Client Certificates and SSL

Posted on 2004-08-18
Last Modified: 2013-12-04

I am experimenting with setting up an SSL server for a future project.  The setup I have now is a server (running IIS on win2k), a client (winXP Pro), and a certifying authority (win server 2k3).  The server is set up to require a certificate from the client.  Both the client and the server have gotten certificates from the CA. When I try to connect to the server from the client, a dialog box appears on the client asking me to select a certificate.  The list box it gives me, though, is empty. If I look at the certificates from the Internet options, though, the personal certificate from my CA is listed.  

Is there something I am not doing, or does anyone have any ideas about this?  Both the client and the server have the CA listed under their trusted sites, so the certificates should be verifiable.  Any help would be appreciated.
Question by:Skinnee
  • 2
LVL 34

Accepted Solution

Dave_Dietz earned 500 total points
ID: 11837598
Look in Tools->Internet Options->Content-Certificates->Trusted Root Certification Authorities in your browser on the client.  Does your CA show up here?  If not you will need to add it.

Open up an MMC on the Server - add the Certificates snap-in for the Local Computer account
Look at the Trusted Root Certification Authorities here.  Does your Root CA show up here?  Once again, if not you will need to add it.

If you need help adding wither let me know and I can give more guidance.

Bottom line - when using Client serts the IIS server sends a list of all the CAs it trusts to the browser.  The browser looks at its list of trusted CAs and form the resulting subset that they both trust it looks to see if it has any Personal certificates from a CA that BOTH trust.  If there are none it pops a blank list.  If there are several it pops a populated list.  If there is only one it presents it automatically (can be configured to pormpt).

Don't feel bad...I've run into this about 150 times.....  ;-)

Dave Dietz

Author Comment

ID: 11843666

I have the CA server listed as one of the Trusted Root Authorities.  To do this I got the CA certificate from the CA server and installed it.  Is there anything else I need to do in order for it to be trusted?

If I make it so that a user is able to connect with a password rather than having a certificate, everything works fine, which leads me to believe that the client can get the server certificate and authenticate it no problem, so this is where my confusion can come in.  If the client can verify the cert coming in from the SSL server, why wouldn't it list its own certificate issued by that same CA?

Author Comment

ID: 11845106

I figured it out, on the SSL server I was installing the CA certificate to the registry, not the local machine.  Therefore, when I looked at it logged in on the user account I installed the cert on, it said it was trusted.  However, when I accessed the site from the client machine, the ASPNET user was what was looking at all the trusted CA's.  Since it can't see the registry for the other user account I was on, it didn't know my CA was a trusted CA.  So all in all, it was the server not trusting the CA.

Dave- since your post let me know I was heading in the right direction and also gave me an insight about what the log on process was for the SSL which is what allowed me to track down what the problem was, I am giving you the points.  Thanks!


Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now