I'm not sure I understand what you're trying to accomplish here. You talk about this like there's one cert for clients to auth with. This is generally a solution where every single user has their own cert and they're usually stored on something like a smartcard.
There's no need to buy them from a public CA, but you generally need PKI infrastructure in place to accomplish this.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132

-----Original Message-----
From: Tigran K [mailto:tigr...@gmail.com]
Sent: Thursday, September 17, 2009 3:50 PM
To: NT System Admin Issues
Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

So assuming selfssl does generate client auth EKU is there a way I can generate a cert that has client auth EKU or do I have to buy a cert from CA?

Thanks
--Tigran

On Thu, Sep 17, 2009 at 1:43 PM, Brian Desmond <br...@briandesmond.com> wrote:
> You need a cert with the Client auth EKU. You're not getting that with a cert
> generated with selfssl I'm guessing. You generally use this feature with
> smartcards or other 2 factor devices. The logon mapping happens based on the
> UPN in the cert and an AD lookup.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c - 312.731.3132
>
>
> -----Original Message-----
> From: Tigran K [mailto:tigr...@gmail.com]
> Sent: Thursday, September 17, 2009 3:26 PM
> To: NT System Admin Issues
> Subject: How do I enable mutual SSL in IIS7 with a self-signed certificate?
>
> I've created a self-signed certificate in IIS7. Then I exported this
> certificate to a .pfx and then installed it on the client machine's IE
> browser. Then I set "Require Client Certificate" on the server's IIS
> configuration. When I try to visit the site with IE, a dialog box comes up
> for me to choose a certificate, however, there are no certs in that dialog
> box. When I click "OK" without choosing any certs, I get a 403 forbidden
> error. How can I make this work?
>
> Appreciate the help in advance.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
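
Added example, not part of the thread or written by its participants: a PowerShell check of which certificates in the user's Personal store carry the Client Authentication EKU discussed above, plus a lab-only way to create a self-signed one with a UPN in the SAN. The function names and the UPN are hypothetical; it assumes Windows 10 / Server 2016 or later, where `New-SelfSignedCertificate` accepts `-TextExtension`.

```powershell
# Added example (not from the thread). Function names and the lab UPN are hypothetical.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$AnyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage

function Get-ClientAuthCandidate {
    # Report, for each cert in a store, whether it is eligible for TLS client authentication.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # A cert with no EKU extension is not restricted to specific purposes.
        $ekuOk = (-not $eku) -or ($oids -contains $ClientAuthOid) -or ($oids -contains $AnyEkuOid)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            EkuOids       = $oids -join ','
            # Client auth needs both an acceptable EKU and the private key on this machine.
            ClientAuthOk  = $ekuOk -and $cert.HasPrivateKey
        }
    }
}

function New-LabClientCert {
    # Lab-only self-signed client cert: Client Authentication EKU plus a UPN in the SAN.
    param([string]$Upn = 'labuser@example.test')   # constructed value

    New-SelfSignedCertificate -Type Custom -Subject "CN=$Upn" `
        -KeyUsage DigitalSignature -CertStoreLocation 'Cert:\CurrentUser\My' `
        -TextExtension @(
            "2.5.29.37={text}$ClientAuthOid",
            "2.5.29.17={text}upn=$Upn")
}

# Inspect the current user's store; New-LabClientCert is only run when called explicitly.
Get-ClientAuthCandidate | Format-Table -AutoSize
```

A certificate that passes this check must still chain to an issuer the server trusts, which is what the PKI mentioned in the thread provides.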