Re: Win2k Cert Server

From: Avi Drabkin
Date: 16 Jul 2002 13:54:47 -0700

Found the solution... however it's not documented anywhere I saw!

On Machine 2 go to IE and export the Certificate server's (machine 1)
certificate from the Trusted Root Certificate Authorities. Right click
on the exported file, and choose Install Certificate. Next choose the
option that allows you to manually select which Store to place the
certificate in.

When the list pops up, make sure you check Show Physical Stores at
the bottom. Click the + next to Trusted Root Certificate Authorities
and select Local Computer. THAT'S IT!

It seems that IE knew about my Certificate server, but IIS did not see
it as trusted. Now my IIS server works with my client certificate. I
found this little ASP script on MSDN that will read the properties of
your Client Certificate and display each key:

<H3>Client certificate</H3>
<% ' Loop over every field IIS exposes from the client certificate
   ' (Subject, Issuer, SerialNumber, ValidFrom, ValidUntil, ...) and
   ' write each one on its own line.
   For Each key in Request.ClientCertificate
    Response.Write(key & " = " & Request.ClientCertificate(key) & "<BR>")
   Next %>

Very useful for troubleshooting, and ensuring that IIS is picking up
the certificate! :)

Hope this helps someone!!

AD (Avi Drabkin) wrote in message news:
> Has anyone here played around with the Win2k Cert server? We're trying
> to set up secure web services where we control exactly who comes in to
> our website, by issuing our own Certificates.
> Here's my scenario:
> Machine 1: Certserver
> Machine 2: IIS Server
> Machine 3: Client
> I have successfully issued an SSL cert to Machine 2 from Machine 1. I
> have also downloaded and installed the Certification Path, as well as
> the server revocation list on Machine 2. My Certserver shows up in the
> list of Trusted Certificate Authorities on Machine 2.
> I am able to go to machine 2 via SSL, when I look at the cert,
> everything is peachy.
> Using Machine 3, I get a Client Cert from Machine 1. Verify that it
> has installed properly.
> On Machine 2, I enable Require SSL, and Require Client Cert. I even
> export Machine 3's Client cert, and add it to the 1 to 1 Cert Mapping
> to the Administrator account.
> On Machine 3, whenever I go to the ssl site, it says "This Page
> requires a client Certificate"
> All machines are on a local LAN.... all machines are on separate
> domains, but I don't think that should matter... should it?...
> Any insight would be great!
> Thanks,
> Avi
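The fix above comes down to one point: IE consults the current user's Trusted Root store, while IIS runs as a service and consults the Local Computer store, so a CA that looks trusted in the browser can still be untrusted for the web server. The following PowerShell script is an added example, not part of the original post or of any Microsoft sample: it checks whether the exported CA certificate is present in both stores, imports it into the machine store with certutil if it is missing, and then builds the chain of a client certificate in machine context so the result matches what IIS would see. The file paths are hypothetical, and the script assumes an elevated session on a Windows host with the .NET X509 classes available.

```powershell
# Added example (not from the original post). Checks CA trust the way IIS
# sees it (LocalMachine store) rather than the way IE shows it (CurrentUser).
# Paths below are hypothetical placeholders; run in an elevated session.
param(
    [string]$CaCertPath     = 'C:\temp\certserver-ca.cer',   # exported CA cert (placeholder)
    [string]$ClientCertPath = 'C:\temp\client.cer'           # exported client cert (placeholder)
)

# Returns $true when a certificate with the given thumbprint is in the
# "Trusted Root Certification Authorities" store of the given location.
function Test-RootTrust {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')] [string]$StoreLocation,
        [string]$Thumbprint
    )
    $match = Get-ChildItem "Cert:\$StoreLocation\Root" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$match
}

# Builds the chain for a certificate in machine context (what a service such as
# IIS uses) and reports whether it ends at a trusted root. Revocation checking is
# disabled here so an unreachable CRL does not mask a missing root; enable it
# once the root trust issue is resolved.
function Test-ClientChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)  # $true = machine context
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host ("  chain problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
        }
    }
    return $ok
}

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
Write-Host "CA subject    : $($ca.Subject)"
Write-Host "CA thumbprint : $($ca.Thumbprint)"

$userTrust    = Test-RootTrust -StoreLocation 'CurrentUser'  -Thumbprint $ca.Thumbprint
$machineTrust = Test-RootTrust -StoreLocation 'LocalMachine' -Thumbprint $ca.Thumbprint
Write-Host "Trusted by current user (what IE shows) : $userTrust"
Write-Host "Trusted by local machine (what IIS uses): $machineTrust"

if (-not $machineTrust) {
    # certutil ships with Windows; -addstore Root writes to the machine store
    # (the same place the "Local Computer" physical store in the wizard maps to).
    Write-Host "Importing CA certificate into LocalMachine\Root ..."
    certutil -addstore -f Root $CaCertPath | Out-Null
    $machineTrust = Test-RootTrust -StoreLocation 'LocalMachine' -Thumbprint $ca.Thumbprint
    Write-Host "Trusted by local machine after import   : $machineTrust"
}

if (Test-Path $ClientCertPath) {
    $client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
    Write-Host "Client subject: $($client.Subject)"
    $chainOk = Test-ClientChain -Cert $client
    Write-Host "Client certificate chains to a machine-trusted root: $chainOk"
}
```

Run it once before and once after the import described in the post; the first run should report the CA as trusted by the current user but not by the local machine, which is exactly the mismatch that produces the "This Page requires a client Certificate" error even though IE shows the CA as trusted.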