interface for a website that I
administer. This is in a subdirectory on the webserver. This
subdirectory has restricted access based on IP addresses and
passwords, but unfortunately I also have people that need access to
this who are on dynamic IP addresses.

So I would like to just have them install a certificate on their
client machine and have this be the authentication. I am not sure if I
can issue a personal certificate to each client so I can "turn off"
certain clients if I want to.

I am not interested in these certificates being authenticated or
issued by somebody like Verisign. I just want to issue them myself.

What would I need for this scenario? I have a Windows 2003 server
where this runs. The application is programmed in C# and ASP.NET.

I would need to install a Certificate Server on the webserver to issue
certificates, that much I know. But how do I configure IIS to request
the certificates from the clients.

What are the security implications with this approach as opposed to
the IP filter?

All the best, and thank you in advance for your time.