Ssl – IIS7.5 – Personal SSL certificates for multiple users

Tags: iis-7.5, ssl, ssl-certificate, windows-server-2008-r2

I want to get a security model implemented, but I'm not sure what terminology IIS/SSL uses in order to do that. Nor do I know how to make it happen in IIS 7.5.

The process I want to have

  • Administrator users (multiple) of a website create a personal certificate (.p12/.pfx/something)
  • Server operator installs one side of this certificate to IIS (for each admin)
  • Administrator imports the other side of certificate to their browser
  • Administrator then authenticates to their administration area of the website, using the SSL as a passport to be able to get anywhere near the admin login area

How would I go about implementing the model above? I pretty much require step-by-step instructions for the certificate generation and IIS configuration. I'm unsure if I require some sort of Windows-based authentication on top of the website authentication and some sort of mapping of the certificates back to the Windows user.

I'm guessing I'll need dedicated Windows users for each administrator, with synced certificates. Note this is Win2k8 R2 + IIS 7.5, not Exchange or domain-driven stuff, just a plain server without all the AD crap.

Best Answer

You have two separate issues.

  1. Design a way of generating and maintaining your certificates. Typically, that means installing a CA and using it for signing user-generated certificates. It's a rather complex topic, but you might want to start by installing and understanding the "Certificate Authority" role in Windows. Do NOT install that on the same machine as your web server, though.
  2. Implementing a Client certificate authentication rule in IIS 7.5. That's actually not too complex to do.

Here are the details on how to set up client certificate authentication in IIS 7.5:

  • In the Role Manager, install the IIS role service called "IIS Client Certificate Mapping Authentication".
  • Open the IIS manager and select the site or folder you want to secure.
  • Open the "configuration editor" and browse to the "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" section.
  • Set "enabled" to "true".

Now, you have different options (both can be enabled at the same time): many-to-one and one-to-one mapping. See this documentation on how to set it up, but basically: you create a base64-encoded version of each certificate you want to accept, open it in a text editor, remove the "begin certificate" and "end certificate" lines, remove all line breaks from it, and then create a mapping entry in the configuration editor with the Windows username and password to use for that cert logon, using the string you just created in the "certificate" field.

Using many-to-one mapping is a bit more complex because you have to specify which field of the client certificate will be used for verifying a client certificate (instead of using the whole certificate), but it can be easier to maintain if you have many users (since you won't need to install every individual certificate on the web server).

Also, know that all certificates you use NEED to be valid on the server: you'll need to install them in the server system's certificate store (not your user's, the system's), either in the "Trusted People" section (for self-signed and user certificates), in the "Trusted Root CA" section (for certificate roots) or in the "Intermediate Certificate Authority" section (for ICAs).
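The same one-to-one mapping procedure scripted in PowerShell, as an added example that is not part of the original answer. It assumes a site named "Default Web Site" with an admin folder "admin", a local Windows account "webadmin1" and the administrator's exported public certificate at C:\certs\alice.cer; run it in an elevated PowerShell on the IIS 7.5 host.

```powershell
# Added example (not from the original answer). Assumed values below: site name, admin
# folder, local account and certificate path. WebAdministration ships with IIS 7.5.
Import-Module WebAdministration

$site     = 'Default Web Site'      # assumed site name
$adminApp = 'admin'                 # assumed folder holding the admin area
$certPath = 'C:\certs\alice.cer'    # assumed: the PUBLIC half (.cer) the admin exported, never the .pfx
$cred     = Get-Credential 'webadmin1'   # assumed local Windows account the cert will log on as

# Load the certificate. RawData is the DER bytes, so Base64 of it is exactly the one-line
# string the answer builds by hand (PEM body without BEGIN/END lines or line breaks).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$b64  = [Convert]::ToBase64String($cert.RawData)

# IIS must be able to validate the cert: a self-signed/user cert goes into the MACHINE
# store's Trusted People (a CA-issued cert needs its root in Trusted Root CAs instead).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($cert); $store.Close()

$apphost = 'MACHINE/WEBROOT/APPHOST'     # write to applicationHost.config (section is locked for web.config)
$loc     = "$site/$adminApp"
$filter  = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Enable the feature and one-to-one mappings for the admin area only, not the whole site.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter $filter -Name oneToOneCertificateMappingsEnabled -Value $true

# Add the mapping entry: this exact certificate logs on as the given Windows user.
# IIS encrypts the password attribute when it writes applicationHost.config.
Add-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter "$filter/oneToOneMappings" -Name '.' -Value @{
    enabled     = $true
    userName    = $cred.UserName
    password    = $cred.GetNetworkCredential().Password
    certificate = $b64
}

# Require SSL plus a client certificate on the admin area, so the login page cannot even be
# reached without a mapped certificate (the "passport" the question asks for).
Set-WebConfigurationProperty -PSPath $apphost -Location $loc -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Check: list the mappings now in effect for the admin area.
Get-WebConfiguration -PSPath $apphost -Location $loc -Filter "$filter/oneToOneMappings/add" |
    Select-Object userName, enabled
```

Repeat the mapping step once per administrator certificate; revoking an administrator is then just removing that entry and the certificate from Trusted People.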