Client Side Certificate

Discussion in 'ASP .Net Security' started by A.M, Apr 30, 2004.

  1. A.M

    A.M Guest

    Hi,

Regarding Microsoft Knowledge Base Article 315588: we have 60 clients for
our ASP.NET application.
Do we need to buy an SSL key from Verisign.com for each client to have a
client-side certificate?

    Thanks,
    Allan
     
    A.M, Apr 30, 2004
    #1

  2. A.M

    A.M Guest

    Thanks for help.

Those 60 clients are our employees, so we define who they trust! They are
mobile users and they use the internet to connect to the office.

Do we need to open that certificate server to the public internet?

    Allan




"" <> wrote in message news:...
> One option is to set up your own Certificate Server and issue your own
> certificates. This is an install option in Windows 2000 Server and
> later. (Perhaps in earlier OSs but this is what I'm running.) This is viable
> if the 60 clients have reason to "trust" your organization as a root
> certificate authority. You can also issue your own server certificate as
> well. This works well if trust is established with your clients. This
> whole scheme depends upon the degree of trust in the certificate authority;
> if you don't trust the CA, don't install their certificates!
>
> Eagle
     
    A.M, Apr 30, 2004
    #2

  3. A.M

    Guest

In the scenario you describe you would not expose your certificate server to the public internet. This would be done only if you are going to service certificate requests from the general public, like Verisign and others do. Read the Windows documentation on setting up a certificate server. The basics aren't difficult; the details can get messy with things like custom policies. You can issue your own certs and have the employees install them in their personal certificate stores.
     
    , Apr 30, 2004
    #3
  4. A.M

    Guest

    Check the "testing SSL" thread below.
     
    , Apr 30, 2004
    #4
  5. A.M

    WJ Guest

"A.M" <> wrote in message news:...
> Thanks for help.
>
> Those 60 clients are our employees, so we define who they trust! They are
> mobile users and they use the internet to connect to the office.


I would not use client certificates in this case. Since there are only 60
employees, why not use Integrated Windows Authentication in IIS? This
method also allows your 60 clients to log on to your ASP.NET site from
anywhere using any device; all they need is their logon ID & password. The
certificate method only allows you to work on the device where the
certificate was installed originally. In short, certificates are good for
signing documents; this is where they are most used.

    John
     
    WJ, May 2, 2004
    #5
6. Note that while in theory all these answers are correct, setting up your own
    CA and issuing your own client certs does have its quirks. Firstly, you need
    to make sure that the Certificate Revocation List (CRL) is installed on
    the web server that you are using your client certs against. Failure to do
    this will mean that the server cannot access the CRL via the internet (I am
    assuming it's not internet visible) and so will not be able to check the CRL to
    see if the client cert has been revoked. In this scenario, it assumes all
    certs are invalid and rejects everything. We spent some time just figuring
    this little trick out. Also, make sure you set up a certificate trust list
    so that the server "trusts" your self-signed CA certs and therefore also
    accepts client certs from your CA.

    Finally, if running Win2k, make sure any hotfixes have *all* dependent fixes
    installed, or that the Win2k box is up to SP3 or above. In one instance, our
    server team had installed a series of patches, except one, and this omission
    also caused the server to reject all client certs. Yet more weeks of time
    debugging this.

    I guess what I am trying to say is that in each case, the same error (client
    certificate revoked) was shown even though the problem resolution was
    different. It can be a lot trickier than you realise, but certainly possible
    to get going.

    --
    - Paul Glavich
    Microsoft MVP - ASP.NET


"A.M" <> wrote in message news:...
> Thanks for help.
>
> Those 60 clients are our employees, so we define who they trust! They are
> mobile users and they use the internet to connect to the office.
>
> Do we need to open that certificate server to the public internet?
>
> Allan
>
>
>
>
> "" <> wrote in message news:...
> > One option is to set up your own Certificate Server and issue your own
> > certificates. This is an install option in Windows 2000 Server and
> > later. (Perhaps in earlier OSs but this is what I'm running.) This is viable
> > if the 60 clients have reason to "trust" your organization as a root
> > certificate authority. You can also issue your own server certificate as
> > well. This works well if trust is established with your clients. This
> > whole scheme depends upon the degree of trust in the certificate authority;
> > if you don't trust the CA, don't install their certificates!
> >
> > Eagle
>
>
     
    Paul Glavich [MVP - ASP.NET], May 2, 2004
    #6
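The post above makes the point that several different problems (an unreachable CRL, an untrusted private CA, a genuinely revoked cert) all surfaced on the server as the same "certificate revoked" error. The PowerShell below is an added example written for this page, not code from any poster or from Microsoft: it runs the .NET chain engine on a client certificate with revocation checking switched on and reports which of those conditions actually applies, so an administrator can check the server side before wiring the cert into IIS. It assumes PowerShell with the .NET Framework on the web server; the file names `client.cer` and `ourca.cer` are placeholders for the client's exported certificate and the private CA's certificate.

```powershell
# Added example: validate a client certificate chain and explain chain failures.
# Not from the original thread. Assumes .NET's X509Chain is available (Windows PowerShell).
function Test-ClientCertificateChain {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,   # placeholder path, e.g. .\client.cer
        [string] $CaCertPath                                 # placeholder path, e.g. .\ourca.cer (optional)
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Check revocation for every certificate in the chain, fetching CRLs if necessary,
    # and give up after 15 seconds instead of hanging on an unreachable CRL location.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Require the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) on the leaf certificate.
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null

    if ($CaCertPath) {
        # Let the chain engine see the private CA without installing it into a store.
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
        $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    }

    $valid = $chain.Build($cert)

    # Collapse all reported status flags into one bitmask so each cause can be tested.
    $flags = 0
    foreach ($s in $chain.ChainStatus) { $flags = $flags -bor [int]$s.Status }
    $F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    $advice = @()
    if ($flags -band [int]$F::Revoked) {
        $advice += 'Certificate is listed on the issuing CA''s CRL: it really has been revoked.'
    }
    if ($flags -band ([int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation)) {
        $advice += 'CRL could not be obtained or verified: publish the CRL at the CDP URL the server can reach, or install it locally.'
    }
    if ($flags -band ([int]$F::UntrustedRoot -bor [int]$F::PartialChain)) {
        $advice += 'Issuing CA is not trusted on this server: add the CA certificate to the Trusted Root store / certificate trust list.'
    }
    if ($flags -band [int]$F::NotTimeValid) {
        $advice += 'Certificate is expired or not yet valid: check clocks and validity dates.'
    }
    if ($flags -band [int]$F::NotValidForUsage) {
        $advice += 'Certificate lacks the Client Authentication EKU: reissue from a client-auth template.'
    }

    # Show where the server will try to fetch the CRL from (CRL Distribution Points, OID 2.5.29.31).
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | ForEach-Object { $_.Format($true) }

    $result = [PSCustomObject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        ChainValid    = $valid
        StatusFlags   = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        CrlLocations  = ($cdp -join "`n").Trim()
        Advice        = $advice -join ' '
    }
    $chain.Reset()
    return $result
}

# Usage (placeholder file names):
# Test-ClientCertificateChain -CertPath .\client.cer -CaCertPath .\ourca.cer | Format-List
```

Running this on the web server itself, rather than on an administrator's workstation, is the point: the CRL Distribution Point URL embedded in the cert has to be reachable from the server, and the private CA has to be trusted there, which is exactly what the post's two "revoked" failures came down to. A result with `RevocationStatusUnknown` or `OfflineRevocation` means the CRL is the problem, not the client certificate.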
  7. Hi Allan,

    I'm viewing this thread and found that many other community members are
    discussing with you in another thread named
    "RE: Client Side Certificate" in this newsgroup.
    If you feel it convenient that we continue to focus on that one, please
    feel free to post there. Thanks.

    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], May 3, 2004
    #7
