IIS, SSL with client certs on web farm

iisiis-7.5ssl-certificate

We're building a web service that will be deployed on an IIS 7.5 farm, and secured through SSL, and also requiring client certs that will be mapped to Active Directory accounts.

My understanding is that the server cert needs to be generated for a specific server. If that is the case then we will need a server cert for each server in the farm. Because the farm will be load balanced, how do we generate client certs that will work with any of the servers in the farm?

Best Answer

Once you have the certificate successfully installed on the first server (the signed cert bound to your CSR). You can then just export the entire certificate and then import it into the remaining servers. There are a ton of existing resources online for the details on how to export and import certificates so I'll skip that here. But here is a link to another article on here to get you started if you need:

Can you import a SSL certificate from another Windows IIS

Related Solutions

Ssl – Multiple SSL certs with Stunnel

You need to use TLS SNI to be able to present two different certificates on the same listening port. Be aware that some clients, notably most browsers running under Windows XP, do not support SNI.

See the sni option in the documentation. Split your certificates into different files (the same private key is used for both public certificates):

[https]
cert = /etc/ssl/domain.com.pem
accept  = 443
connect = 80

[domain]
sni = https:domain.com
sni = https:www.domain.com
cert = /etc/ssl/domain.com.pem
connect = 80

[manager]
sni = https:manager.domain.com
cert = /etc/ssl/manager.domain.com.pem
connect = 80

Windows – IIS no longer trusts any CAs for client authentication

I've faced the same problem, I finally figured out the site was working correctly, but was tricked by the openssl message (which is just negotiation)

The correct steps are:

Set IIS SSL bindings up correctly
netsh http show sslcert and copy the values
Overwrite server SSL certificate binding with netsh http update sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable (or netsh http delete followed with the netsh http add)
Verified that settings were applied with netsh http show sslcert
(Windows 2012 R2 only) Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList to 1

The clientcertnegiotiation is needed to show the list to browsers/openssl, with it disabled a well configured client can still send the correct certificate.

Best Answer

Related Solutions

Ssl – Multiple SSL certs with Stunnel

Windows – IIS no longer trusts any CAs for client authentication

Related Topic