Re: creating multiple client certificates



On Jul 14, 12:55 am, Alastair <Alast...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Hi David,
thanks for your reply. Perhaps I’m getting the wrong idea of certificates.
I’ll try to explain what we want to do, our setup is as follows: firewall
connected to the internet which allows a port (not 443) through to the port
configured as ssl on the iis server. We want to only allow the 10 or so PCs
and WM6 devices through that we have configured to connect.
This is where we thought that having a client certificate would provide
additional security (by stopping any other pc connecting), i.e. we would
manually install the client cert (only applicable to the iis server) only on
the authorised PCs/WM6 devices. To gain access to the web application, the
user has to enter a username/password, so the client cert does not have to
authenticate the user onto the active directory.
If we use no client cert at all, are we making the IIS server more
vulnerable to any security problems by opening the firewall port through to
that server?

Thanks again for your help, it is much appreciated!

Alastair.


To me, your usage of Client Certificate does not improve security.

By opening the firewall port, you are allowing SSL traffic to IIS.
Client Certificate does not affect any "security problems" due to such
opening.

Client Certificate is something negotiated on that SSL handshake, but
unless something authorizes based on the certificate, providing it is
useless and does not improve security.

IIS Certificate Mapping only performs an authentication mapping -- no
authorization -- so you will need to provide custom code to perform
your custom authorization scheme to lock down access.

Personally, the username/password should be sufficient lockdown to
those users.

The certificate helps lock down further to only those devices, assuming
you've taken care to not allow those certificates to be copied and
transferred between devices.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
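The point David makes above, that IIS certificate mapping authenticates but does not authorize, can be illustrated with a small ASP.NET HttpModule. The code below is an added example written for this thread, not code from either poster or from Microsoft. It assumes IIS is already configured to require a client certificate on the SSL port, so that IIS has negotiated the certificate and validated its chain before the application sees it; the module then does the missing authorization step by comparing the presented certificate's thumbprint against an allow-list of the certificates installed on the authorised PCs/WM6 devices. The thumbprint values, the module name and the 403 response are all assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical per-device authorization module (added example, not from the thread).
// IIS authenticates the client certificate during the SSL handshake; this module
// decides whether that particular certificate is allowed to reach the application.
public class DeviceCertificateAuthorizationModule : IHttpModule
{
    // Constructed placeholder thumbprints. In a real deployment these would be the
    // SHA-1 thumbprints of the client certificates issued to each authorised device,
    // one entry per device, so a certificate copied elsewhere is still only one entry.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000001", // placeholder: PC 1
            "0000000000000000000000000000000000000002"  // placeholder: WM6 device 1
        };

    public void Init(HttpApplication app)
    {
        // Run on every request, not only at login, so the check cannot be bypassed
        // by a session that was established by some other path.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!IsAuthorisedDevice(app.Request.ClientCertificate))
        {
            // Deny without revealing which check failed.
            app.Response.StatusCode = 403;
            app.Response.StatusDescription = "Forbidden";
            app.CompleteRequest();
        }
    }

    // Returns true only when a certificate was presented, IIS reported it as valid
    // (chain built to a trusted root), and its thumbprint is on the allow-list.
    public static bool IsAuthorisedDevice(HttpClientCertificate cert)
    {
        if (cert == null || !cert.IsPresent || !cert.IsValid)
            return false;

        // cert.Certificate is the raw DER bytes of the client certificate.
        X509Certificate2 x509 = new X509Certificate2(cert.Certificate);
        return AllowedThumbprints.Contains(x509.Thumbprint);
    }

    public void Dispose() { }
}
```

The module is registered in web.config under `system.web/httpModules` (or `system.webServer/modules` on IIS 7 integrated pipeline). Pinning thumbprints rather than, say, the issuing CA is deliberate: it limits access to the exact certificates deployed to those devices, which is the "only those devices" property the reply describes, while the username/password login still identifies the user. If a device's certificate is lost or copied, removing its single thumbprint from the list revokes that device without touching the others.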