Solved

SSL vs. SSL Client authentication configuration

Posted on 2014-03-27
3
423 Views
Last Modified: 2014-03-28
In SSL client auth, the client sends a cert to the server, the server checks its ACL and to see if it has a matching cert, if so it allows the client to continue.

In SSL, the handshake is more complex, but basically ends up with a Server ACL of certs with private keys, and the client sends a cert that hopefully matches one in the ACL

My question is, is there anything you have to do different to set up a SSL client auth, that you do NOT have to do when setting up the SSL

To put it another way, is the 'set up' the same for both SSL and SSL client auth

Thanks
0
Comment
Question by:Anthony Lucia
  • 2
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39960363
Setting up SSL for your website / endpoint is a bit more simple in that you simply request the certificate and bind it to the relevant website.

e.g.
Here is a link to the iis site explaining how to request accept and bind an SSL cert to a website:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

SSL client auth is slightly more complicated, in that you have to determine the model:
If it is a user to server, you could have the private key reside on the server and distribute the public key to users.

If it is a server to server call it could be a situation where the server calling into your application has it's private key and gave you a copy of the public so you can validate it is the calling server:

There are many client ssl scenarios (here are a few below)

http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx

The link above will outline three scenarios.

Map Client Certificates One-to-One (IIS 7)
Map Client Certificates Many-to-One (IIS 7)
Map Client Certificates by Using Active Directory Mapping (IIS 7)


Server SSL for https is a straightforward thing the certificate pair is present on the Web server so when the traffic is encrypted between user and server since the server is the only one with the Private key to complete the handshake.



Client SSL can be any one of a number of scenarios as outlined above.
0
 

Author Comment

by:Anthony Lucia
ID: 39960403
If I am assuming a client to server situation (lets just say a single coient at thist ime),

is the configuration for SSL client auth identical to SSL ?

Many Thanks
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39960416
No the configuration would not be.

You would have to configure IIS to expect the client certificate and indicate what cert to accept.


This tells you how to set up client certs in IIS 7

http://technet.microsoft.com/en-us/library/cc753983%28v=ws.10%29.aspx
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now