SSL Cert authentication: Need to install client cert? Or can I just upload the cert?

  • Thread starter David Chan via .NET 247

David Chan via .NET 247

Is it necessary to install the client certificate to the "cert repository" and have the private key "buried" deep inside the Local Machine store?

Or, is it common for commercial sites and governmental e-services etc. to require users to present their certificate by browsing to their cert only at the time they "log on" to the site? Actually this is what I'm trying to achieve.

I've read many articles like MSDN etc. and succeeded in having the user access the site via HTTPS. The site's virtual path is set to require the user to present their cert. The site has a "server certificate" which is issued by a Windows 2003 server with Certificate Services installed. The server's config is perfectly OK; however, awkward stuff, at least to me, has to be done on the client part.

For the client certs, they are issued via http://Foo_CAServer/certsrv. However, they can access the website only if they specify the client certs as "to be installed in the local machine store". The client cert has to be exported as a pfx file, which if I've not been mistaken contains both the public and private key. This is necessary because if the cert is exported or downloaded in a format such as a base64 X.509 .CER file, the user will not be able to use this cert to access the page, with Schannel complaining that the client cert doesn't have a private key.

And the client cert has to be installed in the local machine store first, and then the cert has to be exported _again_ and reinstalled to CU. The reason for doing this is that the page cannot locate the client cert in the LM store (or is there a way to do so?). This is what I regard as something weird.

However, is it possible that I can allow the user to get his newly issued cert (with private key) saved in a physical location like on the hard disk, and when accessing the site he only needs to upload the cert file to the site instead of having the cert installed permanently in the cert repository?

Also, if the "upload" thing is possible, in what format should the cert be? I don't think it should be a .CER file because it does not contain the private key, which I tried before. Then should it be a .pfx file? Is it standard practice that web sites usually require users to present a cert file which contains both public and private keys, i.e. a .pfx file? Or I might have a wrong understanding of how client certs should be issued; if so please correct me.

Also, how should the cert upload be implemented? I'm using ASP.NET, and derived from the message above I guess the code should be like this:

// We are in the upload cert page, let's say
// the cert file is already uploaded to path strFile
HttpWebRequest hr = Request;
hr.ClientCertificates.Add(
X509Certificate.CreateFromCertFile(strFile));
string sURLThatNeedsCert = "...";
response.Redirect(sURLThatNeedsCert);

I'm pretty uncertain if I am on the right track, or if the code is totally nuts...
Sorry for the long post but hope that someone will help out. Thanks in advance!
 

Dominick Baier [DevelopMentor]

Hello David Chan via .NET 247,

The cert has to be available via CryptoAPI - and IE will present you
with a dialog from where you can choose the right one.

This could be the cert store on the harddrive or a smartcard/token.
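To illustrate the reply above: with client-certificate authentication the private key never leaves the client (the browser proves possession of it during the Schannel/TLS handshake), so nothing is uploaded and the ASP.NET page only ever sees the public certificate. This is an added example, not code from either poster; it assumes an ASP.NET Web Forms page behind an IIS path that requires client certificates, and the issuer DN `CN=Foo_CAServer-CA` is a placeholder for the enterprise CA.

```csharp
// Added example: consuming the client certificate IIS negotiated for this request.
// Assumes IIS is set to "Require client certificates" on this virtual path.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;

public partial class SecurePage : Page
{
    // Placeholder issuer DN; replace with the real enterprise CA's subject.
    private const string ExpectedIssuer = "CN=Foo_CAServer-CA";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Schannel has already checked that the client signed the handshake with
        // the private key matching this certificate. No .pfx upload is involved.
        HttpClientCertificate presented = Request.ClientCertificate;
        if (!presented.IsPresent)
        {
            Deny("No client certificate was presented.");
            return;
        }

        // Only the public certificate (DER bytes) reaches the application;
        // cert.HasPrivateKey is false here because the key stayed on the client.
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);

        // Re-validate the chain in the application rather than trusting
        // presented.IsValid alone, and insist on revocation checking.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        bool chainOk = chain.Build(cert);

        // Pin to the CA that issues the site's client certs so a certificate
        // from any other trusted root cannot be used to log on.
        bool issuerOk = string.Equals(cert.Issuer, ExpectedIssuer, StringComparison.Ordinal);

        if (!chainOk || !issuerOk)
        {
            Deny("Client certificate failed chain or issuer validation.");
            return;
        }

        // Map the user by thumbprint (or serial + issuer), a CA-bound value,
        // rather than by a free-text subject field. Application lookup goes here.
        string userKey = cert.Thumbprint;
        Response.Write("Authenticated certificate thumbprint: " + userKey);
    }

    private void Deny(string reason)
    {
        Response.StatusCode = 403;
        Response.Write(reason);
        Response.End();
    }
}
```

The redirect-with-`ClientCertificates.Add` idea from the question does not apply server-side: `HttpWebRequest.ClientCertificates` is for a client making an outbound call, while an incoming request exposes only `Request.ClientCertificate`.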
 
