I am building a web site (Windows 2008 R2, iis 7.5. not in active directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose a 2-ways SSL. I created a server certifictae which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL to Require a client certificate. it allowed me to browse the site with any client certificate.
So I went to IIS and configed the
as explained in:
but then I tried from a different machine with a different certificate and it still worked! it seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is acceptable by the server,
even when I DONT use the certificate which was defined at the one-to-one mapping.
What am I missing here? if any certificate is acceptable- why does the one-to-one request the public key of the certificate?