Client Side Certificate

A.M

Hi,

Regarding Microsoft Knowledge Base Article 315588: we have 60 clients for
our ASP.NET application.
Do we need to buy an SSL key from Verisign.com for each client to have a
client-side certificate?

Thanks,
Allan
 
A.M

Thanks for help.

Those 60 clients are our employees, so we define who they trust! They are
mobile users and they use the internet to connect to the office.

Do we need to open that certificate server to public internet?

Allan

One option is to set up your own Certificate Server and issue your own
certificates. This is an install option in Windows 2000 Server and
later. (Perhaps in earlier OSs, but this is what I'm running.) This is viable
if the 60 clients have reason to "trust" your organization as a root
certificate authority. You can also issue your own server certificate as
well. This works well if trust is established with your clients. This
whole scheme depends upon the degree of trust in the certificate authority;
if you don't trust the CA, don't install their certificates!
 
EagleRed

In the scenario you describe you would not expose your certificate server to the public internet. This would be done only if you are going to service certificate requests from the general public, like Verisign and others do. Read the Windows documentation on setting up a certificate server. The basics aren't difficult; the details can get messy with things like custom policies. You can issue your own certs and have the employees install them in their personal certificate stores.
 
WJ

A.M said:
Thanks for help.

Those 60 clients are our employees, so we define who they trust! They are
mobile users and they use the internet to connect to the office.

I would not use client certificates in this case. Since there are only 60
employees, why not use Integrated Windows Authentication in IIS? This
method also allows your 60 clients to log on to your ASP.NET site from
anywhere using any device; all they need is their logon ID & password. The
certificate method only allows you to work on the device where the
certificate was installed originally. In short, certificates are good for
signing documents; this is where they are most used.

John
 
Paul Glavich [MVP - ASP.NET]

Note that while in theory all these answers are correct, setting up your own
CA and issuing your own client certs does have its quirks. Firstly, you need
to make sure that the "Certificate Revocation List" (CRL) is installed on
the web server that you are using your client certs against. Failure to do
this will mean that the server cannot access the CRL via the internet (I am
assuming it's not internet visible) and so will not be able to check the CRL to
see if the client cert has been revoked. In this scenario, it assumes all
certs are invalid and rejects everything. We spent some time just figuring
this little trick out. Also, make sure you set up a certificate trust list
so that the server "trusts" your self-signed CA certs and therefore also
accepts client certs from your CA.

Finally, if running Win2k, make sure any hotfixes have *all* dependent fixes
installed, or that the Win2k box is up to SP3 or above. In one instance, our
server team had installed a series of patches, except one, and this omission
also caused the server to reject all client certs. Yet more weeks of time
debugging this.

I guess what I am trying to say is that in each case, the same error (client
certificate revoked) was shown even though the problem resolution was
different. It can be a lot trickier than you realise, but certainly possible
to get going.
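The CRL and trust-list problems Paul describes all surface as the same "certificate revoked" error, so here is an added diagnostic (not from the thread or any poster) to run on the web server: it builds the client cert's chain with an online revocation check, the way the server does, and reports which condition actually failed. It assumes the client cert has been exported to a .cer file (the path is a placeholder) and that the script runs on the IIS host, so the CRL fetch is attempted from the server's own network position.

```powershell
# Added example, not part of the thread. Assumes a client cert exported to a
# .cer file (placeholder path below) and that this runs on the IIS host.
$ns = 'System.Security.Cryptography.X509Certificates'

function Test-ClientCertChain {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch the CRL as the server must
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check the issuing CA cert too
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    # Where the cert says its CRL lives (CRL Distribution Points, OID 2.5.29.31),
    # so the admin can confirm that *this* server can reach that location.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { "CRL distribution point(s):"; $cdp | ForEach-Object { $_.Format($true) } }
    else      { "No CRL distribution point in cert; online revocation check is impossible." }

    if ($chain.Build($cert)) {
        return "Chain OK: '$($cert.Subject)' is trusted and not revoked."
    }

    # One line per failed condition, mapped to the causes discussed in the thread.
    foreach ($s in $chain.ChainStatus) {
        $hint = switch -Wildcard ($s.Status.ToString()) {
            '*RevocationStatusUnknown*' { 'CRL not retrievable: publish the CA CRL locally or make the CDP reachable from this server' }
            '*OfflineRevocation*'       { 'CRL not retrievable: publish the CA CRL locally or make the CDP reachable from this server' }
            '*Revoked*'                 { 'certificate really is listed on the CRL' }
            '*UntrustedRoot*'           { 'issuing CA is not in the Trusted Root store / certificate trust list on this server' }
            '*NotTimeValid*'            { 'certificate or an issuer cert is expired or not yet valid' }
            default                     { 'see StatusInformation' }
        }
        "{0}: {1} -> {2}" -f $s.Status, $s.StatusInformation.Trim(), $hint
    }
}

Test-ClientCertChain -CertPath 'C:\temp\client.cer'   # placeholder path
```

Run it once with the CRL published on the server and once without, and the difference between "RevocationStatusUnknown" and "Revoked" makes Paul's point visible.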
 
Steven Cheng[MSFT]

Hi Allan,

I'm viewing this thread and found that many other community members are
discussing with you in another thread named
"RE: Client Side Certificate" in this newsgroup.
If you feel it convenient that we continue to focus on that one, please
feel free to post there. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 