Require only specific client certificates in IIS

3

1

I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.

I've set the SSL Settings to Require SSL and require client certificates. Looks good so far. Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:

When the server prompts for a certificate, the request includes a list of the certification authorities that the server trusts. The client then compares this list to the list of certification authorities that the client trusts and creates a list of the ones that match. Then, the client compares that list to the client certificates it has and determines which, if any, certificates have been issued by certification authorities that both the client and the server trust.

Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.

What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?

Jeremy

Posted 2014-01-14T18:09:49.690

Reputation: 368

@Jeremy did you ever find a solution to this problem? – ahsteele – 2017-01-24T20:31:52.503

@ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :) – Jeremy – 2017-01-24T21:26:43.597

@Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust. – ahsteele – 2017-01-24T22:13:19.320

@ahsteele - in our case it's actually software that makes the request, not a user browsing, so the software is configured for a specific certificate. So the user doesn't have to pick a certificate and be presented with that choice. – Jeremy – 2017-01-25T17:23:46.493

@ahsteele - in a WCF service you can write a custom certificate validator. See https://msdn.microsoft.com/en-us/library/ms733806(v=vs.110).aspx and https://msdn.microsoft.com/en-us/library/aa354512(v=vs.110).aspx – Jeremy – 2017-01-25T17:26:25.273

The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates. – Brian – 2014-01-14T19:02:29.630

@Brian - I don't understand. We're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate? – Jeremy – 2014-01-15T20:55:23.673

Answers

0

This post assumes that you have successfully set up a web site that requires a client certificate that the server trusts.

See this post for creating and allowing client certificates in IIS and IIS Express if you do not have that already: https://stackoverflow.com/a/57311258/3850405

For this to work some say that IIS Client Certificate Mapping Authentication needs to be enabled, but I have tried this on a Windows Server 2012 R2 Datacenter and it worked anyway. However, I think it is good to add and it is the recommended approach, so add it via Add Roles and Features or Turn Windows features on or off depending on your OS.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/onetoonemappings/

Start by navigating to your site in IIS Manager and click on Configuration Editor.

From there navigate to Section system.webServer/security/authentication/iisClientCertificateMappingAuthentication or simply paste the string in the Section field.

Set enabled to True and then add a oneToOneMappings entry.


To get value for certificate property start mmc.exe and export your client certificate. Mine is located at Personal certificates for Local Computer.

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

Certificates (Local Computer) -> Personal -> Certificates -> Right click on your client certificate -> All tasks -> Export...

When the Certificate Export Wizard opens:

  • Click Next.
  • Choose No, do not export the private key, then click Next.
  • Choose Base-64 encoded X.509 (.CER) for the export format, then click Next.
  • Choose to save the certificate to your desktop as
    MyCertificate.cer, then click Next.
  • Click Finish; you should see a dialog box that says the export was successful.

Open the MyCertificate.cer file that you exported using Windows Notepad:

  • Remove "-----BEGIN CERTIFICATE-----" from the start of the text.
  • Remove "-----END CERTIFICATE-----" from the end of the text.
  • Concatenate all the lines into a single line of text. This is the data you need.

I usually use Notepad++ and remove all \r\n since I think this is faster.

How do I remove linebreaks in Notepad++?

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/onetoonemappings/

The last step is to add a local userName and password for a user on that computer/server. In the end it should look something like this.


Save the values and then your web site will require a specific client certificate.

Ogglas

Posted 2014-01-14T18:09:49.690

Reputation: 920
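The same export, strip and mapping steps as an added PowerShell script (example code, not from the answer above). It assumes an elevated session on the IIS server with the WebAdministration module, a client certificate in the Local Computer Personal store identified by a placeholder thumbprint, a site named "Default Web Site", and an existing local account to map the certificate to.

```powershell
# Added example: automate one-to-one client certificate mapping in IIS.
# Assumed values (placeholders): thumbprint, site name and mapped local account.
Import-Module WebAdministration

$Thumbprint = 'REPLACE-WITH-CLIENT-CERT-THUMBPRINT'
$SiteName   = 'Default Web Site'
$MapUser    = 'CertMappedUser'   # local account the certificate authenticates as
$MapPass    = Read-Host -AsSecureString 'Password for the mapped local account'

# 1. Public part only, same as "No, do not export the private key" in the wizard.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# 2. Base64 of the DER bytes with no line breaks: exactly what the manual steps
#    produce (Base-64 .CER minus BEGIN/END lines, all lines joined).
$certValue = [Convert]::ToBase64String($der)

# Equivalent helper for a .cer file already exported from mmc.exe.
function ConvertFrom-PemFile([string]$Path) {
    $lines = Get-Content $Path |
        Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----\s*$' } |
        ForEach-Object { $_.Trim() }
    return ($lines -join '')
}

# 3. Enable the feature and add the mapping. Commit to applicationHost.config at the
#    site location, which is what Configuration Editor does; the section is locked
#    for web.config by default. IIS stores the password attribute encrypted.
$Filter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$Plain  = [System.Net.NetworkCredential]::new('', $MapPass).Password

Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $Filter -Name 'enabled' -Value $true
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$Filter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = 'true'; userName = $MapUser; password = $Plain; certificate = $certValue }

# 4. Keep SSL and a client certificate required so only mapped certificates get in;
#    a certificate from any other CA, even a trusted one, has no mapping and is rejected.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Check: list the mappings now in effect for the site.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$Filter/oneToOneMappings/add" | Select-Object userName, certificate
```

To allow more than one certificate, repeat the Add-WebConfigurationProperty call with each certificate's base64 value; a certificate that is merely trusted but not listed is still refused.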

-1

I believe this link provides the solution you are looking for, and it appears to be quite detailed. I am going to try it in the next couple of days and will report back my findings.

https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/

Carlos Guevara

Posted 2014-01-14T18:09:49.690

Reputation: 1

Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

– bertieb – 2019-01-05T15:53:23.210