Client Certificates not working with IIS7

Tags: certificate, iis-7, .net, ssl-certificate

I have been trying to get a webservice we are creating to require client certificates
for connections for several weeks and haven't been having much luck. I thought that
I would attempt to make a simple website that requires client certificates to remove
all the additional webservice code from the equation. Even though all the online
tutorials made this look like it would be a much easier process, I've still had no
luck. I'm not sure if I'm missing a setting in IIS or something simply isn't
installed.

The server is Windows Server 2008 Web Edition. My local client box is Windows 7.

I have detailed every step I took to create this test website.

First I had to create my test certificates.
From a Windows 7 SDK 7.1 Command Prompt on my local machine, I ran these commands:

    makecert.exe -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -cy authority MyPersonalCA.cer

    makecert.exe -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2

    pvk2pfx.exe -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po password

After these commands, I had these files:

    MyPersonalCA.cer
    MyPersonalCA.pvk
    JohnDoe.cer
    JohnDoe.pfx
    JohnDoe.pvk

I then imported the following into IE on my local machine (Tools->Internet Options->Content->Certificates->Import):

    JohnDoe.pfx into the "Personal" store (in "Advanced" make sure that "Client Authentication" is selected)
    MyPersonalCA.cer into the "Trusted Root Certification Authorities" store

On the server, I imported the following certs using the MMC Certificates snap-in:

    JohnDoe.cer into [Local Computer\Personal] and [Current User\Personal]
    MyPersonalCA.cer into [Local Computer\Trusted Root Certification Authorities] and
    [Current User\Trusted Root Certification Authorities]

I created a blank VB.NET (VS2008) web application and deployed it to the server.
In IIS, I assigned this application to an application pool running as administrator
to avoid any permissions issues (yes, I'll fix this later).

In IIS, I changed the SSL Settings for the application like this:

    Check "Require SSL"
    Under "Client Certificates", select "Require"

I also assigned 403.7 and 403.5 errors to custom error pages so I could tell which 403 error I was getting.

IE should prompt to select a client certificate when
going to the page. Since newer versions of IE do not prompt if there are no matching
certificates, I found an old box with IE6, and on that box (with the certificates
installed) I do get the Client Certificate dialog box, but no certificates are listed.
IE10 on my developer box never opens a prompt. I just get an immediate 403.7.

Can anybody tell me where I am going wrong here? Does IIS require additional
setup for this to work?

While submitting this question, I stumbled across another post talking about
MakeCTL and netsh. From this I found that if I run:

    netsh http show sslcert

I get a list of settings including this:

    Negotiate Client Certificate : Disabled

Does this need to be turned on? If so, how do I turn this on? The limited
instructions I've managed to find make it sound like I would need to delete
the SSL binding and re-add it. I'm hesitant to play around with this since
the server is in use.

Best Answer

I had a similar error where a self-signed client cert which I had added to the Trusted Root CAs for the local machine was not being accepted. I resolved it by applying the fix described here: https://support.microsoft.com/en-au/kb/2801679

In short, if there are too many certs in your trusted root CAs list then the list of acceptable root certs presented to the caller is truncated. If you are unlucky then the root cert you need is not included and the system will conclude that you don't have any acceptable certs. You can diagnose this issue by looking for warnings in your system event log for your IIS server raised by "Schannel" with event code 36885. The fix is to delete a registry key... more detail is in the above MS link.
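The checks the question and answer describe, gathered into one diagnostic to run in an elevated PowerShell prompt on the IIS server. This is an added example, not code from the question or the answer; it assumes the test CA subject `CN=My Personal CA` from the makecert command above and an HTTPS binding visible to `netsh http show sslcert`.

```powershell
# Added diagnostic (not from the original post). Looks for the three symptoms
# discussed on this page: Schannel event 36885 (trusted issuer list too long),
# the size of the machine Trusted Root store and whether the test CA is in it,
# and the per-binding "Negotiate Client Certificate" setting in HTTP.sys.

# 1. Schannel 36885 warnings in the System log. @() keeps .Count valid on
#    PowerShell 2.0 even when zero or one event comes back.
$schannel = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Id           = 36885
    } -MaxEvents 5 -ErrorAction SilentlyContinue)

if ($schannel.Count -gt 0) {
    Write-Host "Found $($schannel.Count) Schannel 36885 event(s); most recent:"
    Write-Host $schannel[0].Message
} else {
    Write-Host 'No Schannel 36885 events in the System log.'
}

# 2. Size of LocalMachine\Root and presence of the test CA. A very large store
#    is what makes the issuer list sent to the client get truncated.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
Write-Host "Trusted Root CAs in LocalMachine\Root: $($roots.Count)"

$testCa = $roots | Where-Object { $_.Subject -eq 'CN=My Personal CA' }   # assumed subject
if ($testCa) {
    Write-Host "Test CA present, thumbprint $($testCa.Thumbprint)"
} else {
    Write-Host "Test CA 'CN=My Personal CA' is NOT in LocalMachine\Root."
}

# 3. HTTP.sys binding settings: one IP:port line per binding followed by its
#    "Negotiate Client Certificate" state, which the question found Disabled.
netsh http show sslcert |
    Select-String -Pattern 'IP:port', 'Negotiate Client Certificate'
```

Run it before and after applying the KB2801679 change so the 36885 events stopping, and the root count, can be compared directly.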