SSL Cert authentication: Need to install client cert? Or can I just upload the cert?

Discussion in 'ASP .Net Security' started by David Chan via .NET 247, Jun 2, 2005.

  1. Is it necessary to install the client certificate to the "cert repository" and have the private key "buried" deep inside the LocalMachine store?

    Or, is it common for commercial sites and governmental e-services etc. to require users to present their certificate by browsing to their cert only at the time they "log on" to the site? Actually this is what I'm trying to achieve.

    I've read many articles like MSDN etc. and succeeded in having the user access the site via HTTPS. The site's virtual path is set to require the user to present their cert. The site has a "server certificate" which is issued by a Windows 2003 server with Certificate Services installed. The server's config is perfectly ok, however awkward stuff, at least to me, has to be done on the client part.

    For the client certs, they are issued via http://Foo_CAServer/certsrv. However, they can access the web site only if they specify the client certs as "to be installed in the local machine store". The client cert has to be exported as a pfx file, which if I've not been mistaken contains both the public and private key. This is necessary because if the cert is exported or downloaded in another format, for example as a base64 X.509 .CER file, the user will not be able to use this cert to access the page, with Schannel complaining that the client cert doesn't have a private key.

    And the client cert has to be installed in the local machine store first, and then exported _again_ and reinstalled to CU. The reason for doing this is that the page cannot locate the client cert in the LM store (or is there a way to do so?). This is what I regard as something weird.

    However, is it possible that I can allow the user to get his newly issued cert (with private key) saved in a physical location like the harddisk, and when accessing the site he only needs to upload the cert file to the site instead of having the cert installed permanently in the cert repository?

    Also, if the "upload" thing is possible, in what format should the cert be? I don't think it should be a .CER file because it does not contain the private key, which I tried before. Then should it be a .pfx file? Is it standard practice that web sites usually require users to present a cert file which contains both public and private keys, i.e. a .pfx file? Or I might have a wrong understanding of how client certs should be issued; if so please correct me.

    Also, how should the cert upload be implemented? I'm using ASP.NET, and derived from the message above I guess the code should be like this:

    // We are in the upload cert page, let's say
    // the cert file is already uploaded to path strFile
    HttpWebRequest hr = Request;
    hr.ClientCertificates.Add(
        X509Certificate.CreateFromCertFile(strFile));
    string sURLThatNeedsCert = "...";
    Response.Redirect(sURLThatNeedsCert);

    I'm pretty uncertain if I am on the right track, or if the codeis totally nuts...
    Sorry for the long post but hope that someone will help out.Thanks in advance!

    --------------------------------
    From: David Chan

    -----------------------
    Posted by a user from .NET 247 (http://www.dotnet247.com/)

    David Chan via .NET 247, Jun 2, 2005

  2. Hello David Chan via .NET 247,

    the cert has to be available via cryptoAPI - and the IE will present you
    with a dialog from where you can choose the right one.

    This could be the cert store on the harddrive or a smartcard/token.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jun 2, 2005
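As an added illustration of the reply above (example code written for this page, not code from either poster): when IIS is set to require client certificates, the browser selects a cert from the CryptoAPI store or a smart card during the TLS handshake, and the ASP.NET page simply reads the presented certificate from Request.ClientCertificate. No .pfx is uploaded and the private key never reaches the server. The issuing-CA thumbprint below is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example: server-side validation of a TLS client certificate
// in classic ASP.NET (System.Web). Assumes IIS "Require client
// certificates" is enabled on the virtual path, as in the original post.
public static class ClientCertAuth
{
    // PLACEHOLDER: SHA-1 thumbprint of the site's own issuing CA
    // (the Windows 2003 Certificate Services CA from the post).
    private const string TrustedRootThumbprint =
        "0000000000000000000000000000000000000000";

    // OID id-kp-clientAuth: the cert must be intended for TLS client use.
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    // Returns the authenticated subject name, or null if no acceptable
    // certificate was presented. Callers deny access on null.
    public static string Authenticate(HttpRequest request)
    {
        HttpClientCertificate presented = request.ClientCertificate;
        if (!presented.IsPresent || !presented.IsValid)
            return null;

        // IIS hands us the DER-encoded public certificate only.
        var cert = new X509Certificate2(presented.Certificate);

        // Build the chain ourselves instead of relying on IsValid alone:
        // check revocation and require the clientAuth purpose.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));
        if (!chain.Build(cert))
            return null;

        // Pin to our own CA so a cert from any other trusted root is rejected.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return null;

        return cert.GetNameInfo(X509NameType.SimpleName, false);
    }
}
```

In a page or HttpModule, call `ClientCertAuth.Authenticate(Request)` and treat a null result as unauthenticated; the user-facing side needs only the cert installed in the CurrentUser store (or on a token) so that Schannel can use its private key.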
