How to develop secure .NET applications using Server SSL Certificates and Client Certificates – PART 2
February 19, 2009 - 9:56 pm
The following article is part 2 in a 4 part series of articles about developing .NET applications using SSL. Part 1 in this series can be found here.
Setting Up Client Certificates
Client certificates can be used to authenticate the client connecting to a web application. The client can either be a browser or a custom written client application.
Requesting a client certificate:
- Open IE (Firefox didn’t work so well for me…) and type in http://<certauthservername>/certsrv/
- Click on the “Request a certificate” link.
- Click on the “Web Browser Certificate” link.
- Enter all required information into the form and click “Submit”.
Issue the client certificate from your test Certification Authority:
- Log onto the Windows Server 2003 machine and open the Certification Authority dialog from Administrative Tools.
- Expand the root certification authority “Pending Requests” folder.
- The certificate you just requested should be in the “Pending Requests” folder. Right-click on this request and select All Tasks > Issue. The certificate request will be removed from the “Pending Requests” folder and appear in the “Issued Certificates” folder.
Retrieve the certificate and install it into the Current User > Personal Store:
- Go back to IE on your web server and type in http://<certauthservername>/certsrv/ again.
- Click on the “View the status of a pending certificate request” link.
- Click on the certificate request you want to view.
- Click on the “Install this certificate” link.
- Click “Yes” on the dialog that opens to install the client certificate.
- Click “Yes” on the next dialog as well.
Requiring client certificates for a web application in IIS:
Once a client certificate has been requested, issued and installed on a client machine, a web application can be set up to require client certificates. For extra security, client certificates can also be mapped to a Windows user account.
- On the client machine, open a Microsoft Management Console with the Certificates snap-in. Export the client certificate without the private key. This will generate a .cer file. Copy this file over to the server hosting the web application.
- On the server hosting the web application, right-click the website in IIS and select “Properties”.
- Under Properties, go to the “Directory Security” tab.
- Under the Secure Communications section, click the “Edit” button.
- In the Secure Communications dialog, change the “Client Certificates” option to “Require client certificates” and check the “Enable client certificate mapping” checkbox.
- Click on the “Edit” button in the “Enable client certificate mapping” section.
- This will open up the Account Mappings dialog.
- Click the “Add” button.
- Select the client certificate .cer file you exported earlier from the machine that hosts the client application or client browser.
- Give the mapping a relevant name and choose the Windows user that the web application will be run under.
- Click OK.
- Click OK to close the Account Mappings dialog and Secure Communications dialogs.
- Remove all other authentication options in the IIS manager Directory Security setting by clicking on the “Edit” button under Anonymous access and authentication control in the Directory Security tab.
- Uncheck all authentication options and press OK.
- Open up a browser and verify that you cannot reach the web site unless you navigate to it from the machine that has the client certificate installed on it.
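The same verification from a custom-written .NET client, as an added example that is not code from the original article: it loads the client certificate installed into Current User > Personal and presents it on the request, so the connection succeeds only when a certificate with its private key is present. The URL and certificate subject name are assumed placeholders.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class ClientCertDemo
{
    // Assumed values: replace with your web application's URL and the
    // subject name entered on the "Web Browser Certificate" request form.
    const string Url = "https://<webservername>/secureapp/default.aspx";
    const string CertSubject = "CN=Test Client";

    // Look up the certificate in Current User > Personal (CurrentUser\My),
    // which is where the "Install this certificate" step placed it.
    static X509Certificate2 LoadClientCert(string subject)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true skips expired or untrusted certificates.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, true);
            foreach (X509Certificate2 cert in matches)
            {
                // A .cer exported "without the private key" cannot be used
                // to authenticate; only the store copy with the key will do.
                if (cert.HasPrivateKey) return cert;
            }
            throw new InvalidOperationException(
                "No valid client certificate with a private key for " + subject);
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        var request = (HttpWebRequest)WebRequest.Create(Url);
        request.ClientCertificates.Add(LoadClientCert(CertSubject));
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine("HTTP {0}", (int)response.StatusCode);
                Console.WriteLine(reader.ReadToEnd());
            }
        }
        catch (WebException ex)
        {
            // IIS answers 403 (403.7, client certificate required) when no
            // acceptable certificate was presented or the mapping failed.
            var r = ex.Response as HttpWebResponse;
            Console.WriteLine("Rejected: " + (r != null ? ((int)r.StatusCode).ToString() : ex.Message));
        }
    }
}
```

Run it once from the machine holding the certificate and once from another machine; the second run should be rejected, matching the browser check above.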
