Solved

SSL vs. SSL Client authentication configuration

Posted on 2014-03-27
Last Modified: 2014-03-28
In SSL client auth, the client sends a cert to the server, the server checks its ACL to see if it has a matching cert, and if so it allows the client to continue.

In SSL, the handshake is more complex, but basically ends up with a Server ACL of certs with private keys, and the client sends a cert that hopefully matches one in the ACL.

My question is, is there anything you have to do differently to set up SSL client auth that you do NOT have to do when setting up SSL?

To put it another way, is the 'set up' the same for both SSL and SSL client auth?

Thanks
Question by:Anthony Lucia
Expert Comment

by:becraig
ID: 39960363
Setting up SSL for your website / endpoint is a bit simpler in that you simply request the certificate and bind it to the relevant website.

E.g., here is a link to the IIS site explaining how to request, accept and bind an SSL cert to a website:
http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

SSL client auth is slightly more complicated, in that you have to determine the model:
If it is a user to server, you could have the private key reside on the server and distribute the public key to users.

If it is a server-to-server call, it could be a situation where the server calling into your application has its private key and gave you a copy of the public so you can validate it is the calling server.

There are many client ssl scenarios (here are a few below)

http://technet.microsoft.com/en-us/library/cc732996%28v=ws.10%29.aspx

The link above will outline three scenarios.

Map Client Certificates One-to-One (IIS 7)
Map Client Certificates Many-to-One (IIS 7)
Map Client Certificates by Using Active Directory Mapping (IIS 7)


Server SSL for HTTPS is a straightforward thing: the certificate pair is present on the web server, so the traffic is encrypted between user and server, since the server is the only one with the private key to complete the handshake.

Client SSL can be any one of a number of scenarios as outlined above.

Author Comment

by:Anthony Lucia
ID: 39960403
If I am assuming a client to server situation (let's just say a single client at this time),

is the configuration for SSL client auth identical to SSL?

Many Thanks
Accepted Solution

by:
becraig earned 500 total points
ID: 39960416
No, the configuration would not be.

You would have to configure IIS to expect the client certificate and indicate what cert to accept.


This tells you how to set up client certs in IIS 7

http://technet.microsoft.com/en-us/library/cc753983%28v=ws.10%29.aspx
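
The extra IIS steps the accepted answer describes ("expect the client certificate and indicate what cert to accept"), as an added example that is not part of the original thread. It uses the one-to-one mapping scenario linked earlier; the site name and certificate path are assumptions, and it assumes the IIS Client Certificate Mapping Authentication role service is installed and the site already has its HTTPS binding.

```powershell
# Added example: $site and $cerPath are hypothetical values, adjust to your server.
Import-Module WebAdministration

$site    = 'Default Web Site'          # assumed site name
$cerPath = 'C:\certs\client01.cer'     # assumed: the client's public certificate (no private key)
$psPath  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config via a location tag

# Plain SSL stops here: HTTPS is required, client certificates are not requested.
#   sslFlags = 'Ssl'

# Client auth, step 1: require HTTPS AND make the server demand a client certificate.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Client auth, step 2: enable IIS client certificate mapping (one-to-one).
$auth = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $auth `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $auth `
    -Name oneToOneCertificateMappingsEnabled -Value $true

# Client auth, step 3: tell IIS which certificate to accept and which
# Windows account a request presenting it should run as.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$b64  = [Convert]::ToBase64String($cert.RawData)
$cred = Get-Credential -Message 'Windows account to map this client certificate to'

Add-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$auth/oneToOneMappings" -Name '.' `
    -Value @{
        enabled     = $true
        userName    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password
        certificate = $b64
    }

# Check the result: should list Ssl, SslNegotiateCert and SslRequireCert.
Get-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags
```

The server must also trust the CA that issued the client certificate, otherwise the handshake is rejected before the mapping is consulted.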