<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Client SSL Authentication for Microsoft IIS Part 2: Setting up Mutual Authentication</title>
	<atom:link href="http://securitymusings.com/article/618/client-ssl-authentication-for-microsoft-iis-part-2-setting-up-mutual-authentication/feed" rel="self" type="application/rss+xml" />
	<link>http://securitymusings.com/article/618/client-ssl-authentication-for-microsoft-iis-part-2-setting-up-mutual-authentication</link>
	<description>Rants and raves from information security professionals</description>
	<lastBuildDate>Sat, 19 May 2012 23:32:04 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Walt</title>
		<link>http://securitymusings.com/article/618/client-ssl-authentication-for-microsoft-iis-part-2-setting-up-mutual-authentication/comment-page-1#comment-40446</link>
		<dc:creator>Walt</dc:creator>
		<pubDate>Mon, 21 Jun 2010 14:42:47 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=618#comment-40446</guid>
		<description>If all of the trusted issuers are present in the trust list set up in the second set of bullet points, the next things to check are:

a)  can the client build a trusted certificate chain back to the root certificate?  If not, the browser may not see the certificate as valid

and

b)  are the client certificates revoked, expired, etc.?  If the client certificates are invalid, the browser might also disallow them from being used.

Also, since you are using smart cards, you should make sure that when you plug the smart card in, the certificate is being registered in the CAPI store - if the underlying CAPI subsystem doesn&#039;t know that the smart card is plugged in, then it won&#039;t be aware of the certificate.</description>
		<content:encoded><![CDATA[<p>If all of the trusted issuers are present in the trust list set up in the second set of bullet points, the next things to check are:</p>
<p>a)  can the client build a trusted certificate chain back to the root certificate?  If not, the browser may not see the certificate as valid</p>
<p>and</p>
<p>b)  are the client certificates revoked, expired, etc.?  If the client certificates are invalid, the browser might also disallow them from being used.</p>
<p>Also, since you are using smart cards, you should make sure that when you plug the smart card in, the certificate is being registered in the CAPI store &#8211; if the underlying CAPI subsystem doesn&#8217;t know that the smart card is plugged in, then it won&#8217;t be aware of the certificate.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Beat Kiener</title>
		<link>http://securitymusings.com/article/618/client-ssl-authentication-for-microsoft-iis-part-2-setting-up-mutual-authentication/comment-page-1#comment-39976</link>
		<dc:creator>Beat Kiener</dc:creator>
		<pubDate>Fri, 18 Jun 2010 06:58:41 +0000</pubDate>
		<guid isPermaLink="false">http://securitymusings.com/?p=618#comment-39976</guid>
		<description>Very helpful article. Now it almost works for me, with one problem: how do I set which are the trusted publishers? I have two client certificates from two different issuers on two different smartcards. The browser only asks for the certificate when I use the smartcard from issuer A, with B it does not show the dialog. How can I tell IIS that it should send issuer B as trusted publisher to the browser in order that the browser will send the certificate from smartcard B?</description>
		<content:encoded><![CDATA[<p>Very helpful article. Now it almost works for me, with one problem: how do I set which are the trusted publishers? I have two client certificates from two different issuers on two different smartcards. The browser only asks for the certificate when I use the smartcard from issuer A, with B it does not show the dialog. How can I tell IIS that it should send issuer B as trusted publisher to the browser in order that the browser will send the certificate from smartcard B?</p>
]]></content:encoded>
	</item>
</channel>
</rss>

