Re: IIS 6 behavior on checking clients' certificates (again)

From: Bernard Cheah [MVP] (qbernard_at_hotmail.com.discuss)
Date: 09/19/05


Date: Mon, 19 Sep 2005 16:09:26 +0800

So you skipped installing the whole cert chain?
Was it due to CRL expiration?

-- 
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/
"Vsevolod" <Vsevolod@discussions.microsoft.com> wrote in message 
news:2EF41538-1B82-4885-94EA-BD1E288160E4@microsoft.com...
> Hello, Brian !
>
> "Brian Komar [MVP]" wrote:
>> >
>> Run two tests for me:
>>
>> At the client, run certutil -verify -urlfetch <certfile>
>> against the Web server certificate as the certfile.
>>
>> Do the same test at the Web server against the client certificate as the
>> certfile.
>>
>> Post the output.  You may have to load the 2k3 Adminpak at both the IIS
>> 6.0 server and at the XP client to run the command. My bet is that,
>> because you used the default configuration, there are issues with the
>> AIA and CDP extensions.
>  Brian, you won :) I'm a fool :(
>  After I ran certutil at the Web server against the client
> certificate, I saw that almost everything is OK except for an expired Delta CRL
> for the client certificate issuer. After publishing a new one, my problem
> disappeared.
>
>   I'm very grateful to you for your assistance.
>
>   My conclusions:
>   1. IIS 6 requires mandatory CDP & AIA certificate extensions for correct
> certificate chain building, while IIS 5 doesn't.
>   2. All base & Delta CRLs have to be valid and not expired.
>
>   Am I right?
>
>
> BR,
> Vsevolod. 
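The check that `certutil -verify -urlfetch` surfaced in the thread (a base CRL that is fine and a delta CRL whose "Next Update" has passed) can be reproduced offline. The script below is an added example and not code from the thread or from Microsoft: it is plain Python standard library, builds constructed sample CRLs with a zero-filled signature (so signatures are not verified, only the thisUpdate/nextUpdate windows and the cRLNumber/deltaCRLIndicator extensions), and applies conclusion #2 above: every base and delta CRL in the set must be inside its validity window before the chain can be considered usable. The issuer name, serial numbers, CRL numbers and dates are all constructed; the clock is pinned to the day of the post.

```python
"""Added example: freshness check for a base + delta CRL set with a minimal DER
parser. Sample CRLs are constructed here with a dummy signature; signatures are
NOT verified, only validity windows and CRL-number extensions."""
from datetime import datetime, timezone

OID_CRL_NUMBER = bytes.fromhex("551d14")       # 2.5.29.20 cRLNumber
OID_DELTA_INDICATOR = bytes.fromhex("551d1b")  # 2.5.29.27 deltaCRLIndicator
OID_CN = bytes.fromhex("550403")               # 2.5.4.3  commonName

# ---- minimal DER writer, only used to build the constructed sample CRLs ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def der_int(v):                      # non-negative INTEGER, sign bit kept clear
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_utctime(dt):                 # UTCTime: YYMMDDHHMMSSZ
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_crl(issuer_cn, this_update, next_update, number, base_number=None, revoked=()):
    """Constructed CertificateList; the signature BIT STRING is zero-filled."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, issuer_cn.encode()))))
    exts = der(0x30, der(0x06, OID_CRL_NUMBER) + der(0x04, der_int(number)))
    if base_number is not None:      # delta CRLs carry a critical deltaCRLIndicator
        exts += der(0x30, der(0x06, OID_DELTA_INDICATOR) + der(0x01, b"\xff") + der(0x04, der_int(base_number)))
    tbs = der_int(1) + alg + name + der_utctime(this_update) + der_utctime(next_update)
    if revoked:                      # revokedCertificates: serial + revocationDate per entry
        tbs += der(0x30, b"".join(der(0x30, der_int(s) + der_utctime(this_update)) for s in revoked))
    tbs += der(0xA0, der(0x30, exts))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 33))

# ---- minimal DER reader for the fields a freshness check needs ----
def _tlv(buf, pos=0):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                            # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    s = val.decode()
    if tag == 0x17:                  # UTCTime: two-digit year, 50..99 means 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(blob):
    _, cert_list, _ = _tlv(blob)
    _, tbs, _ = _tlv(cert_list)
    items = _children(tbs)
    i = 3 if items[0][0] == 0x02 else 2              # skip optional version, sig alg, issuer
    info = {"this_update": _time(*items[i]), "next_update": None,
            "revoked": [], "crl_number": None, "base_crl_number": None}
    i += 1
    if i < len(items) and items[i][0] in (0x17, 0x18):   # optional nextUpdate
        info["next_update"], i = _time(*items[i]), i + 1
    if i < len(items) and items[i][0] == 0x30:           # optional revokedCertificates
        info["revoked"] = [int.from_bytes(_children(e)[0][1], "big") for _, e in _children(items[i][1])]
        i += 1
    if i < len(items) and items[i][0] == 0xA0:           # [0] EXPLICIT crlExtensions
        for _, ext in _children(_children(items[i][1])[0][1]):
            parts = _children(ext)                       # [OID, (critical), OCTET STRING]
            n = int.from_bytes(_children(parts[-1][1])[0][1], "big")
            if parts[0][1] == OID_CRL_NUMBER:
                info["crl_number"] = n
            elif parts[0][1] == OID_DELTA_INDICATOR:
                info["base_crl_number"] = n
    return info

def crl_status(info, now):
    if now < info["this_update"]:
        return "not yet valid"
    if info["next_update"] is not None and now > info["next_update"]:
        return "expired"
    return "valid"

def check_crl_set(blobs, now):
    """Every base and delta CRL must be inside its validity window, and each delta
    must match a base CRL whose cRLNumber is at least the delta's BaseCRLNumber."""
    infos = [parse_crl(b) for b in blobs]
    bases = [c for c in infos if c["base_crl_number"] is None]
    report, ok = [], True
    for c in infos:
        kind, status = "base", crl_status(c, now)
        if c["base_crl_number"] is not None:
            kind = "delta"
            if not any(b["crl_number"] >= c["base_crl_number"] for b in bases):
                status = "no matching base"
        report.append((kind, c["crl_number"], status))
        ok = ok and status == "valid"
    return ok, report

# Constructed sample data (hypothetical issuer, serials and dates); clock pinned to the thread's day.
NOW = datetime(2005, 9, 19, 8, 9, 26, tzinfo=timezone.utc)
_utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
BASE = build_crl("Example Issuing CA", _utc(2005, 9, 1), _utc(2005, 10, 1), number=10, revoked=(4711,))
STALE_DELTA = build_crl("Example Issuing CA", _utc(2005, 9, 10), _utc(2005, 9, 11), number=11, base_number=10)
FRESH_DELTA = build_crl("Example Issuing CA", _utc(2005, 9, 18), _utc(2005, 9, 25), number=12, base_number=10, revoked=(4712,))

def before_republish():              # the situation in the thread: delta CRL expired
    return check_crl_set([BASE, STALE_DELTA], NOW)

def after_republish():               # after a fresh delta CRL has been published
    return check_crl_set([BASE, FRESH_DELTA], NOW)
```

`before_republish()` returns `(False, [("base", 10, "valid"), ("delta", 11, "expired")])`, which is the state the thread describes: the base CRL is fine, the delta has lapsed, and a verifier that honours delta CRLs refuses to build the chain. `after_republish()` returns `True` with both entries valid. A CRL fetched from a real CDP can be fed to `parse_crl` the same way; the point of running it on a schedule is to catch a lapsed delta CRL before clients do.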

