
How to set IIS to filter for email certificate only

When I set IIS to accept certificates, it prompts for and will accept an Identity cert or an email cert. How can I set it to only prompt for and accept Email certificates?
Asked by: mbart
1 Solution

Paranormastic (Cryptographic Engineer) commented:
Basically, when doing client authentication the server is looking for the key usage for that specific function; if there happen to be additional key usages, then so be it.

Depending on the specifics, you might also look into "Enable client certificate mapping". Depending on how these two different types of certificates are issued, this could be a possibility. For example, if retail people get ID certs whereas HQ people get email certs, you could use this. If this doesn't work for you, then read on.

Another way would be to separate the CAs that issue each type and only trust one of them in the Client Trust List (CTL). This is a sticky one, as you can only add self-signed certificates to this, i.e. root CA certificates. You cannot add just a subordinate CA to this list. In other words, this would require setting up another root CA (and issuing a subordinate, presumably) so that you could issue certs of one type from PKI#1 and the other type from PKI#2, then pointing the CTL to only one of them. Personally I wish they would change this to include subordinates, to cut down on the root requirement and also make it more granular so you aren't trusting more than you have to, but that's the way it is.

If you happen to get each type from different CAs already (e.g. one is internal and the other is commercial), then you could just define the appropriate root in the CTL without the extra mess.

Beyond that, it would require server-side scripting to open up the cert, check specific things, and decide from there. I don't know of any scripts that do this, but maybe there's something out there.


Here is a nice link for a lot of client side authentication stuff - a bit old, but still useful:
http://support.microsoft.com/kb/315588
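The server-side check described in the answer above (open the presented client certificate, look at what it is allowed to be used for, and decide from there) can be written against the Extended Key Usage (EKU) extension: an email certificate carries id-kp-emailProtection (1.3.6.1.5.5.7.3.4), while a pure identity/logon certificate does not. The PowerShell below is an added example and is not code from the original post or from Microsoft; the function names `Get-CertEkuOids` and `Test-EmailOnlyClientCert`, the two self-signed test certificates it creates with `New-SelfSignedCertificate` (Windows only), and the policy of accepting a certificate that also carries id-kp-clientAuth alongside id-kp-emailProtection are assumptions made for illustration.

```powershell
# Added example (not from the original thread): accept a TLS client certificate
# only if its Extended Key Usage (2.5.29.37) includes id-kp-emailProtection.
# Function names and the two constructed test certificates are assumptions.

$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (S/MIME)
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (TLS client auth)

function Get-CertEkuOids {
    # Returns the dotted OIDs listed in the certificate's EKU extension,
    # or nothing at all when the certificate carries no EKU extension.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ext = $Cert.Extensions['2.5.29.37']
    if ($null -eq $ext) { return }

    # Re-parse the raw extension as an EKU extension so this works whether or not
    # the collection already handed us a typed X509EnhancedKeyUsageExtension.
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
    $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
}

function Test-EmailOnlyClientCert {
    # Policy (assumption): the cert must state emailProtection. A cert with
    # no EKU at all means "any purpose", which is not "email", so fail closed.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $oids = @(Get-CertEkuOids -Cert $Cert)
    if ($oids.Count -eq 0) { return $false }
    return ($oids -contains $EmailProtectionOid)
}

# --- Constructed test input (Windows only; needs the PKI module) ---------------
# An "email" cert that can also do TLS client auth, and an "identity" cert that
# can only do TLS client auth. Both are self-signed throwaways in CurrentUser\My.
$emailCert = New-SelfSignedCertificate -Subject 'CN=hq-user@example.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}$ClientAuthOid,$EmailProtectionOid")

$idCert = New-SelfSignedCertificate -Subject 'CN=retail-user' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature `
    -TextExtension @("2.5.29.37={text}$ClientAuthOid")

try {
    foreach ($c in $emailCert, $idCert) {
        $verdict = if (Test-EmailOnlyClientCert -Cert $c) { 'ACCEPT' } else { 'REJECT (HTTP 403)' }
        '{0,-28} EKU=[{1}] -> {2}' -f $c.Subject, ((Get-CertEkuOids -Cert $c) -join ','), $verdict
    }
}
finally {
    # Clean up the throwaway test certificates.
    foreach ($c in $emailCert, $idCert) {
        Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -ErrorAction SilentlyContinue
    }
}
```

Inside an IIS application the same two functions would run against the certificate the client actually presented (in ASP.NET, `New-Object X509Certificate2` over `Request.ClientCertificate.Certificate`, then return 403 when `Test-EmailOnlyClientCert` is false). Note that this gates acceptance only: which certificates the browser offers in its prompt is driven by the issuer list the server sends, which is what the CTL discussion above controls.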
