Require SSL certificate

Martin

Hi,

I am hoping to get some advice on the best way to achieve the following.

I have a website and a security certificate, and I install the security
certificate for the site.
From that point on I want to ensure that all visitors to the site are
1. coming over HTTPS
2. have my SSL certificate installed.

I guess that I can examine the server variables collection to ensure that
they are coming over HTTPS; however, I am unsure of how to determine if they
have my SSL certificate installed.

Any help or pointers to articles of interest is appreciated.

cheers

martin.
 
Paul Glavich [MVP ASP.NET]

In your code you can use:-

bool IsUsingSSL;
IsUsingSSL = Request.IsSecureConnection;

This will be true if running under SSL.

Once a web cert is associated with a site, it doesn't need to be installed
onto the clients' machines; it simply needs to descend from a valid
certification authority root cert. The fact you have requested a cert and
installed it via that request associates it with your site. In the browser,
you can click on the padlock and verify it's using your requested
certificate.
 
Joe Kaplan (MVP - ADSI)

Actually, you should only need to give them the root certificate in the
trust chain that issued your certificate and have all the clients install
that in their trusted roots store. This will allow them to trust your
certificate when they receive it via SSL and should allow you to proceed
without any warnings.

Note that this is not the same thing as a client certificate, as you are not
trying to authenticate your clients with this certificate, you just want
them to trust you.

If this is unacceptable to your clients, then you can always get a
commercial cert that chains to a standard publicly trusted root.

Joe K.
 
Joe Kaplan (MVP - ADSI)

So wait, you want to use the same certificate for server authentication AND
client authentication? I suppose you could do that if the certificate has
both of the required key usages. I've just never heard of anyone doing that
before. It will need both client and server authentication.

SSL supports server-only authentication and client + server authentication.
If you want to ensure client authentication, you can't just check
IsSecureConnection property. That is only sufficient to determine if there
is SSL with server authentication.

To get client certificates, you need to change the appropriate IIS security
settings in your SSL config to require client certificates. Then, you will
be able to see the authenticated client certificates via the
Request.ClientCertificate property. You can then examine the certificate to
make sure it is whatever you want it to be.

HTH,

Joe K.
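
The check described in the reply above, written out as an added example (not code posted by anyone in this thread): an ASP.NET HTTP module that rejects a request unless it arrived over SSL and carries a valid client certificate matching an expected one. The class name and the thumbprint comparison are assumptions made for illustration, the thumbprint value is a placeholder, and IIS is assumed to be configured to require client certificates.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical module name; added example, not from the thread.
public class RequireClientCertModule : IHttpModule
{
    // Placeholder: SHA-1 thumbprint (hex, no spaces) of the client
    // certificate you issued. Pinning one thumbprint is an assumption;
    // checking Issuer or Subject instead is equally possible.
    private const string ExpectedThumbprint = "<EXPECTED-CLIENT-CERT-THUMBPRINT>";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!IsAllowed(app.Context.Request))
        {
            app.Context.Response.StatusCode = 403;
            app.CompleteRequest();   // skip the handler, go straight to EndRequest
        }
    }

    private static bool IsAllowed(HttpRequest request)
    {
        // True for any SSL connection: proves server authentication only.
        if (!request.IsSecureConnection) return false;

        // IsPresent stays false unless IIS asked for a client certificate
        // and the browser actually sent one.
        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid) return false;

        // Parse the raw certificate to inspect its validity window and identity.
        X509Certificate2 x509 = new X509Certificate2(cert.Certificate);
        DateTime now = DateTime.Now;   // NotBefore/NotAfter are local time
        if (now < x509.NotBefore || now > x509.NotAfter) return false;

        return string.Equals(x509.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

The module takes effect only once it is registered as an HTTP module in the site's web.config.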
 
