Re: creating multiple client certificates



On Jul 10, 6:09 am, Alastair <Alast...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi All,

We have a requirement to connect a few PCs and Windows Mobile devices across
the internet to an internal webserver. We would like to have SSL connections
and the additional security of client certificates.

We have a CA server (which is also an Exchange server to create certificates
for Outlook Web/Mobile access). We have set up the webserver and enabled SSL
with a server cert from the CA, but now want to enable client certificates
for the internal webserver, so we can distribute to all of the clients.

Can I just make one client cert that I put on all of the clients (if so, how
exactly?), or do I have to connect each client to the CA's Certsrv to get the
client cert? (I don't want to do the client cert/user account mapping).

Any help/advice appreciated.

Many thanks,

Al


I do not understand what you are trying to accomplish with the client
certificate. Based on your description, the certificate does not add
security but does add hassle for you, so I am not certain what you are
trying to accomplish. If you do not map or otherwise validate the
client certificate, then anyone can send anything and simply bypass
this added "security".

Furthermore, to be effective security, a Client Certificate must be
directly presented between the client and the server. The internal server
may go through some NAT layer, which would prevent this scheme from
being secure since to the web server, the traffic is originating from
the NAT, not the end-client. What you'd end up with is SSL certificate
termination at the NAT instead of the internal webserver, which is not the
security improvement you are looking for.

Finally, how to put certificates on a given device depends on the
device. From a security perspective, this process cannot be initiated
by the client, so you have to physically install a certificate onto
the client device -- there is no way for the client to remotely
connect and install the certificate because that is insecure.

In short, I am really wondering about your requirement because as
described, it is not accomplishing its goal of providing additional
security, so I really do not know what is required -- the
certificates, increased security, or something else.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
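
An added example, not part of the original thread: one way a server can map a presented client certificate to an enrolled device, the mapping step discussed in the reply above, and why per-device certificates allow one device to be revoked without affecting the others. It is Python rather than IIS configuration; the serials, device names and CA name are constructed, and `make_server_context`, `authorize` and `sample_cert` are hypothetical helper names.

```python
import ssl

# Constructed enrollment records: certificate serial -> device name.
ENROLLED = {"1001": "pc-frontdesk", "1002": "mobile-07"}
REVOKED = {"1002"}  # constructed: mobile-07 was reported lost
EXPECTED_ISSUER_CN = "Example Internal CA"  # placeholder CA name

def make_server_context(ca_file, cert_file, key_file):
    """TLS context that refuses clients without a cert chaining to ca_file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client cert
    return ctx

def _name_field(rdns, key):
    """Return the first value of `key` from the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def authorize(peercert):
    """Map an already chain-verified peer cert to an enrolled device, or raise."""
    if not peercert:
        raise PermissionError("no client certificate presented")
    if _name_field(peercert.get("issuer", ()), "commonName") != EXPECTED_ISSUER_CN:
        raise PermissionError("unexpected issuer")
    serial = peercert.get("serialNumber", "")
    if serial in REVOKED:
        raise PermissionError("certificate revoked")
    device = ENROLLED.get(serial)
    if device is None:
        raise PermissionError("certificate not enrolled")
    if _name_field(peercert.get("subject", ()), "commonName") != device:
        raise PermissionError("subject does not match enrollment record")
    return device

def sample_cert(serial, cn, issuer=EXPECTED_ISSUER_CN):
    """Constructed stand-in for the dict SSLSocket.getpeercert() returns."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer),),),
            "serialNumber": serial}
```

In a real server, `authorize` would be called with `conn.getpeercert()` after the handshake on a socket wrapped by the context from `make_server_context`.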