Skinnee asked on Experts Exchange:

Client Certificates and SSL

I am experimenting with setting up an SSL server for a future project.  The setup I have now is a server (running IIS on win2k), a client (winXP Pro), and a certifying authority (win server 2k3).  The server is set up to require a certificate from the client.  Both the client and the server have gotten certificates from the CA. When I try to connect to the server from the client, a dialog box appears on the client asking me to select a certificate.  The list box it gives me, though, is empty. If I look at the certificates from the Internet options, though, the personal certificate from my CA is listed.  

Is there something I am not doing, or does anyone have any ideas about this?  Both the client and the server have the CA listed under their trusted sites, so the certificates should be verifiable.  Any help would be appreciated.
ASKER CERTIFIED SOLUTION
Dave_Dietz (United States of America)
This solution is only available to members of Experts Exchange.

Skinnee (ASKER):

I have the CA server listed as one of the Trusted Root Authorities.  To do this I got the CA certificate from the CA server and installed it.  Is there anything else I need to do in order for it to be trusted?

If I make it so that a user is able to connect with a password rather than having a certificate, everything works fine, which leads me to believe that the client can get the server certificate and authenticate it no problem, so this is where my confusion comes in.  If the client can verify the cert coming in from the SSL server, why wouldn't it list its own certificate issued by that same CA?
Skinnee (ASKER):

I figured it out: on the SSL server I was installing the CA certificate to the registry, not the local machine.  Therefore, when I looked at it logged in on the user account I installed the cert on, it said it was trusted.  However, when I accessed the site from the client machine, the ASPNET user was what was looking at all the trusted CAs.  Since it can't see the registry for the other user account I was on, it didn't know my CA was a trusted CA.  So all in all, it was the server not trusting the CA.

Dave, since your post let me know I was heading in the right direction and also gave me an insight about what the log-on process was for the SSL, which is what allowed me to track down the problem, I am giving you the points.  Thanks!

Brian
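The root cause Brian describes is a trust-scope mismatch: the CA certificate was placed in the logged-on user's store (which lives under that user's registry hive), while the IIS worker identity (ASPNET) reads the LocalMachine store. The following PowerShell is an added diagnostic example, not code from the thread or from Experts Exchange; it assumes a modern Windows host with the `Cert:` provider (the thread's win2k/IIS setup predates PowerShell) and a hypothetical CA subject string `$CaSubject` that you replace with your own. It reports whether a CA is trusted machine-wide or only for the current user, and builds the trust chain for a client certificate the way the server-side validation would.

```powershell
# Added example (not from the original thread). Checks the exact failure mode Brian hit:
# a CA that is trusted in CurrentUser\Root but absent from LocalMachine\Root, so service
# accounts such as ASPNET (and IIS itself) cannot verify certificates issued by that CA.

function Test-CaTrustScope {
    # $CaSubject is a placeholder: a substring of your CA certificate's Subject, e.g. 'CN=My Lab CA'.
    param([Parameter(Mandatory)][string]$CaSubject)

    $inMachine = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$CaSubject*" })
    $inUser    = @(Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Subject -like "*$CaSubject*" })

    [pscustomobject]@{
        CaSubject      = $CaSubject
        InLocalMachine = ($inMachine.Count -gt 0)   # what IIS / ASPNET consults
        InCurrentUser  = ($inUser.Count -gt 0)      # what the logged-on user's MMC shows
        # True reproduces the thread's symptom: looks trusted to the admin, untrusted to the service.
        UserOnlyTrust  = ($inUser.Count -gt 0 -and $inMachine.Count -eq 0)
    }
}

function Test-ClientCertChain {
    # Builds the chain for one certificate using the machine's trust policy, i.e. what the
    # server-side handshake would do when deciding whether to accept a client certificate.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline lab: skip revocation so the only thing being tested is the trust path itself.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        ChainValid = $built
        # Empty when valid; otherwise e.g. 'UntrustedRoot' or 'PartialChain' (missing issuer).
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: take every client-capable certificate in the user's personal store (the store the
# browser's certificate picker draws from) and check its chain plus the issuer's trust scope.
$clientCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }
foreach ($cert in $clientCerts) {
    Test-ClientCertChain -Cert $cert | Format-List
    # Derive the issuer CN from the certificate itself rather than hard-coding it.
    $issuerCn = ($cert.Issuer -split ',')[0].Trim()
    Test-CaTrustScope -CaSubject $issuerCn | Format-List
}
```

If `UserOnlyTrust` is true for the issuing CA on the IIS host, the fix is the one Brian found: import the CA certificate into `Cert:\LocalMachine\Root` (for example with the Certificates MMC snap-in targeting the Computer account, or `Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root`) so that the worker identity, not just the interactive administrator, sees it as trusted. The same check on the client explains an empty certificate picker: the browser only offers client certificates whose chain it can build to a CA the server advertised as acceptable.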