I used the accepted answer on this page to make some certs including changing the -eku to "1.3.6.1.5.5.7.3.2" to generate a client cert but still did not work. http://stackoverflow.com/questions/496658/using-makecert-for-development-ssl
At this point I'm thinking mutual ssl is not possible in IIS7 with self signed cert.

Thanks
--Tigran

On Thu, Sep 17, 2009 at 1:50 PM, Tigran K <tigr...@gmail.com> wrote:
> So assuming selfssl does generate client auth EKU is there a way I can
> generate a cert that has client auth EKU or do I have to buy a cert
> from CA?
>
> Thanks
> --Tigran
>
> On Thu, Sep 17, 2009 at 1:43 PM, Brian Desmond <br...@briandesmond.com> wrote:
>> You need a cert with the Client auth EKU. You're not getting that with a
>> cert generated with selfssl I'm guessing. You generally use this feature
>> with smartcards or other 2 factor devices. The logon mapping happens based
>> on the UPN in the cert and an AD lookup.
>>
>> Thanks,
>> Brian Desmond
>> br...@briandesmond.com
>>
>> c - 312.731.3132
>>
>>
>> -----Original Message-----
>> From: Tigran K [mailto:tigr...@gmail.com]
>> Sent: Thursday, September 17, 2009 3:26 PM
>> To: NT System Admin Issues
>> Subject: How do I enable mutual SSL in IIS7 with a self-signed certificate?
>>
>> I've created a self-signed certificate in IIS7. Then I exported this
>> certificate to a .pfx and then installed it on the client machine's IE
>> browser. Then I set "Require Client Certificate" on the server's IIS
>> configuration. When I try to visit the site with IE, a dialog box comes up
>> for me to choose a certificate, however, there are no certs in that dialog
>> box. When I click "OK" without choosing any certs, I get a 403 forbidden
>> error. How can I make this work?
>>
>> Appreciate the help in advance.
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
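
A diagnostic for the condition described in the thread (a certificate needs the Client Authentication EKU, `1.3.6.1.5.5.7.3.2`, to be usable as a client certificate), as an added example that is not part of the original messages. The function names and sample subjects are hypothetical, the two certificates are constructed in memory, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, the -eku value from the thread
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, typical for a web site certificate

# Hypothetical helper: report whether a certificate can be offered for TLS client authentication.
function Test-ClientAuthCandidate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # A certificate with no EKU extension at all is not restricted to any purpose,
    # so only an EKU list that omits Client Authentication disqualifies it.
    $now = Get-Date
    $reason = $null
    if (-not $Cert.HasPrivateKey) { $reason = 'no private key on this machine' }
    elseif ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $reason = 'outside validity period' }
    elseif ($ekus.Count -gt 0 -and $ekus -notcontains $ClientAuthOid) {
        $reason = 'EKU extension present without Client Authentication'
    }
    [pscustomobject]@{
        Subject = $Cert.Subject
        Ekus    = $ekus -join ', '
        Usable  = ($null -eq $reason)
        Reason  = $reason
    }
}

# Constructed sample input: self-signed certificates built in memory; no store is modified.
function New-SampleCert([string]$Subject, [string]$EkuOid) {
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    [void]$oids.Add([Oid]::new($EkuOid))
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))
}

@( (New-SampleCert 'CN=site.example.test'   $ServerAuthOid),
   (New-SampleCert 'CN=client.example.test' $ClientAuthOid) ) |
    ForEach-Object { Test-ClientAuthCandidate $_ } | Format-Table -AutoSize

# Against the per-user Personal store on the client machine:
# Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-ClientAuthCandidate $_ }
```

The server-auth sample is reported as unusable and the client-auth sample as usable. A certificate that passes this check must still chain to an issuer the server trusts before IIS will accept it.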