Setup SSL Mutual Authentication

I am trying to set up SSL Mutual Authentication in IIS. When I try to access any method of the web service on the server side, passing a client certificate, it throws a Forbidden 403 error.
Please let me know how to set it up in IIS.
Vibhug asked:
 
Paranormastic (Cryptographic Engineer) commented:
The client cert was issued from a CA, right?  The CA Trust Root should point to the root CA certificate, not the client cert.

The client cert needs to have the 'Client Authentication' listed under Enhanced Key Usage (EKU) - verify this on the Details tab of the client cert.

Make sure the cert is listed in certmgr.msc under Personal - Certificates.  When you open it on the client box make sure on general tab there is a message at the bottom saying you have the private key.  If not, then go on Details tab and copy the serial number, paste serial number into notepad and remove spaces and copy again, open cmd - certutil -user -repairstore My %pasteSerialNumber%
 
Vibhug (Author) commented:
Also, I have added the client certificate in the CA trust root; still, it doesn't show the certificate when I directly access the web service. It shows the dialog box asking to select a certificate but doesn't show any certificate in the list.
 
yasserk commented:
The client cert was issued from a CA.

The client cert is marked only for the Server Authentication purpose. I am not able to add the purpose for client certification.

The client certificate is listed in certmgr.msc under Personal - Certificates. Where should I check it for the private key? From certmgr.msc itself?
 
Vibhug (Author) commented:
The private key is visible now. Also, the problem is the same.
Should I also download the GeoTrust Root CA as the root certificate?
 
Vibhug (Author) commented:
Hello Paranormastic,

Everything is the same as you asked for. Still, I have the same problem. Just to make sure, how should I get the root CA certificate? I feel the problem might be there. I went to the site of the issuer of the client certificate, downloaded the Root Certificate and added it in the CA trust root. Please let me know if I am wrong on this.
 
Paranormastic (Cryptographic Engineer) commented:
Server Authentication isn't going to do it.  You need to get a certificate based off of the User template (or a template duplicated from User).
 
Paranormastic (Cryptographic Engineer) commented:
Last post was assuming it was issued from your own CA.  If it was issued from GeoTrust then you should talk to them about getting your money back and getting a user certificate with the Client Authentication EKU - if they have one they should be able to recommend a product for you.  The server and client would need to trust the root certificate of whatever CA - if it is GeoTrust there is a very good chance it is already there; they have been around for a long time and have extremely good product integration.
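The client-side checks described in the comments above (Client Authentication EKU, private key present, chain to a trusted root) can be scripted. This is an added example, not part of the original thread; the function name `Test-ClientCertCandidate` and the choice to skip revocation checking are assumptions made for illustration.

```powershell
# Added example: audit the current user's Personal store for certificates
# usable as TLS client certificates. Run on the client machine.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU

function Test-ClientCertCandidate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs. A certificate with no EKU extension is not
    # restricted to particular purposes, so it is treated as acceptable.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $ekuOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)

    # Build the chain against the local trust stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: offline check
    $chainOk = $chain.Build($Cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $now = Get-Date

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Serial        = $Cert.SerialNumber
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $ekuOk
        EkuOids       = $ekuOids -join ','
        ChainTrusted  = $chainOk
        ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        Root          = $root
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
    }
}

# Report every certificate in Personal - Certificates for the current user.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientCertCandidate $_ } |
    Format-List
```

A certificate that shows only `1.3.6.1.5.5.7.3.1` (Server Authentication) under `EkuOids`, as in the case discussed here, reports `ClientAuthEku : False`.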
 
yasserk commented:
Can you please describe in a set of steps exactly how we should be configuring the Mutual SSL authentication on IIS 6 for ASP.NET C# Web Services? I would appreciate it if you could lay out exactly the steps on which type of certificate is required on the server and client, how it will be configured on either side and what is required in the code to actually make it work.
 
yasserk commented:
On the server itself where I have hosted the web service, when I try to access the web service from the browser it shows the client certificate in the list. When I select the certificate and click OK it opens the web service, while if I don't select the certificate and click OK it doesn't take me to the web service page and shows the error "The page requires client certificate" on the page.

When I try to access the URL of the server to access the web service from my local machine or any other machine, it doesn't show the client certificate in the list of the dialog box.

Please suggest how I should proceed.
 
yasserk commented:
We are able to authenticate with valid certificates issued by a valid CA, but the same approach is not working for test certificates. Is there another way to authenticate with test certificates?
 
yasserk commented:
We are able to use valid certificates signed by a trusted CA as the client certificate successfully, but we are not able to use a self-signed certificate as the client certificate.

We have stored the self-signed certificate in the local machine account as well as the same certificate in the Trusted Root store. Now when we go to give IIS permission to this certificate it gives the error "Private key is not accessible". Of course the self-signed certificate we are using doesn't have a private key. Is there any other way to give permission to a self-signed certificate to be used as a client certificate? Please suggest.
Question has a verified solution.
