As mentioned before, AFAICT there is no need for a PKI, though it might make 
things easier to set up.

Just to be clear - SSL has nothing to do with IIS. IIS delegates all of this to 
another subsystem in Windows. Since what you are trying to do works with other 
technologies on Windows, it should work with IIS as well.

Cheers
Ken

-----Original Message-----
From: Tigran K [mailto:tigr...@gmail.com] 
Sent: Tuesday, 6 October 2009 1:51 PM
To: NT System Admin Issues
Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

Thank you all for the replies. Brian, you said the magic words: I need PKI 
infrastructure. I was trying to do this with the self-sign option in IIS 7. As 
far as I can tell, it's undoable. I accomplished my goal by installing certificate 
services.

--Tigran

On Thu, Sep 17, 2009 at 10:34 PM, Brian Desmond <br...@briandesmond.com> wrote:
> I'm not sure I understand what you're trying to accomplish here. You talk 
> about this like there's one cert for clients to auth with. This is generally 
> a solution where every single user has their own cert and they're usually 
> stored on something like a smartcard.
>
> There's no need to buy them from a public CA, but, you generally need PKI 
> infrastructure in place to accomplish this.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c - 312.731.3132
>
>
> -----Original Message-----
> From: Tigran K [mailto:tigr...@gmail.com]
> Sent: Thursday, September 17, 2009 3:50 PM
> To: NT System Admin Issues
> Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed 
> certificate?
>
> So assuming selfssl does generate client auth EKU is there a way I can 
> generate a cert that has client auth EKU or do I have to buy a cert from CA?
>
> Thanks
> --Tigran
>
> On Thu, Sep 17, 2009 at 1:43 PM, Brian Desmond <br...@briandesmond.com> wrote:
>> You need a cert with the Client Auth EKU. You're not getting that with a 
>> cert generated with selfssl, I'm guessing. You generally use this feature 
>> with smartcards or other 2-factor devices. The logon mapping happens based 
>> on the UPN in the cert and an AD lookup.
>>
>> Thanks,
>> Brian Desmond
>> br...@briandesmond.com
>>
>> c - 312.731.3132
>>
>>
>> -----Original Message-----
>> From: Tigran K [mailto:tigr...@gmail.com]
>> Sent: Thursday, September 17, 2009 3:26 PM
>> To: NT System Admin Issues
>> Subject: How do I enable mutual SSL in IIS7 with a self-signed certificate?
>>
>> I've created a self-signed certificate in IIS7. Then I exported this 
>> certificate to a .pfx and then installed it on the client machine's IE 
>> browser. Then I set "Require Client Certificate" on the server's IIS 
>> configuration. When I try to visit the site with IE, a dialog box comes up 
>> for me to choose a certificate, however, there are no certs in that dialog 
>> box. When I click "OK" without choosing any certs, I get a 403 forbidden 
>> error. How can I make this work?
>>
>> Appreciate the help in advance.

