Re: Client Side Certificate

From: Paul Glavich [MVP - ASP.NET]
Date: 05/02/04

Date: Sun, 2 May 2004 22:41:54 +1000

Note that while in theory all these answers are correct, setting up your own
CA and issuing your own client certs does have its quirks. Firstly, you need
to make sure that the Certificate Revocation List (CRL) is installed on
the web server that you are using your client certs against. Failure to do
this will mean that the server cannot access the CRL via the internet (I am
assuming it's not internet visible) and so will not be able to access the CRL
to see if the client cert has been revoked. In this scenario, it assumes all
certs are invalid and rejects everything. We spent some time just figuring
this little trick out. Also, make sure you set up a certificate trust list
so that the server "trusts" your self-signed CA certs and therefore also
accepts client certs from your CA.

Finally, if running Win2k, make sure any hotfixes have *all* dependent fixes
installed, or that the Win2k box is up to SP3 or above. In one instance, our
server team had installed a series of patches, except one, and this omission
also caused the server to reject all client certs. Yet more weeks of time
debugging this.

I guess what I am trying to say is that in each case, the same error (client
certificate revoked) was shown even though the problem resolution was
different. It can be a lot trickier than you realise, but certainly possible
to get going.

- Paul Glavich
Microsoft MVP - ASP.NET
"A.M" <> wrote in message
> Thanks for help.
> Those 60 clients are our employees, so we define who they trust! They are
> mobile users and they use the internet to connect to the office.
> Do we need to open that certificate server to public internet?
> Allan
> "" <> wrote
> in message
> > One option is to set up your own Certificate Server and issue your own
> certificates.  This is an install option in Windows 2000 Server and
> later. (Perhaps in earlier OSs but this is what I'm running.)  This is
> if the 60 clients have reason to "trust" your organization as a root
> certificate authority.  You can also issue your own server certificate as
> well.  This works well if trust is established with your clients.  This
> whole scheme depends upon the degree of trust in the certificate
> if you don't trust the CA, don't install their certificates!
> >
> > Eagle
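Paul's point above, that a missing CRL and a revoked cert both end in the same rejection, can be reproduced with a throwaway private CA. The script below is an added lab example, not code from this thread or from any of its posters; it assumes the `openssl` CLI is installed and uses `openssl verify -crl_check` to stand in for a server doing CRL checks (the config sections, file names and the `verify_client` helper are all constructed for this example).

```shell
# Added lab script, not code from the thread: a throwaway private CA built with the
# openssl CLI, one client cert, and `openssl verify -crl_check` playing the server.
set -e; WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
touch index.txt; echo 01 > serial
# Self-signed root, client key/CSR, client cert signed by the lab CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Lab Root CA" -days 30 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client01" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext 2>/dev/null
# One CRL while the cert is still good, then revoke it and issue a second CRL.
openssl ca -config ca.cnf -gencrl -out crl_before.pem 2>/dev/null
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl_after.pem 2>/dev/null
# verify_client CERT [CRL]: the verdict a CRL-checking server would reach.
verify_client() {
  out="$(openssl verify -crl_check -CAfile ca.pem ${2:+-CRLfile "$2"} "$1" 2>&1)" || true
  case "$out" in
    *": OK"*)                          echo OK ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;   # CRL not installed/reachable
    *"certificate revoked"*)           echo REVOKED ;;
    *)                                 echo "OTHER: $out" ;;
  esac
}
echo "no CRL installed  : $(verify_client client.pem)"
echo "CRL, not revoked  : $(verify_client client.pem crl_before.pem)"
echo "CRL, cert revoked : $(verify_client client.pem crl_after.pem)"
```

Only the middle case accepts the cert; the first and third both reject it, which is why the same "rejected" symptom on the server needs the CRL's reachability checked before assuming the cert itself was revoked.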