• Status: Solved
  • Priority: Medium
  • Security: Public

SSL Client Certs

Hi,

If I wish to use SSL that requires both server and client certs (instead of the norm being just server-side), how do I create the client certs? Just by a CA or by using the web server?

And can the client certs be either computer or user certs?

Thanks
2 Solutions
 
Dave Howe commented:
Usually, users do this themselves, using a web interface to (say) the MS CA - you then choose to approve or deny such requests, and the users can then pick up their approved certs by the same method.

In cases where users are not able to access your LAN to request certs, then unless you plan to expose the CA to the internet, you need to manually issue the certs and ship them as pfx files to the recipients.

The only two real requirements are
a) that the SSL server requiring the cert has the CA cert you use for issuing available to verify (and is set to require such verification), and
b) that the same server can access the certificate revocation list so it can check against disabled certs - or the second an employee leaves, you have no way to revoke a cert.

Outside of those two, it doesn't actually matter how you obtain and deliver the client-side certs, other than the fact that the key needs to be delivered securely (a pfx is inherently locked with a password, so if you are using those, make each password unique and deliver it out-of-band, such as via a telephone).
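The two requirements above (server verifies against the issuing CA cert, and consults the CA's CRL so a revoked cert stops working) plus the password-locked pfx delivery, as an added OpenSSL walkthrough that is not part of this thread or of any Microsoft product: a throwaway private CA stands in for the MS CA, issues a "user cert" for a constructed user alice, exports it as a pfx with a per-user password, and then shows the cert being accepted before revocation and rejected after. It assumes only that the `openssl` command-line tool is installed; every name, path and password in it is constructed for the demo.

```shell
# Added example, not from the thread. Assumes the openssl CLI; all names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"; trap 'rm -rf "$WORK"' EXIT
touch index.txt; echo 1000 > crlnumber        # "openssl ca" database and CRL counter
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
extendedKeyUsage = clientAuth
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF

# The private CA (the thread's MS CA), then a "user cert" for alice signed by it.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Client CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
  -extfile ca.cnf -extensions v3_client -out client.crt 2>/dev/null

# Ship it as a pfx locked with a per-user password that travels out of band (phone).
PFX_PW=$(openssl rand -hex 12)
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
  -passout "pass:$PFX_PW" -out client.pfx
pfx_opens_with() { openssl pkcs12 -in client.pfx -passin "pass:$1" -noout 2>/dev/null; }

# Server side: (a) verify against the issuing CA cert, (b) check the CA's CRL.
publish_crl()     { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }
client_accepted() { openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem client.crt >/dev/null 2>&1; }
revoke_client()   { openssl ca -config ca.cnf -revoke client.crt 2>/dev/null && publish_crl; }

publish_crl
client_accepted && echo "alice accepted"       # empty CRL: cert still valid
revoke_client
client_accepted || echo "alice rejected"       # employee left: CRL now lists the cert
```

Without `-crl_check` and a reachable CRL the second `verify` would still say OK, which is exactly the failure mode point (b) warns about.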
 
vinsvin commented:
HOW TO CONFIGURE CLIENT CERTIFICATES
Here I will walk you through the steps for configuring client certificates in a Windows 2003 environment (although there is not much of a difference in Windows 2000).

Environment

Windows 2003 (Web server) IIS6.0
Windows 2000/XP/2003 (Client)
Windows 2003 (Microsoft Certificate server)

Walkthrough

To enable SSL transaction between the server and the client, you need to have a server certificate installed on IIS website. Websites can get the server certificate from a trusted root Certificate Authority (CA). We will be focusing on the steps for acquiring client certificates and setting them in IIS for user authentication.
Here I will show screenshots of the steps that one needs to follow, with a brief explanation of each step.
Client Workstation: WIN2kIIS-VPC
CA server: WIN2K3DC
IIS Web Server: WIN2K3OWA
DC: WIN2K3DC
Domain: WIN2K3DC.local

Requesting a client certificate from a Trusted root Certificate Authority (CA):

Access the CA Website from your client machine as http://<CA Server Name>/certsrv

There are two ways of obtaining a client certificate.

Click on the link: Request a Certificate.

Click on "Select a certificate type: User certificate".

You can also obtain the certificate by clicking on "advanced certificate request" to add more specific details about the client certificate.

Click on More Options >>

Go ahead and hit Submit >

Click on "Yes"

Go ahead and click on the link to install the certificate. You might get the certificate directly, as above, or through email etc. in the case of a 3rd-party CA after verification.

Click on "Yes"

The certificate will get installed in the Current User -> Personal certificate store.


Windows 2000 Active Directory Service Mapping
In IIS, you can also map a certificate to a Windows user account by using the Microsoft Windows 2000 Active Directory directory service feature. This option is available only at the Master properties level and if the server is a member of a Windows 2000 domain.

To enable the Windows directory service mapper:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. In the Internet Information Services pane, right-click * server name, where server name is the name of the server, and then click Properties.
3. Click the Internet Information Services tab.
4. Under Master Properties, click WWW Service, and then click Edit.
5. In the WWW Service Master Properties for * server name Properties dialog box, click the Directory Security tab.
6. Under Secure communications, click to select the Enable the Windows directory service mapper check box, and then click OK.
For more information about Windows 2000 Active Directory Service mapping, click Start, click Help, click the Index tab, and then type mapping certificates.


One-to-One Mapping
Export a Certificate
In IIS one-to-one mapping, some certificates must first be exported. To export a certificate for use in IIS one-to-one mapping:
1. Start Internet Explorer, and then click Internet Options on the Tools menu.
2. Click the Content tab.
3. Under Certificates, click Certificates, and then click the Personal tab.
4. Click the certificate that you want to export, and then click Export to start the Certificate Export Wizard.
5. Click Next.
6. Click No, do not export the private key, and then click Next.
7. Click Base-64 encoded X.509 (.CER), and then click Next.
8. In the File name box, click Browse, specify a name and location where you want to save the file, and then click Save.
9. Click Next, and then click Finish.
10. Click OK to the "The export was successful" message, click Close, and then click OK. The certificate is ready for one-to-one mapping in IIS. This procedure needs to be completed once for each certificate.
Map a Specific Client Certificate to a User Account
To map a specific client certificate to a user account:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the 1-to-1 tab, and then click Add.
6. In the Open box, locate the certificate file, and then click Open.
   NOTE: If you cannot locate the certificate file, you may need to export the file.
7. In the Map to Account dialog box, use the following steps:
   a. In the Map Name box, type a map name.
   b. In the Account box, type, or click Browse to browse to, the Windows user account that you want to map. Type the password of the user account in the Password box, and then click OK.
   c. Re-type the password in the Confirm Password dialog box, and then click OK.
8. Repeat steps 5-7 to map other certificates or to map this certificate to other user accounts.
9. When you are finished creating the mappings that you want, click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.

Many-to-One Mapping
Map Client Certificates by Using Wildcard Rules
To add a client certificate mapping by using wildcard rules:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, and then click Add.
6. In the General dialog box, type a name for the rule, and then click Next.
7. In the Rules dialog box, click New.
8. In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule, click OK, and then click Next.
   NOTE: You should configure your matching rules to be as specific as possible. Use wildcard rules that match information from several different fields and subfields.
9. In the Mapping dialog box, do one of the following:
   - Click Accept this certificate for Logon Authentication, and then in the Account box, type, or click Browse to browse to, the Windows user account that you want to map. Type the password of the user account in the Password box.
   -or-
   - Click Refuse Access.
10. Click Finish.
11. Repeat steps 5-10 to create other mapping rules.
12. To establish the priority of the rules that you defined, click a rule in the list, and then click Move Up or Move Down to move the rule higher or lower on the list. Rules that are higher on the list have a higher priority.
13. Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.
Edit an Existing Wildcard Rule
To edit an existing wildcard rule:
1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then click Edit under Secure communications.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, click the rule that you want to edit, and then click Edit Rule.
6. In the Edit Wildcard Mapping Rule dialog box, make the changes that you want, and then click OK.
7. Click OK four times, and then quit Internet Services Manager, or close the IIS snap-in.


Troubleshooting
If you use IIS to map client certificates to user accounts, you cannot also use the Windows Directory Service to configure client certificate mappings. You can only use one method or the other.
 
Dave Howe commented:
*awed by the length of vinsvin's reply* :)
 
58872 (Author) commented:
Thanks
