Re: SSL client certificate authentication

From: David Cross [MS] (
Date: 04/05/03

From: "David Cross [MS]" <>
Date: Fri, 4 Apr 2003 21:12:58 -0800

The list is populated by IE based on the list of root CA certs that the IIS
machine trusts.

David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Neel" <> wrote in message
> Hi All,
> I tried out doing the SSL client certificate authentication in the
> following way as explained  below. But there is some problem and the
> web site doesn't open in the client machine...
> 1> I have installed the stand-alone root CA for generating the
> certificates to be stored in the local machine.
> 2> When I install the microsoft certificate services, the root CA gets
> installed in the trusted  root certificate Authority root store.
> 3> Using the microsoft certificate services web page, i request a
> client and a server  certificate. The server certificate is installed
> in the server machine and gets stored in the  Intermediate CA. The
> client certificate is installed in the client machine and gets stored
> in the  Intermediate CA again.
> 4> Now in the IIS wizard, i go to the directory security tab.
> * In the Anonymous access and authentication control section, i have
> not enabled any of the  authentication methods like Anonymous,
> BAsic,Digest or Integrated windows authentication.
> Here only certificate authentication is needed. So i went to the
> secure communication section to,
> * map a server certificate that i have generated and installed before.
> * I go to the Edit section, enable the Require secure channel and
> Require client certificate.
> * But i don't do any mapping of the client certificate to the windows
> user account.
> I am not doing this mapping because if that happens, then all the
> client certificates have to be  compulsorily placed in the server
> machine,which is not correct.
> I have thought the working of this SSL client cetificate
> authentication this way :-
> a> I  just enable the SSL communication and to accept the client
> certificate in the server.
> b> Get the client certificate in the client PC and install it in the
> Intermediate CA.
> c> Now, when i type https:// address of server>/Test, the server
> certificate should be presented and  later the client authentication
> dialog box has to appear with the client certificate in the list.  But
> here i have a doubt, on what basis does the client certificate gets
> listed in the client  authentication dialog box? Does it have any
> connection with the user?
> Is the mapping of certificate mandatory here?
> Thanx
> Neel