Join 3,551 readers in helping fund MetaFilter (Hide)


SSL Client Certificates
May 15, 2009 8:45 AM   Subscribe

Please help a noob with client-side SSL certificates.

What is the process for generating SSL client certs? What kind of information is needed? Who generates them? I have a web server SSL cert installed (IIS), when users try to connect they are prompted to choose their client certificate from a list. (This is the behavior I want). The web server SSL certificate was issued by Entrust.net
posted by banshee to Computers & Internet (6 answers total) 3 users marked this as a favorite
 
I'm not sure I follow. You already have an SSL-enabled site, why are the users prompted to choose a certificate when they connect?

Entrust is a valid certificate authority (CA) and if the clients are using a modern operating system they should already have the root certificate in their local keystores.

Generating certificate signing requests (CSRs) is the same process regardless of where the certificate ends-up.

Do you want to issue your own certificates and ensure the root CA is in your client-side keystores (this way you don't have to pay for certificates). This is certainly possible, but really only a valid option if you can manage the keystores on the local workstations. If you are not able to push the CA root to establish the trusted relationship then clients will get certificate warnings while using the secured services.

I probably didn't explain it very well. Could you elaborate on what you're looking for?
posted by purephase at 9:51 AM on May 15, 2009


The user can generate them on their own once you've setup the IIS cert piece. They fill out the form and generate a cert request. You either manually or automatically approve this cert. Once it's approved, they download it and install it locally.

Start with these two articles, the second especially should clear up some of your confusion.

http://support.microsoft.com/kb/907274
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html
posted by anti social order at 9:57 AM on May 15, 2009


To add to what pure said, I'm going off the assumption you want two-factor authentication. Please correct us if that's not the case.
posted by anti social order at 9:58 AM on May 15, 2009


The server's SSL cert chain and the client's SSL cert chain are totally independent. You can choose whatever CA you want (a private CA you operate, or some "real" CA like Entrust) for each side.

The client generates a keypair and a certificate signing request (CSR). A CSR is just a bundled-up copy of all the information needed to generate a certificate. You send the CSR to whoever operates the CA (maybe that's you, maybe that's some third party) and they generate a signed certificate from the CSR and their secret keys. Then they send that cert back to the user, who gives it to their web browser.

The web server needs to be configured to inform the client what CAs' certificates it will accept— you've already done this, apparently.
posted by hattifattener at 10:37 AM on May 15, 2009


two-factor authentication

Yes, that is what I want.
posted by banshee at 10:53 AM on May 15, 2009


Ok then that second article should get you on your way. It's about the same procedure used last time I had to do this (2004ish?). I would guess you don't have to self-sign anything since you have a real cert, but try it out and see. FWIW, we ended up scrapping the cert deal as it was too much admin overhead.

here's the link to the 2k3 flavor of the docs. in 2k8 i think it's an extra download.
http://technet.microsoft.com/en-us/library/bb727098.aspx
posted by anti social order at 11:38 AM on May 15, 2009


« Older iphoneforsalefilter: My buddy ...   |  I came across an interesting g... Newer »
This thread is closed to new comments.