Thank you all for the replies. Brian, you said the magic words: I need PKI infrastructure. I was trying to do this with the self-sign option in IIS 7. As far as I can tell, un-doable. I accomplished my goal by installing certificate services.
--Tigran

On Thu, Sep 17, 2009 at 10:34 PM, Brian Desmond <br...@briandesmond.com> wrote:
> I'm not sure I understand what you're trying to accomplish here. You talk
> about this like there's one cert for clients to auth with. This is generally
> a solution where every single user has their own cert and they're usually
> stored on something like a smartcard.
>
> There's no need to buy them from a public CA, but, you generally need PKI
> infrastructure in place to accomplish this.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c - 312.731.3132
>
>
> -----Original Message-----
> From: Tigran K [mailto:tigr...@gmail.com]
> Sent: Thursday, September 17, 2009 3:50 PM
> To: NT System Admin Issues
> Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed
> certificate?
>
> So assuming selfssl does generate client auth EKU is there a way I can
> generate a cert that has client auth EKU or do I have to buy a cert from CA?
>
> Thanks
> --Tigran
>
> On Thu, Sep 17, 2009 at 1:43 PM, Brian Desmond <br...@briandesmond.com> wrote:
>> You need a cert with the Client auth EKU. You're not getting that with a
>> cert generated with selfssl I'm guessing. You generally use this feature
>> with smartcards or other 2 factor devices. The logon mapping happens based
>> on the UPN in the cert and an AD lookup.
>>
>> Thanks,
>> Brian Desmond
>> br...@briandesmond.com
>>
>> c - 312.731.3132
>>
>>
>> -----Original Message-----
>> From: Tigran K [mailto:tigr...@gmail.com]
>> Sent: Thursday, September 17, 2009 3:26 PM
>> To: NT System Admin Issues
>> Subject: How do I enable mutual SSL in IIS7 with a self-signed certificate?
>>
>> I've created a self-signed certificate in IIS7. Then I exported this
>> certificate to a .pfx and then installed it on the client machine's IE
>> browser. Then I set "Require Client Certificate" on the server's IIS
>> configuration. When I try to visit the site with IE, a dialog box comes up
>> for me to choose a certificate, however, there are no certs in that dialog
>> box. When I click "OK" without choosing any certs, I get a 403 forbidden
>> error. How can I make this work?
>>
>> Appreciate the help in advance.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
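
The check Brian describes, as an added example that is not part of the original thread: a PowerShell sketch that lists the certificates in the current user's Personal store and reports whether each has a private key, permits the Client Authentication EKU, and carries a UPN for account mapping. The function name `Test-ClientAuthCert` is hypothetical, and the UPN extraction assumes the English-locale text that Windows produces when formatting the Subject Alternative Name.

```powershell
# Added example: which certificates in the user's Personal store are usable
# for TLS client authentication (mutual SSL)?
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$AnyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage

function Test-ClientAuthCert {         # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # A certificate with no EKU extension is not restricted to any purpose.
    $ekuOk = (-not $ekuExt) -or
             ($ekuOids -contains $ClientAuthOid) -or
             ($ekuOids -contains $AnyEkuOid)

    # Subject Alternative Name (2.5.29.17) may hold the UPN used for the AD lookup.
    # Assumption: English-locale formatting, "Other Name:Principal Name=user@domain".
    $upn = $null
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match 'Principal Name=([^,\s]+)')) {
        $upn = $Matches[1]
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $ekuOk
        Upn           = $upn
        Usable        = ($Cert.HasPrivateKey -and $ekuOk)
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCert -Cert $_ } |
    Format-Table -AutoSize
```

A certificate that shows `Usable = False` here fails one of the two conditions checked (no private key, or an EKU list that excludes client authentication).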