Safari, IIS and optional Client Certificates

Question

I've a ASP.Net Webapp running on IIS7.5. The Webserver is configured to accept Client Certifcates. Unfortunately Visitors with Safari Browser are unable to view the Page. Same Problem as described under the following link: http://www.mnxsolutions.com/apache/safari-providing-an-ssl-error-client-certificate-rejected%E2%80%9D-when-other-browsers-work.html Does anyone knows how to solve this?

I'd really appreciate your help.

edit: Seems to be the same problem: https://superuser.com/questions/231695/iis7-5-ssl-question-safari-users-get-a-prompt-of-certificate-to-select

Go to IIS - click on website - click on ssl settings - select option to ignore client - click apply. works :) — batman, Jan 21 '15 at 18:53

Brennan · Answer 1 · 2012-04-10T18:28:54.343

Although the webserver is set to accept certificates, have you:

(A) created a trust relationship to the client certificates in question on the server?

(B) created mappings to those specific certificates on IIS?

(C) created a trust relationship to the server certificates in question on the clients?

(D) ensured that the safari clients have an updated list of root CAs, having a path back to above certificates in question?

References:

A - http://forums.iis.net/p/1166684/1940339.aspx

B - http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/

C - Depends on the operating system in question. Safari on Windows uses the Windows trust store, for OS X http://docs.info.apple.com/article.html?path=Mac/10.5/en/11871.html

D - http://www.techrepublic.com/blog/mac/managing-ssl-certificate-authorities-on-os-x/314

score 1 · Answer 2 · answered Jan 28 '15 at 13:23

I had this issue with a Windows Server 2008 R2 Datacenter IIS. The solution to my problem was to:

Open up your server remotely
Start your IIS manager
Under the left Connections panel look for the domain that is giving you the problem with the SSL
After locating and selecting it click on SSL Settings
Under Client certificates choose Ignore
Click Apply Under the Actions section on the right

Done.

score 0 · Answer 3 · edited Mar 20 '17 at 10:16

0

The OP in the Super User question that was linked has solved this:

OK, that does resolve this issue. Safari is the only browser which prompts the certificate selection. It isn't even required in IIS. Strict apple ppl :P but setting SSL client certificates to ignore does resolve it.

Seems like Accept means that it will check it and Ignore that it won't check it.

So I think "ignore" means "accept the certificate" and "accept" means "check the certificate".

edited Mar 20 '17 at 10:16

Community

1

answered Apr 04 '12 at 18:04

Tamara Wijsman

388
2
4
16

Nope. Ignore means ignore. You can set ignore only you if don't need client certificate at all. – x2. Apr 05 '12 at 03:25
@x2: So, the OP said `same problem` twice while it's actually not the same problem? Confusing... – Tamara Wijsman Apr 05 '12 at 07:36

Safari, IIS and optional Client Certificates

3 Answers3