Re: Win2k Cert Server

From: Avi Drabkin (adrabkin@gte.net)
Date: 07/16/02


From: adrabkin@gte.net (Avi Drabkin)
Date: 16 Jul 2002 13:54:47 -0700


Found the solution... however it's not documented anywhere I saw!

On Machine 2 go to IE and export the Certificate server's (Machine 1)
certificate from the Trusted Root Certificate Authorities. Right click
on the exported file, and choose Install Certificate. Next choose the
option that allows you to manually select which Store to place the
certificate in.

When the list pops up, make sure you check the Show Physical Stores at
the bottom. Click the + next to Trusted Root Certificate Authorities
and select Local Computer. THAT'S IT!

It seems that IE knew about my Certificate server, but IIS did not see
it as trusted. Now my IIS server works with my client certificate. I
found this little ASP script on MSDN that will read the properties of
your Client Certificate and display each key:

<HTML>
<HEAD>
</HEAD>
<BODY>
SECURED DOCUMENT<br><br>
<H3>Client certificate</H3>
<% ' Print every field IIS parsed from the presented client certificate
   For Each key in Request.ClientCertificate
       Response.Write(key & " = " & Request.ClientCertificate(key) & "<BR>")
   Next %>
</BODY>
</HTML>

Very useful for troubleshooting, and ensuring that IIS is picking up
the certificate! :)

Hope this helps someone!!

----
AD
adrabkin@gte.net (Avi Drabkin) wrote in message news:<a807ff47.0207151031.7aaccc93@posting.google.com>...
> Has anyone here played around with the Win2k Cert server? We're trying
> to set up secure web services where we control exactly who comes in to
> our website, by issuing our own Certificates.
>  
> Here's my scenario:
>  
> Machine 1: Certserver
> Machine 2: IIS Server
> Machine 3: Client
>  
> I have successfully issued an SSL cert to Machine 2 from Machine 1. I
> have also downloaded and installed the Certification Path, as well as
> the server revocation list on Machine 2. My Certserver shows up in the
> list of Trusted Certificate Authorities on Machine 2.
>  
> I am able to go to machine 2 via SSL, when I look at the cert,
> everything is peachy.
>  
> Using Machine 3, I get a Client Cert from Machine 1. Verify that it
> has installed properly.
>  
> On Machine 2, I enable Require SSL, and Require Client Cert. I even
> export Machine 3's Client cert, and add it to the 1 to 1 Cert Mapping
> to the Administrator account.
>  
> On Machine 3, whenever I go to the ssl site, it says "This Page
> requires a client Certificate"
>  
> All machines are on a local LAN.... all machines are on separate
> domains, but I don't think that should matter... should it?...
> 
> Any insight would be great!
> Please send responses to adrabkin@gte.net
> 
> Thanks,
> Avi
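
Added example, not part of the original post: a PowerShell check for the condition the reply describes, where the issuing CA is trusted for the logged-on user (so IE accepts it) but is missing from the Local Computer root store that IIS consults. The file path and parameter names are assumptions; the cmdlets are the modern equivalent of the certificate import wizard steps above.

```powershell
# Added example, not from the original post.
# Assumption: $CaCertPath is a hypothetical path to the CA certificate
# exported from Machine 1 (the certificate server).
param(
    [string]$CaCertPath = 'C:\temp\certserver-root.cer',
    [switch]$Import   # add the CA to the machine store; needs an elevated prompt
)

$path  = (Resolve-Path -LiteralPath $CaCertPath).ProviderPath
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
$thumb = $ca.Thumbprint

# The per-user view also lists machine-wide roots, so the failing case is
# "present for the user, absent for the machine".
$inUser    = Test-Path -LiteralPath "Cert:\CurrentUser\Root\$thumb"
$inMachine = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$thumb"

"CA subject : $($ca.Subject)"
"Thumbprint : $thumb"
"Valid until: $($ca.NotAfter)"
"CurrentUser\Root : $inUser"
"LocalMachine\Root: $inMachine"

if ($inMachine) {
    'Machine store trusts this CA; services such as IIS can build the client certificate chain.'
}
elseif ($inUser) {
    'CA is trusted for this user only. The browser is satisfied, but IIS is not.'
}
else {
    'CA is not in any root store on this machine.'
}

if ($Import -and -not $inMachine) {
    # Every service on the machine will trust this root afterwards, so compare
    # the thumbprint printed above with the one shown on the CA itself first.
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported $thumb into LocalMachine\Root."
}
```

Run it on Machine 2 without -Import first to confirm the diagnosis, then rerun with -Import from an elevated prompt once the thumbprint has been checked.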

