X 509 Certificate

Posted: December 30, 2011 in Asp.net

SSL basics:

Client and server steps in the handshake:

  1. Client: from the browser, calls the server, sending the cipher suites and hash functions it supports. Server: receives them.
  2. Server: selects the strongest cipher and hash function and notifies the client.
  3. Server: sends its certificate, signed by the CA, which contains:
       • Server name
       • Certificate Authority
       • Public encryption key
  4. Client: may or may not verify the CA.
  5. Client: encrypts a random number with the public encryption key sent by the server; the session keys are derived from it. Server: decrypts it with its private key.

If the server requires a client certificate:

  6. Server: prompts for a certificate; the request includes a list of the certification authorities that the server trusts.
  7. Client: compares this list to the list of certification authorities it trusts and creates a list of the ones that match.
  8. Client: compares that list to the client certificates it has and determines which, if any, were issued by certification authorities that both the client and the server trust.
  9. Client: sends the public portion of the certificate to the server.
  10. Server: generally checks that the certificate is valid and, if no mapping is performed, communication between the client and the server can continue.

Server Certificate: (Simple)

IIS -> Website -> Edit Binding -> Add -> HTTPS

For the SSL protocol, the server needs a certificate from a Certificate Authority (CA) so that it can prove to the client that it is who it claims to be (IIS 7.5 can create a self-signed certificate for development purposes). SSL is an encryption layer over HTTP.

Client Certificate: (Mutual)

IIS -> Website -> SSL Settings -> Require SSL -> Client certificates -> Require

To restrict the server to serving only authenticated clients, client certificates are used. The server can map a certificate to a user account so that no other authentication is required.

Client Certificate Basics

Some of the misconceptions that we see on a regular basis are:

  • Client certificates are needed to make SSL work properly.
  • A client certificate that is issued by any certification authority will work with any server.
  • If you issue a client certificate, your Web server will automatically accept it.

The first and perhaps most confusing point is the difference between client certificates and Secure Sockets Layer (SSL) server certificates. Although client certificates and SSL server certificates both use certificates, they are not directly related to each other. SSL server certificates provide encryption and security functionality. Client certificates provide user authentication functionality. If this makes sense, the rest should be easy.

Client certificates are issued to a user by a certification authority. They consist of the public key portion of the certificate and a private key that is held only by the entity to which the certificate is issued. The certification authority may be a well-known public organization that provides certificate services as part of its business, or it could be an internal server that only your company uses. In either case, the client certificate will have certain information that identifies the user either individually or as part of a group.

In IIS, you have the option of ignoring, accepting, or requiring client certificates when a user accesses resources on your server. Ignoring certificates simply means that you are not using them, will not ask the client for one, and will discard one if it is sent to your server. If you choose to accept certificates, your server will prompt for a certificate but will not necessarily deny access if a certificate is not provided. If you require client certificates, the user must supply a valid certificate or the user will receive an error message.

For a certificate to work properly, certain requirements must be met on both the server and the client. Each side has a list of root certification authorities that they trust. When the server prompts for a certificate, the request includes a list of the certification authorities that the server trusts. The client then compares this list to the list of certification authorities that the client trusts and creates a list of the ones that match. Then, the client compares that list to the client certificates it has and determines which, if any, certificates have been issued by certification authorities that both the client and the server trust. Depending on the client, you may see a list of certificates to choose from if there is more than one certification authority that both sides trust. The client then sends the public portion of the certificate to the server. At this point, the server generally checks to make sure that the certificate is valid and, if no mapping is performed, the communications between the client and the server can continue.

This is the most basic functionality of client certificates. At this point, the server knows only that the client has a valid certificate.

Here is where things get interesting. The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method.
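The certificate selection and the two mapping modes described in the last two paragraphs, as an added Python sketch that is not part of the original post or of IIS: certificates are stand-in records (no real cryptography), and the CA names, account names and the many-to-one rule are constructed. It also covers the many-to-one case the text only mentions, so the difference between "valid but unmapped" and "mapped to an account" is visible.

```python
from dataclasses import dataclass
from datetime import date

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the -eku value passed to makecert later in the post

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields this flow needs."""
    subject: str
    issuer: str          # distinguished name of the CA that signed it
    not_after: date
    blob: str            # Base-64 DER as pasted into a one-to-one mapping
    eku: tuple = (CLIENT_AUTH_EKU,)

def select_client_certs(server_trusts, client_trusts, client_certs):
    """Client side: offer only certificates issued by CAs that BOTH sides trust."""
    common = set(server_trusts) & set(client_trusts)
    return [c for c in client_certs if c.issuer in common]

def server_accepts(cert, server_trusts, today):
    """Server side 'is the certificate valid': trusted issuer, not expired, clientAuth EKU.
    Signature and chain checks are done by the OS/IIS and are outside this sketch."""
    return (cert.issuer in server_trusts
            and today <= cert.not_after
            and CLIENT_AUTH_EKU in cert.eku)

def map_to_account(cert, one_to_one, many_to_one):
    """One-to-one: exact blob match. Many-to-one: first rule whose field values all match.
    Returns the mapped account name, or None: the client is authenticated but anonymous."""
    if cert.blob in one_to_one:
        return one_to_one[cert.blob]
    for rule, account in many_to_one:
        if all(getattr(cert, name) == value for name, value in rule.items()):
            return account
    return None

# Constructed sample data mirroring the post: the private CA plus a public CA only the client trusts.
SERVER_TRUSTS = {"CN=My Personal CA"}
CLIENT_TRUSTS = {"CN=My Personal CA", "CN=Some Public CA"}
CLIENT_CERTS = [
    Cert("CN=John Doe", "CN=My Personal CA", date(2016, 1, 21), "blob-johndoe"),
    Cert("CN=Jane Roe", "CN=My Personal CA", date(2016, 1, 21), "blob-janeroe"),
    Cert("CN=John Doe", "CN=Some Public CA", date(2016, 1, 21), "blob-public"),  # never offered
]
ONE_TO_ONE = {"blob-johndoe": "JohnDoe"}                        # specific certificate -> account
MANY_TO_ONE = [({"issuer": "CN=My Personal CA"}, "CertUsers")]  # any cert from our CA -> group account

if __name__ == "__main__":
    for cert in select_client_certs(SERVER_TRUSTS, CLIENT_TRUSTS, CLIENT_CERTS):
        if server_accepts(cert, SERVER_TRUSTS, date(2012, 1, 1)):
            print(cert.subject, "->", map_to_account(cert, ONE_TO_ONE, MANY_TO_ONE))
```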

_____________________________________________________________________________________

Self Signed CA Certificate

Since we had full control over the environment in which our certificates were going to be used (i.e. on all clients and servers), we wouldn’t have benefited from having a top-tier certification authority (CA) like VeriSign or DigiCert issue our client certificates. That’s why we created our own and self-signed it.

As you may know, a CA certificate is sort of a master certificate that is ultimately trusted and that is used to sign other, lower level certificates. If a lower level certificate is signed by a CA certificate and a given computer trusts the CA that issued the CA certificate, it will implicitly trust the lower level certificate as well. The two certificates — the CA certificate and the lower level certificate — are related in what’s called a certificate chain. One simply derives from the other.

Utilizing a CA certificate for a purpose like ours is extremely useful. A server that is validating a large number of client certificates doesn’t have to individually trust each and every one (usually by installing them all in one of the trusted locations in its certificate store). All it needs to do is install the CA certificate (and only the CA certificate) and leave the rest up to the operating system and IIS.

______________________________________________________________________________

http://www.aspnetwiki.com/configuring-iis-7-with-self-signed-server-and-client-certifi

Overview

I recently had to implement PKI (client certificate) authentication for a project and needed to configure a server and client certificate so that I could do the development. I didn’t want to have to deal with standing up a certificate authority to generate all the certificates. I found that IIS 7 has a really nice feature that allows you to create a self-signed (server) certificate. There are plenty of articles on this; two that I found helpful were: Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates on Scott Gu’s blog and How to Create a Self Signed Certificate in IIS 7. However, finding information about creating a self-signed client certificate wasn’t as easy. I finally came across a blog that had the answer: IIS 7 and Client Certificates, which referenced another article: Configuring One-to-One Client Certificate Mappings.

The articles on creating a Self-Signed Server Certificate are really good, so I’ll focus on documenting my experience with creating a Self-Signed Client Certificate here.

Creating a Self-Signed Client Certificate

Installing the MakeCert Utility

The first step mentioned in the IIS 7 and Client Certificates blog is installing the MakeCert utility. The link on the blog takes you to the MSDN documentation for the MakeCert utility, which provides a link to download the Windows SDK. Here are the links:

I downloaded the web installer for the Windows Development Kit and installed it with the following options:

  • Windows Native Code Development -> Tools
  • .NET Development Tools

I honestly don’t know which one had the MakeCert utility, but at least I didn’t install the entire SDK.

Creating the Client Certificates

The IIS 7 and Client Certificates blog is pretty good about explaining how to create the client certificates. Here are the commands that I took from the blog and executed in a command line window. In my examples I set the password for everything to the word “password”.

Create the Self Signed CA Certificate And Install it

makecert.exe -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer

Create the Client Certificate

makecert.exe -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2

Note: the IIS 7 and Client Certificates blog was created on 24-Jan-2010 and has the client certificate expiring on 21-Jan-2011. When I created the client certificate, I changed the expiration date to 21-Jan-2016.

Create the Client PKCS12 Certificate

pvk2pfx.exe -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po password

Step 2 also mentions sending the client certificate and the self-signed CA certificate to “John Doe” to be installed on his workstation. Since your workstation is the “client” workstation, you need to install the client certificate yourself.

To install the client certificate:

  1. Launch the Microsoft Management Console (mmc) and add the “Certificates” Snap-in for the current user.
  2. Add the JohnDoe.pfx file to the “Certificates – Current User” -> Personal store.

To install the self-signed client CA certificate:

  1. Launch the Microsoft Management Console (mmc) and add the “Certificates” Snap-in for the local computer.
  2. Add the MyPersonalCA.cer file to the “Certificates (Local Computer)” -> Personal store.
  3. Also add the MyPersonalCA.cer file to the “Certificates (Local Computer)” -> “Trusted Root Certificate Authorities” store.

There are a couple of bullet points in step 3 that are worth doing as soon as you finish Step 2 from the IIS 7 and Client Certificates blog: create the Base-64 encoded version of the client certificate and install the self-signed CA certificate.

Create the Client Base-64 Certificate

Here is the process taken directly from the IIS 7 and Client Certificates blog:

One way to obtain the Base-64 encoded certificate for John Doe is to install John’s .PFX file, then open the Microsoft Management Console (run mmc.exe, CTRL-M, double click Certificates, Finish, OK, right click on John’s certificate under Personal/Certificates, export without a private key, and pick the Base-64 encoded X.509 (.CER) option).

Configure IIS to use the Client Certificate (this step is required if you want to grant a user rights depending on their certificate; if all users are treated the same, it is not required)

In Step 3 of the IIS 7 and Client Certificates blog, you are directed to look at the Configuring One-to-One Client Certificate Mappings article. I had to make a few adjustments here.

  • I am running IIS 7.5, so I already have the IIS Manager installed and did not have to install “IIS 7 Administration Pack Technical Preview 2”.
  • In “Step 1: Getting the Certificate Blob”, this is the Client Base-64 Certificate that was created above. Just follow the instructions for extracting the “certificate blob”. Here is a copy of the instructions:
    1. Right click on your .cer file.
    2. Select Open With… in the context menu
    3. Select Notepad from the list of Other Programs and click OK. [Note: Notepad may be hidden beneath a drop down in the Vista/Windows 2008 list view]
    4. Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
    5. Format the certificate blob to be a single line.
    6. Save this file as clientCertBlob.txt
  • I followed Step 2 with one minor change. Here is a copy of the instructions:
    1. Start Inetmgr, the IIS 7 Manager UI
    2. Select the SSL web site that is being configured and open Configuration Editor
    3. Type “system.webServer/security/authentication/iisClientCertificateMappingAuthentication” in the Section drop down box.
    4. Select the enabled field and change the value to true
    5. Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true
    6. Select the oneToOneMappings property grid entry and click Edit Items… in the Actions Task Pane
    7. Click Add in the Collection Editor task list
    8. Copy the single string certificate blob from above and paste it into the certificate field
    9. Set the userName and password that clients will be authenticated as. (Here is the change: I set the userName to: JohnDoe and password to: password)
    10. Set the enabled field to true
    11. Close Collection Editor
    12. Click Apply in the Actions Task Pane [Note: Click Script Generation prior to clicking Apply to get scripts for this process]
  • I followed Step 3 with one minor change. Here is a copy of the instructions:
    1. From within Inetmgr, the IIS 7 Manager UI, select the SSL web site for which you want to use client certificates
    2. Select the SSL UI module
    3. Under Client certificates: select the Accept radio button. (Here is the change: I selected the Required radio button)
    4. Click Apply in the Actions Task Pane

______________________________________________________________________________

Step 4 was to verify that everything works. However, when I tried to verify that everything works, it didn’t. There was one more step that I had to take. The web browser doesn’t know anything about the client certificate, so I needed to import it into the browser.

To add the client certificate to the browser so that it can present it when the server prompts for a certificate:

For Internet Explorer:

Go to Tools -> “Internet Options” and select the Content tab.

Click on Certificates and import the JohnDoe.pfx file.

For Firefox:

Go to Tools -> Options and select the Advanced tab.

Click on “View Certificates” and import the JohnDoe.pfx file.

Conclusion

My experience has been that when attempting to configure a workstation, each workstation seems to have a slightly different set of steps. If you run into problems, post a comment here. I’m no expert but I may have some ideas.


Comments
  1. Jorge says:

    Hi, thanks a lot for this post! I tried out the client certificates thing and got it working thanks to this and Ondrej’s blog mentioned here!

    Now I have a new problem, I post the question here which I posted on Ondrejs blog, maybe someone knows a solution to this:

    My Webserver is an embedded Win7 machine, with IIS7.5 on it. I did not want to install the Win SDK in there, so I generated the CA and certificates on another machine and then copied them to the server. I get a 401.1 error when doing this. Trying it on the PC where I generated the files works fine.

    so my question:
    Do you need to generate the files on the same machine you will be using them on?

  2. Ngo Tuan Manh says:

    Hi author,

    Thanks for your post! I am working with your article!

  3. MADHU MENON says:

    EXCELLENT ARTICLE WITH ALL DETAILS.
    I cannot stop Thanking you for this Article.

    I am trying this for past 1 week.
    You are a real life Saver.
    There is no article for simple process of creating a client certificate authorization on IIS.

    http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/
    The above was the closest article I found. But again I failed and could not proceed. I was back to 403.7 forbidden.

    Everywhere I read, it says install JohnDoe.cer to the client; everywhere it mentions installing the client certificate. I was also able to see my Client certificate in Internet Options->Content->Certificates.

    Still I was stuck with 403. One line saved me from your article:
    Click on Certificates and import the JohnDoe.pfx file.

    I saw my client certificate in IE and I was sure my browser had the certificate.
    I needed to install the PFX file in my IE. This is not mentioned anywhere.

    Thanks again man.

  4. ewolfman says:

    Thanks for the guide. Helped me out.
