SSL vs. SSL Client authentication configuration

In SSL client auth, the client sends a cert to the server; the server checks its ACL to see if it has a matching cert, and if so it allows the client to continue.

In SSL, the handshake is more complex, but basically ends up with a server ACL of certs with private keys, and the client sends a cert that hopefully matches one in the ACL.

My question is, is there anything you have to do differently to set up SSL client auth that you do NOT have to do when setting up SSL?

To put it another way, is the set-up the same for both SSL and SSL client auth?

Thanks
Asked by Anthony Lucia

1 Solution

becraig commented:
Setting up SSL for your website / endpoint is a bit simpler, in that you simply request the certificate and bind it to the relevant website.

e.g., here is a link to the IIS site explaining how to request, accept and bind an SSL cert to a website:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

SSL client auth is slightly more complicated, in that you have to determine the model:
If it is user to server, you could have the private key reside on the server and distribute the public key to users.

If it is a server-to-server call, it could be a situation where the server calling into your application has its private key and gave you a copy of the public key so you can validate that it is the calling server.

There are many client SSL scenarios (here are a few below):

http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx

The link above will outline three scenarios.

Map Client Certificates One-to-One (IIS 7)
Map Client Certificates Many-to-One (IIS 7)
Map Client Certificates by Using Active Directory Mapping (IIS 7)


Server SSL for HTTPS is a straightforward thing: the certificate pair is present on the web server, so the traffic is encrypted between user and server, since the server is the only one with the private key to complete the handshake.



Client SSL can be any one of a number of scenarios as outlined above.
 
Anthony Lucia (Author) commented:
If I am assuming a client-to-server situation (let's just say a single client at this time),

is the configuration for SSL client auth identical to SSL?

Many Thanks
 
becraig commented:
No, the configuration would not be.

You would have to configure IIS to expect the client certificate and indicate what cert to accept.


This tells you how to set up client certs in IIS 7

http://technet.microsoft.com/en-us/library/cc753983%28v=ws.10%29.aspx
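Added example (not part of the original thread, nor taken from the linked Microsoft pages): the extra steps the accepted answer refers to, namely telling IIS to expect a client certificate and which certificate to accept, scripted for the "Map Client Certificates One-to-One" scenario named in the first answer, using the WebAdministration module on IIS 7.5 or later. Assumptions, all hypothetical: the site is named "Default Web Site", the client's public certificate has been exported without its private key to C:\certs\client.cer, and it should map to a local Windows account named svc-clientcert. The server is only ever given the client's public certificate; the client's private key stays on the client and is what it uses to prove ownership during the handshake. Everything else in the block is standard IIS configuration, with no settings beyond those the page's topic calls for.

```powershell
# Added example: enable IIS client-certificate auth with a one-to-one mapping.
# Hypothetical values: site name, certificate path and mapped account are assumptions.
Import-Module WebAdministration

$site    = 'Default Web Site'     # assumed site name
$cerPath = 'C:\certs\client.cer'  # assumed: client's PUBLIC cert only (no private key)
$mapUser = 'svc-clientcert'       # assumed local account the certificate maps to
$mapPass = Read-Host 'Password for the mapped account'

# 1. The IIS Client Certificate Mapping Authentication feature is not installed by default.
#    (Web-Client-Auth is the separate Active Directory mapping feature, not this one.)
Import-Module ServerManager
Add-WindowsFeature Web-Cert-Auth | Out-Null

# 2. IIS compares the exact base64 DER blob against the certificate the client presents,
#    so a renewed client certificate needs a new mapping entry.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$b64  = [Convert]::ToBase64String($cert.RawData)

$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 3. The section is locked at server level by default; allow the site to configure it.
Set-WebConfiguration -PSPath $apphost -Filter $auth -Metadata overrideMode -Value Allow

# 4. Turn on IIS certificate mapping for the site and add the one-to-one entry.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $auth -Name enabled -Value True
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $auth -Name oneToOneCertificateMappingsEnabled -Value True
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$auth/oneToOneMappings" -Name '.' `
    -Value @{ userName = $mapUser; password = $mapPass; certificate = $b64 }

# 5. Disable anonymous auth so the mapped identity is the only way in.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value False

# 6. Plain server SSL is just 'Ssl'. Client auth additionally negotiates AND requires a client cert.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl, SslNegotiateCert, SslRequireCert'

# Check the result; a request that presents no client certificate should now get HTTP 403.7.
Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags
```

Two caveats a practitioner will hit. First, the mapping only runs after the TLS handshake succeeds, and IIS only accepts a client certificate that chains to a CA in the machine's Trusted Root Certification Authorities store; an untrusted client certificate fails with 403.16 before any mapping is consulted, so for a self-signed client certificate the certificate itself must be imported into that store. Second, one-to-one mapping stores the mapped account's password in applicationHost.config (IIS encrypts it with its configuration keys, but it is still a stored credential), which is one reason the many-to-one and Active Directory mapping scenarios exist for anything beyond a single client.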