Solved

SSL vs. SSL Client authentication configuration

Posted on 2014-03-27
3
434 Views
Last Modified: 2014-03-28
In SSL client auth, the client sends a cert to the server, the server checks its ACL to see if it has a matching cert, and if so it allows the client to continue.

In SSL, the handshake is more complex, but basically ends up with a server ACL of certs with private keys, and the client sends a cert that hopefully matches one in the ACL.

My question is, is there anything you have to do differently to set up SSL client auth that you do NOT have to do when setting up SSL?

To put it another way, is the 'set up' the same for both SSL and SSL client auth?

Thanks
0
Question by:Anthony Lucia
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39960363
Setting up SSL for your website / endpoint is a bit simpler in that you simply request the certificate and bind it to the relevant website.

e.g.
Here is a link to the iis site explaining how to request, accept and bind an SSL cert to a website:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

SSL client auth is slightly more complicated, in that you have to determine the model:
If it is a user to server, you could have the private key reside on the server and distribute the public key to users.

If it is a server to server call, it could be a situation where the server calling into your application has its private key and gave you a copy of the public key so you can validate it is the calling server.

There are many client SSL scenarios (here are a few below).

http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx

The link above will outline three scenarios.

Map Client Certificates One-to-One (IIS 7)
Map Client Certificates Many-to-One (IIS 7)
Map Client Certificates by Using Active Directory Mapping (IIS 7)


Server SSL for https is a straightforward thing: the certificate pair is present on the Web server, so the traffic is encrypted between user and server, since the server is the only one with the private key to complete the handshake.



Client SSL can be any one of a number of scenarios as outlined above.
0
 

Author Comment

by:Anthony Lucia
ID: 39960403
If I am assuming a client to server situation (let's just say a single client at this time),

is the configuration for SSL client auth identical to SSL?

Many Thanks
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39960416
No, the configuration would not be.

You would have to configure IIS to expect the client certificate and indicate what cert to accept.


This tells you how to set up client certs in IIS 7

http://technet.microsoft.com/en-us/library/cc753983%28v=ws.10%29.aspx
0
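As an added illustration of the accepted answer (not from the thread or Microsoft's documentation), the following PowerShell shows the one IIS setting that separates plain server SSL from SSL client auth, plus the one-to-one mapping that tells IIS which client cert to accept. It assumes the site is named "Default Web Site", already has an HTTPS binding with a server certificate, and that the placeholder values are replaced.

```powershell
# Added example: IIS 7 server SSL vs. SSL client authentication via appcmd.
# Assumption: site 'Default Web Site' already has an HTTPS binding.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$access = 'system.webServer/security/access'

# 1. Plain server SSL: only "Ssl" (force HTTPS). The server cert bound to the
#    site does all the work; the client is never asked for a certificate.
& $appcmd set config $site -section:$access /sslFlags:"Ssl" /commit:apphost

# 2. SSL client auth: ask for a client cert in the handshake (SslNegotiateCert)
#    and reject sessions that do not present one (SslRequireCert). IIS only
#    accepts certs chaining to a CA in the machine's Trusted Root store;
#    a missing or untrusted client cert yields HTTP 403.7 / 403.16.
& $appcmd set config $site -section:$access `
    /sslFlags:"Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost

# 3. Say which cert is acceptable: one-to-one mapping of a specific client
#    cert (base64 DER, no header/footer lines) to a Windows account.
#    Requires the IIS Client Certificate Mapping feature (IIS-CertProvider).
$mapping = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$certB64 = '<BASE64-OF-CLIENT-CERT-PLACEHOLDER>'   # placeholder, replace
$user    = 'DOMAIN\svc-client'                     # placeholder account
$pass    = '<PASSWORD-PLACEHOLDER>'                # placeholder, replace
& $appcmd set config $site -section:$mapping /enabled:"True" `
    /oneToOneCertificateMappingsEnabled:"True" `
    "/+oneToOneMappings.[userName='$user',password='$pass',certificate='$certB64']" `
    /commit:apphost

# Check: confirm the site now requires a client certificate.
$current = (& $appcmd list config $site -section:$access) -join "`n"
if ($current -notmatch 'SslRequireCert') {
    throw "Client certificate is NOT required on '$site'"
}
"Client certificate required on '$site'"
```

Step 1 alone is the answer to "server SSL"; steps 2 and 3 are the extra work the accepted answer refers to for client auth.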
