Require SSL certificate

Discussion in 'ASP .Net Security' started by Martin, May 2, 2005.

  1. Martin

    Martin Guest

    Hi,

    I am hoping to get some advice on the best way to achieve the following.

    I have a website and a security certificate; I install the security
    certificate for the site.
    From that point on I want to ensure that all visitors to the site are
    1. coming over HTTPS
    2. have my SSL certificate installed.

    I guess that I can examine the server variables collection to ensure that
    they are coming over HTTPS; however, I am unsure of how to determine if they
    have my SSL certificate installed.

    Any help or pointers to articles of interest is appreciated.

    cheers

    martin.
     
    Martin, May 2, 2005
    #1

  2. In your code you can use:-

    bool IsUsingSSL;
    IsUsingSSL = Request.IsSecureConnection;

    This will be true if running under SSL.

    Once a web cert is associated with a site, it doesn't need to be installed
    onto the clients' machines; it simply needs to descend from a valid
    certification authority root cert. The fact you have requested a cert and
    installed it via that request associates it with your site. In the browser,
    you can click on the padlock and verify it's using your requested
    certificate.


    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider (www.aspinsiders.com)


     
    Paul Glavich [MVP ASP.NET], May 2, 2005
    #2

  3. Actually, you should only need to give them the root certificate in the
    trust chain that issued your certificate and have all the clients install
    that in their trusted roots store. This will allow them to trust your
    certificate when they receive it via SSL and should allow you to proceed
    without any warnings.

    Note that this is not the same thing as a client certificate, as you are not
    trying to authenticate your clients with this certificate, you just want
    them to trust you.

    If this is unacceptable to your clients, then you can always get a
    commercial cert that chains to a standard publicly trusted root.

    Joe K.

    "Martin" <> wrote in message
    news:...
    > Thanks for that.
    >
    > The security certificate I have was issued by the organization that I work
    > for.
    > We are only planning to distribute it to customers that we want to go to
    > our secure site, so the way I see it we will physically have to give the
    > certificate to the client and have them install it in their browser
    > certificate store.
    >
    >
    > cheers
    >
    > martin.
     
    Joe Kaplan (MVP - ADSI), May 2, 2005
    #3
  4. So wait, you want to use the same certificate for server authentication AND
    client authentication? I suppose you could do that if the certificate has
    both of the required key usages. I've just never heard of anyone doing that
    before. It will need both client and server authentication.

    SSL supports server-only authentication and client + server authentication.
    If you want to ensure client authentication, you can't just check the
    IsSecureConnection property. That is only sufficient to determine if there
    is SSL with server authentication.

    To get client certificates, you need to change the appropriate IIS security
    settings in your SSL config to require client certificates. Then, you will
    be able to see the authenticated client certificates via the
    Request.ClientCertificate property. You can then examine the certificate to
    make sure it is whatever you want it to be.

    HTH,

    Joe K.

    "Martin" <> wrote in message
    news:...
    > Hi joe,
    >
    >> Note that this is not the same thing as a client certificate, as you are
    >> not trying to authenticate your clients with this certificate, you just
    >> want them to trust you.

    >
    > So is it possible to authenticate my client with this certificate by using
    > the method that Paul suggested?
    >
    > bool IsUsingSSL;
    > IsUsingSSL = Request.IsSecureConnection;
    >
    > I am using the certificate for two reasons.
    > 1. to ensure that all communication is secure and done over HTTPS.
    > 2. to actually authenticate the client. I don't want people using this site
    > who have not been issued with this certificate.
    >
    > maybe I should be using another method.
    > I don't actually want to buy a commercial certificate, I am going to have
    > my company issue it and then distribute it to my clients.
    >
    > is this a feasible solution that will meet the needs of 1 and 2 above or
    > do I have to rethink my solution.
    >
    > many thanks in advance.
    >
    > martin.
     
    Joe Kaplan (MVP - ADSI), May 3, 2005
    #4
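
The server-side check described in the last reply, as an added example that is not code from the thread: it separates "the request came over SSL" from "the client presented a certificate issued by our CA". The class name `ClientCertGate`, the thumbprint placeholder and the choice to pin the root and require the client-authentication usage are assumptions; it also assumes IIS is set to require client certificates and that the company root is in the server's trusted roots store.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical helper (not from the thread). Call it early in the request,
// e.g. from Application_AuthenticateRequest, and return 403 when it is false.
public static class ClientCertGate
{
    // Placeholder: thumbprint of the company root CA that issues client certs.
    private const string ExpectedRootThumbprint = "<COMPANY-ROOT-CA-THUMBPRINT>";

    // Enhanced key usage OID for TLS client authentication (id-kp-clientAuth).
    private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2";

    public static bool IsAuthorized(HttpRequest request)
    {
        // Step 1: transport only. True here proves SSL with server
        // authentication, nothing about who the client is.
        if (!request.IsSecureConnection)
            return false;

        // Step 2: a client certificate is only present when IIS is
        // configured to accept or require client certificates.
        HttpClientCertificate presented = request.ClientCertificate;
        if (!presented.IsPresent || !presented.IsValid)
            return false;

        // Step 3: rebuild the chain ourselves, require the client-auth
        // usage, and pin the root so that a certificate from some other
        // trusted CA on the server does not pass.
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEku));

        // Build fails if the chain is expired, revoked, lacks the usage,
        // or does not end in a root trusted by this server.
        if (!chain.Build(cert))
            return false;

        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, ExpectedRootThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Issuing each customer their own client certificate from that CA, rather than handing everyone the same one, lets the application tell clients apart by `Subject` and revoke one without affecting the rest.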