Re: How do you create client certificates?



Hi David,

Thanks again for your help, and forgive my ignorance, but how do I actually
create the client certificate for the user from the CA? When I select User
Certificate in Certsrv it only seems to give an option for 'exchange' as
certificate usage. I've the resulting certificate on the client machine to
connect to the website, but it just gives me an empty box to choose the
certificate?

Thanks,
Alastair

"David Wang" wrote:

You can issue Client Certificates from your CA. And only enable
ClientCertificate-based Authentication on the IIS website that you
want the external users to access.

And set up your IIS website which uses Client Certificate-based
Authentication to Require Client Certificates. IIS supports Client
Certificate Mapping Authentication where you map each Client
Certificate to individual AD User accounts, and thereafter ACL
everything according to the AD User accounts.

You control which websites have this ClientCertificate mapping
enabled, so even when they take that client certificate elsewhere to
your Exchange Server or other websites which don't have Client
Certificate-based authentication enabled, it won't have the mapping
for any AD User accounts, and they'll need to provide real user
credentials for access.

If you want to do customized Client Certificate-based Authentication
mapping, you will have to write your own extensibility module.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Jun 3, 8:14 am, Alastair <Alast...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi David,
Thanks for your reply. The way we have it, our CA server is also our
Exchange server, and we have a second server which is the SSL website. I
would like to have client certificates to send out for the website users
(external to our company) to use as an additional security measure, but would
like the user certificates to be specific to that server - i.e. they can't use
those certificates to access our Exchange server's site, or any other SSL
sites we plan to publish.

Is this possible? And do I still get the client certificates from the CA
server?

Many thanks.
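
Added example, not part of the original thread: the per-site scoping David describes, written as an applicationHost.config fragment. It assumes IIS 7 or later with the IIS Client Certificate Mapping Authentication feature installed; the site names, account, password and certificate values are placeholders.

```xml
<!-- Added example. Assumes the IIS 7+ configuration schema.
     ExternalSite, OtherSite, EXAMPLE\ext-user1 and both PLACEHOLDER
     values are hypothetical and must be replaced. -->
<configuration>

  <!-- The one site external users reach: client certificate required and mapped. -->
  <location path="ExternalSite">
    <system.webServer>
      <security>
        <!-- Require SSL and reject any request that presents no client certificate. -->
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <iisClientCertificateMappingAuthentication enabled="true"
              oneToOneCertificateMappingsEnabled="true">
            <oneToOneMappings>
              <!-- One entry per issued certificate. "certificate" is the Base64
                   encoding of the public certificate on a single line.
                   Set the password through IIS tooling so it is stored encrypted. -->
              <add enabled="true"
                   userName="EXAMPLE\ext-user1"
                   password="PLACEHOLDER"
                   certificate="BASE64-CERTIFICATE-PLACEHOLDER" />
            </oneToOneMappings>
          </iisClientCertificateMappingAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- Any other site: mapping is off, so the same certificate resolves to
       no account here and users must supply real credentials. -->
  <location path="OtherSite">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <iisClientCertificateMappingAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

</configuration>
```

Revoking one external user's access is then a matter of setting enabled="false" on that user's mapping entry or disabling the mapped account.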

