RE: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-10-07 Thread Ken Schaefer
As mentioned before, AFAICT there is no need for a PKI, though it might make 
things easier to set up.

Just to be clear - SSL has nothing to do with IIS. IIS delegates all of this to 
another subsystem in Windows. Since what you are trying to do works with other 
technologies on Windows, it should work with IIS as well.

Cheers
Ken

-Original Message-
From: Tigran K [mailto:tigr...@gmail.com] 
Sent: Tuesday, 6 October 2009 1:51 PM
To: NT System Admin Issues
Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

Thank you all for the replies. Brian, you said the magic words: I need PKI 
infrastructure. I was trying to do this with the self-signed option in IIS 7. As 
far as I can tell, undoable. I accomplished my goal by installing certificate 
services.

--Tigran


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~



Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-10-05 Thread Tigran K
Thank you all for the replies. Brian, you said the magic words: I need
PKI infrastructure. I was trying to do this with the self-signed option
in IIS 7. As far as I can tell, undoable. I accomplished my goal by
installing certificate services.

--Tigran

On Thu, Sep 17, 2009 at 10:34 PM, Brian Desmond br...@briandesmond.com wrote:
 I'm not sure I understand what you're trying to accomplish here. You talk 
 about this like there's one cert for clients to auth with. This is generally 
 a solution where every single user has their own cert and they're usually 
 stored on something like a smartcard.

 There's no need to buy them from a public CA, but, you generally need PKI 
 infrastructure in place to accomplish this.

 Thanks,
 Brian Desmond
 br...@briandesmond.com

 c - 312.731.3132





RE: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-09-17 Thread Brian Desmond
You need a cert with the Client auth EKU. You're not getting that with a cert 
generated with selfssl, I'm guessing. You generally use this feature with 
smartcards or other two-factor devices. The logon mapping happens based on the 
UPN in the cert and an AD lookup.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132


-Original Message-
From: Tigran K [mailto:tigr...@gmail.com]
Sent: Thursday, September 17, 2009 3:26 PM
To: NT System Admin Issues
Subject: How do I enable mutual SSL in IIS7 with a self-signed certificate?

I've created a self-signed certificate in IIS7. Then I exported this 
certificate to a .pfx and then installed it on the client machine's IE browser. 
Then I set Require Client Certificate on the server's IIS configuration. When 
I try to visit the site with IE, a dialog box comes up for me to choose a 
certificate, however, there are no certs in that dialog box. When I click OK 
without choosing any certs, I get a 403 forbidden error. How can I make this 
work?

Appreciate the help in advance.




Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-09-17 Thread Tigran K
So assuming selfssl does generate client auth EKU, is there a way I can
generate a cert that has client auth EKU, or do I have to buy a cert
from a CA?

Thanks
--Tigran

On Thu, Sep 17, 2009 at 1:43 PM, Brian Desmond br...@briandesmond.com wrote:
 You need a cert with the Client auth EKU. You're not getting that with a cert 
 generated with selfssl, I'm guessing. You generally use this feature with 
 smartcards or other two-factor devices. The logon mapping happens based on the 
 UPN in the cert and an AD lookup.

 Thanks,
 Brian Desmond
 br...@briandesmond.com

 c - 312.731.3132





Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-09-17 Thread Tigran K
I used the accepted answer on this page to make some certs including
changing the -eku to 1.3.6.1.5.5.7.3.2 to generate a client cert but
still did not work.
http://stackoverflow.com/questions/496658/using-makecert-for-development-ssl

At this point I'm thinking mutual SSL is not possible in IIS7 with a
self-signed cert.

Thanks
--Tigran

On Thu, Sep 17, 2009 at 1:50 PM, Tigran K tigr...@gmail.com wrote:
 So assuming selfssl does generate client auth EKU, is there a way I can
 generate a cert that has client auth EKU, or do I have to buy a cert
 from a CA?

 Thanks
 --Tigran




RE: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-09-17 Thread Ken Schaefer
Hi,

 At this point I'm thinking mutual ssl is not possible in IIS7 with self 
 signed cert.

Mutual auth with self-signed certs should work fine with IIS7. The problem has 
nothing to do with IIS7; it's just your certificates, I think. All the SSL 
stuff is done by the Windows Schannel security package, and not by IIS7.

For client authentication:
a) IIS7 will present a list of CAs that it trusts to the client
b) the client must select a Client Authentication certificate issued by one of 
those trusted CAs

So, you'll need to create a certificate that has the issuance and client 
authentication OIDs. This has to be installed on the IIS7 box in one of the CA 
stores. The issuance OID means that it can be a CA, so IIS7 will present it as 
a trusted CA. This cert also needs to be installed in the user's certificate 
store. Because it has the client authentication OID, the client can use it to 
authN to IIS7.

You'll need to repeat the process in reverse for the server-authentication part 
(but I think you have that part sorted).

Lastly, as the cert isn't integrated with Active Directory, you'll need to map 
the cert to a user identity on the IIS7 box, so that IIS7 knows what Windows 
identity the certificate represents and can construct the necessary security 
token.

Cheers
Ken

-Original Message-
From: Tigran K [mailto:tigr...@gmail.com] 
Sent: Friday, 18 September 2009 11:17 AM
To: NT System Admin Issues
Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

I used the accepted answer on this page to make some certs including changing 
the -eku to 1.3.6.1.5.5.7.3.2 to generate a client cert but still did not 
work.
http://stackoverflow.com/questions/496658/using-makecert-for-development-ssl

At this point I'm thinking mutual SSL is not possible in IIS7 with a self-signed 
cert.

Thanks
--Tigran


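Ken's description above (the server advertises the CAs it trusts, the client must answer with a certificate issued by one of them, and that certificate must carry the client-authentication OID Brian pointed to) can be exercised end to end with Go's standard library. The program below is an added example, not code from this thread and not IIS or Windows code; Go's crypto/tls stands in for the Schannel package Ken mentions. Everything in it is constructed for the lab: the names "Lab Root CA", "iis.lab.test", "alice" and "bob", the one-day lifetimes, the serial-number scheme and the loopback listener. It presents three client certificates to a server that requires a client certificate and trusts only the lab root: one issued by that root with the client-authentication EKU (Brian's requirement), one issued by the same root with only the server-authentication EKU, and a self-signed server certificate of the kind the IIS7 wizard creates, which is what the original post tried to use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is the server's verdict on each client certificate (nil means accepted).
type Outcome struct{ Good, WrongEKU, SelfSigned error }

// check aborts on setup failures (key generation, issuance, sockets) that are not a verdict.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn: self-signed when parent is nil (as the IIS7 "Create
// Self-Signed Certificate" wizard does), otherwise signed by parent. All values are lab values.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, dns []string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // good enough for a throwaway lab
		Subject:      pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: isCA, // IsCA is the "issuance" property Ken describes
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, interface{}(key) // self-signed unless a parent is supplied
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS connection over loopback TCP and returns the server's verdict: nil if accepted.
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srv := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(raw, server).Handshake()
		}
		srv <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, client).Handshake()
	if err := <-srv; err != nil {
		return err
	}
	return clientErr
}

// run builds Brian's "PKI infrastructure" as one self-signed lab root and tries three client certs against it.
func run() (out Outcome) {
	clientAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // 1.3.6.1.5.5.7.3.2, the OID from the thread
	serverAuth := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // 1.3.6.1.5.5.7.3.1
	ca := issue("Lab Root CA", true, nil, nil, nil)
	site := issue("iis.lab.test", false, serverAuth, []string{"iis.lab.test"}, &ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	// IIS equivalents: "Require Client Certificate" plus the root in the machine's trusted CA store;
	// ClientCAs is the CA list the server sends in CertificateRequest (Ken's point a).
	serverCfg := &tls.Config{Certificates: []tls.Certificate{site}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	try := func(cn string, eku []x509.ExtKeyUsage, parent *tls.Certificate) error {
		c := issue(cn, false, eku, nil, parent)
		return handshake(serverCfg, &tls.Config{RootCAs: roots, ServerName: "iis.lab.test", Certificates: []tls.Certificate{c}})
	}
	out.Good = try("alice", clientAuth, &ca)              // trusted issuer and client-auth EKU: what Brian asks for
	out.WrongEKU = try("bob", serverAuth, &ca)            // trusted issuer, but no client-auth EKU
	out.SelfSigned = try("iis.lab.test", serverAuth, nil) // the IIS7 wizard's certificate, presented as a client cert
	return out
}

func main() {
	fmt.Printf("%+v\n", run()) // accepted certificates print <nil>; rejected ones show the server's reason
}
```

Run it with go run: the first case prints <nil> and the other two print the server's reason. The second fails the EKU check even though its issuer is trusted, which is Brian's point about selfssl output. The third reproduces the original symptom: the client finds no certificate whose issuer is on the server's list, so it sends an empty Certificate message, the same filtering that leaves the IE picker empty. The Go server aborts the handshake at that point, whereas IIS completes it and answers the request with 403.7 (client certificate required), which is the 403 in the original post. The last step Ken mentions, mapping an accepted certificate to a Windows account, has no counterpart in this snippet; on IIS7 without Active Directory that is the iisClientCertificateMappingAuthentication section (one-to-one or many-to-one mappings) in applicationHost.config, and in Go you would read the subject from the connection state instead.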


RE: How do I enable mutual SSL in IIS7 with a self-signed certificate?

2009-09-17 Thread Brian Desmond
I'm not sure I understand what you're trying to accomplish here. You talk about 
this like there's one cert for clients to auth with. This is generally a 
solution where every single user has their own cert and they're usually stored 
on something like a smartcard.

There's no need to buy them from a public CA, but, you generally need PKI 
infrastructure in place to accomplish this.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132


-Original Message-
From: Tigran K [mailto:tigr...@gmail.com]
Sent: Thursday, September 17, 2009 3:50 PM
To: NT System Admin Issues
Subject: Re: How do I enable mutual SSL in IIS7 with a self-signed certificate?

So assuming selfssl does generate client auth EKU, is there a way I can generate 
a cert that has client auth EKU, or do I have to buy a cert from a CA?

Thanks
--Tigran
