Require SSL certificate


  1. #1

    Default Require SSL certificate

    Hi,

    I am hoping to get some advice on the best way to achieve the following.

    I have a website and a security certificate; I install the security
    certificate for the site.
    From that point on I want to ensure that all visitors to the site are
    1. coming over HTTPS
    2. have my SSL certificate installed.

    I guess that I can examine the server variables collection to ensure that
    they are coming over HTTPS; however, I am unsure of how to determine if they
    have my SSL certificate installed.

    Any help or pointers to articles of interest is appreciated.

    cheers

    martin.



    Martin Guest

  3. #2

    Default Re: Require SSL certificate

    In your code you can use:-

    bool IsUsingSSL;
    IsUsingSSL = Request.IsSecureConnection;

    This will be true if running under SSL.

    Once a web cert is associated with a site, it doesn't need to be installed
    into the clients' machines, it simply needs to descend from a valid
    certification authority root cert. The fact you have requested a cert and
    installed it via that request associates it with your site. In the browser,
    you can click on the padlock and verify it's using your requested
    certificate.


    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider ([url]www.aspinsiders.com[/url])

    Paul Glavich [MVP ASP.NET] Guest

  4. #3

    Default Re: Require SSL certificate

    Thanks for that.

    The security certificate I have was issued by the organization that I work
    for.
    We are only planning to distribute it to customers that we want to go to our
    secure site, so the way I see it we will physically have to give the
    certificate to the client and have them install it in their browser
    certificate store.


    cheers

    martin.

    Martin Guest

  5. #4

    Default Re: Require SSL certificate

    Actually, you should only need to give them the root certificate in the
    trust chain that issued your certificate and have all the clients install
    that in their trusted roots store. This will allow them to trust your
    certificate when they receive it via SSL and should allow you to proceed
    without any warnings.

    Note that this is not the same thing as a client certificate, as you are not
    trying to authenticate your clients with this certificate, you just want
    them to trust you.

    If this is unacceptable to your clients, then you can always get a
    commercial cert that chains to a standard publicly trusted root.

    Joe K.

    Joe Kaplan \(MVP - ADSI\) Guest

  6. #5

    Default Re: Require SSL certificate

    Hi Joe,
    > Note that this is not the same thing as a client certificate, as you are
    > not trying to authenticate your clients with this certificate, you just
    > want them to trust you.
    So is it possible to authenticate my client with this certificate by using the
    method that Paul suggested?

    bool IsUsingSSL;
    IsUsingSSL = Request.IsSecureConnection;

    I am using the certificate for two reasons.
    1. To ensure that all communication is secure and done over HTTPS.
    2. To actually authenticate the client. I don't want people using this site
    who have not been issued with this certificate.

    Maybe I should be using another method.
    I don't actually want to buy a commercial certificate, I am going to have my
    company issue it and then distribute it to my clients.

    Is this a feasible solution that will meet the needs of 1 and 2 above or do
    I have to rethink my solution?

    many thanks in advance.

    martin.

    Martin Guest

  7. #6

    Default Re: Require SSL certificate

    So wait, you want to use the same certificate for server authentication AND
    client authentication? I suppose you could do that if the certificate has
    both of the required key usages. I've just never heard of anyone doing that
    before. It will need both client and server authentication.

    SSL supports server-only authentication and client + server authentication.
    If you want to ensure client authentication, you can't just check
    IsSecureConnection property. That is only sufficient to determine if there
    is SSL with server authentication.

    To get client certificates, you need to change the appropriate IIS security
    settings in your SSL config to require client certificates. Then, you will
    be able to see the authenticated client certificates via the
    Request.ClientCertificate property. You can then examine the certificate to
    make sure it is whatever you want it to be.

    HTH,

    Joe K.

    Joe Kaplan \(MVP - ADSI\) Guest

  8. #7

    Default Re: Require SSL certificate

    Hi Joe,

    So what would you say is the best way for my server to authenticate a
    client?
    I actually want to authenticate the client machine and not the actual user.
    I just thought that ensuring that a certificate was installed on the machine
    was enough for me to validate it.
    I thought about only granting access by IP address; however, if an organisation
    only has one public IP address but supports many clients within its
    internal domain then each of those clients will effectively appear to have
    the same IP address and I don't want all machines to be authenticated.

    Any suggestions on how to accomplish client authentication are welcome.

    cheers

    martin.

    Martin Guest

  9. #8

    Default Re: Require SSL certificate

    Hello Martin,

    Use client certificates -

    the server needs a server cert - that's a prereq for SSL
    then issue a client cert for every client - this cert gets installed on the
    client machines

    in IIS, configure it to require SSL and require certs - with a CTL (cert trust
    list) you can configure a pattern for which client certs should be trustworthy
    - e.g. every client cert that comes from a specific CA.

    this satisfies:

    everyone uses SSL
    only specific machines can connect
    (and you can even query the client identity through the cert)

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    [url]http://www.leastprivilege.com[/url]
    > Hi joe,
    >
    > so what would you say is the best way for my server to authentication
    > a
    > client.
    > I actually want to authenticate the client machine and not the actual
    > user.
    > I just thought that ensuring that a certificate was installed on the
    > machine
    > was enough for me to validate it.
    > I though about only granting access by IP address however if an
    > organisation
    > only has one public IP address but supports many clients within its
    > internal domain then each of those clients will effectivly appear to
    > have
    > the same IP address and I don't want all machine to be autheticated.
    > any suggestions on how to accomplish client authentication are
    > welcome.
    >
    > cheers
    >
    > martin.
    >
    > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    > wrote in message news:O1RSC64TFHA.1040@TK2MSFTNGP10.phx.gbl...
    >
    >> So wait, you want to use the same certifcate for server
    >> authentication AND client authentication? I suppose you could do
    >> that if the certificate has both of the required key usages. I've
    >> just never heard of anyone doing that before. It will need both
    >> client and server authentication.
    >>
    >> SSL supports server-only authentication and client + server
    >> authentication. If you want to ensure client authentication, you
    >> can't just check IsSecureConnection property. That is only
    >> sufficient to determine if there is SSL with server authentication.
    >>
    >> To get client certificates, you need to change the appropriate IIS
    >> security settings in your SSL config to require client certificates.
    >> Then, you will be able to see the authenticated client certificates
    >> via the Request.ClientCertificate property. You can then examine the
    >> certificate to make sure it is whatever you want it to be.
    >>
    >> HTH,
    >>
    >> Joe K.
    >>
    >> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    >> news:uBSSEE3TFHA.1896@TK2MSFTNGP14.phx.gbl...
    >>
    >>> Hi joe,
    >>>
    >>>> Note that this is not the same thing as a client certificate, as
    >>>> you are not trying to authenticate your clients with this
    >>>> certificate, you just want them to trust you.
    >>>>
    >>> so is it possible to authticate my client with this certificate by
    >>> using the method that Paul suggested
    >>>
    >>> bool IsUsingSSL;
    >>> IsUsingSSL = Request.IsSecureConnection;
    >>> I am using the certificate for two reasons.
    >>> 1. to ensure that all communication is secure and done over HTTPS.
    >>> 2.to actually authenticate the client. I don't want people using
    >>> this
    >>> site would have not been issued with this certificate.
    >>> maybe I should be using another method.
    >>> I don't actually want to buy a commercial certificate, I am going to
    >>> have
    >>> my company issue it and then distribute it to my clients.
    >>> is this a feasible solution that will meet the needs of 1 and 2
    >>> above or do I have to rethink my solution.
    >>>
    >>> many thanks in advance.
    >>>
    >>> martin.
    >>>
    >>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    >>> wrote in message news:OrUE5l1TFHA.548@tk2msftngp13.phx.gbl...
    >>>
    >>>> Actually, you should only need to give them the root certificate in
    >>>> the trust chain the issued your certificate and have all the
    >>>> clients install that in their trusted roots store. This will allow
    >>>> them to trust your certificate when they receive it via SSL and
    >>>> should allow you to proceed without any warnings.
    >>>>
    >>>> Note that this is not the same thing as a client certificate, as
    >>>> you are not trying to authenticate your clients with this
    >>>> certificate, you just want them to trust you.
    >>>>
    >>>> If this is unacceptable to your clients, then you can always get a
    >>>> commercial cert that chains to a standard publicly trusted root.
    >>>>
    >>>> Joe K.
    >>>>
    >>>> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    >>>> news:uBSp8P1TFHA.1148@tk2msftngp13.phx.gbl...
    >>>>
    >>>>> Thanks for that.
    >>>>>
    >>>>> The security certifate I have was issued by the organization that
    >>>>> I
    >>>>> work for.
    >>>>> we are only planning to distribute it to customers that we want to
    >>>>> go
    >>>>> to our secure site so the way I see it we will physically have to
    >>>>> give
    >>>>> the certificate to the client and have them install it in their
    >>>>> browser
    >>>>> certificate store.
    >>>>> cheers
    >>>>>
    >>>>> martin.
    >>>>>
    >>>>> "Paul Glavich [MVP ASP.NET]" <glav@aspalliane.com-NOSPAM> wrote in
    >>>>> message news:OSrgsZxTFHA.616@TK2MSFTNGP12.phx.gbl...
    >>>>>
    >>>>>> In your code you can use:-
    >>>>>>
    >>>>>> bool IsUsingSSL;
    >>>>>> IsUsingSSL = Request.IsSecureConnection;
    >>>>>> This will be true if running under SSL.
    >>>>>>
    >>>>>> Once a web cert is associated with a site, it doesn't need to be
    >>>>>> installed
    >>>>>> into the clients machines, it simply needs to descend from a
    >>>>>> valid
    >>>>>> certification authority root cert. The fact you have requested a
    >>>>>> cert
    >>>>>> and
    >>>>>> installed it via that request associates it with your site. In
    >>>>>> the
    >>>>>> browser,
    >>>>>> you can click on the padlock and verify its using your requested
    >>>>>> certificate.
    >>>>>> --
    >>>>>>
    >>>>>> - Paul Glavich
    >>>>>> ASP.NET MVP
    >>>>>> ASPInsider ([url]www.aspinsiders.com[/url])
    >>>>>> "Martin" <martin_no_spam@martinz.co.nz> wrote in message
    >>>>>> news:e12$NvuTFHA.3544@TK2MSFTNGP12.phx.gbl...
    >>>>>>
    >>>>>>> Hi,
    >>>>>>>
    >>>>>>> i am hoping to get some advice on the best way to achieve the
    >>>>>>> following.
    >>>>>>>
    >>>>>>> I have a website and a security certificate, i install the security
    >>>>>>> certificate for the site.
    >>>>>>> from that point on I want to ensure that all visitors to the site are
    >>>>>>> 1. coming over Https
    >>>>>>> 2. have my SSL certificate installed.
    >>>>>>> I guess that i can examine the server variables collection to ensure that
    >>>>>>> they are coming over https, however I am unsure of how to determine if they
    >>>>>>> have my ssl certificate installed.
    >>>>>>>
    >>>>>>> any help or pointers to articles of interest is appreciated.
    >>>>>>>
    >>>>>>> cheers
    >>>>>>>
    >>>>>>> martin.
    >>>>>>>


    Dominick Baier [DevelopMentor] Guest

  10. #9

    Default Re: Require SSL certificate

    Agreed. That is essentially what I was trying to suggest.

    I think it is better to have separate client certificates from server
    certificates, if possible. Ideally, you would have separate client
    certificates for each client, but you could potentially use the same one for
    all clients if you don't need to differentiate them.

    If the certs are issued from the same CA, then installing the trusted root
    certificate for it should allow your clients to trust both the server and
    client certificate, so that is convenient.

    Joe K.

    "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    wrote in message news:333371632507008524798160@news.microsoft.com.. .
    > Hello Martin,
    >
    > use client certificates -
    > the server needs a server cert - that's a prereq for SSL
    > then issue a client cert for every client - this cert gets installed on the
    > client machines
    >
    > in IIS configure to require SSL and require certs - with a CTL (cert trust
    > list) you can configure a pattern which client certs should be
    > trustworthy - e.g. every client cert that comes from a specific CA.
    >
    > this satisfies:
    >
    > everyone uses SSL
    > only specific machines can connect
    > (and you can even query the client identity through the cert)
    >
    > HTH
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > [url]http://www.leastprivilege.com[/url]
    >
    >> Hi joe,
    >>
    >> so what would you say is the best way for my server to authenticate a
    >> client.
    >> I actually want to authenticate the client machine and not the actual
    >> user.
    >> I just thought that ensuring that a certificate was installed on the
    >> machine was enough for me to validate it.
    >> I thought about only granting access by IP address however if an
    >> organisation only has one public IP address but supports many clients
    >> within its internal domain then each of those clients will effectively
    >> appear to have the same IP address and I don't want all machines to be
    >> authenticated.
    >> any suggestions on how to accomplish client authentication are welcome.
    >>
    >> cheers
    >>
    >> martin.
    >>
    >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    >> wrote in message news:O1RSC64TFHA.1040@TK2MSFTNGP10.phx.gbl...
    >>
    >>> So wait, you want to use the same certificate for server
    >>> authentication AND client authentication? I suppose you could do
    >>> that if the certificate has both of the required key usages. I've
    >>> just never heard of anyone doing that before. It will need both
    >>> client and server authentication.
    >>>
    >>> SSL supports server-only authentication and client + server
    >>> authentication. If you want to ensure client authentication, you
    >>> can't just check IsSecureConnection property. That is only
    >>> sufficient to determine if there is SSL with server authentication.
    >>>
    >>> To get client certificates, you need to change the appropriate IIS
    >>> security settings in your SSL config to require client certificates.
    >>> Then, you will be able to see the authenticated client certificates
    >>> via the Request.ClientCertificate property. You can then examine the
    >>> certificate to make sure it is whatever you want it to be.
    >>>
    >>> HTH,
    >>>
    >>> Joe K.
    >>>
    >>> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    >>> news:uBSSEE3TFHA.1896@TK2MSFTNGP14.phx.gbl...
    >>>
    >>>> Hi joe,
    >>>>
    >>>>> Note that this is not the same thing as a client certificate, as
    >>>>> you are not trying to authenticate your clients with this
    >>>>> certificate, you just want them to trust you.
    >>>>>
    >>>> so is it possible to authenticate my client with this certificate by
    >>>> using the method that Paul suggested
    >>>>
    >>>> bool IsUsingSSL;
    >>>> IsUsingSSL = Request.IsSecureConnection;
    >>>> I am using the certificate for two reasons.
    >>>> 1. to ensure that all communication is secure and done over HTTPS.
    >>>> 2. to actually authenticate the client. I don't want people using this
    >>>> site who have not been issued with this certificate.
    >>>> maybe I should be using another method.
    >>>> I don't actually want to buy a commercial certificate, I am going to have
    >>>> my company issue it and then distribute it to my clients.
    >>>> is this a feasible solution that will meet the needs of 1 and 2
    >>>> above or do I have to rethink my solution.
    >>>>
    >>>> many thanks in advance.
    >>>>
    >>>> martin.
    >>>>
    >>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    >>>> wrote in message news:OrUE5l1TFHA.548@tk2msftngp13.phx.gbl...
    >>>>
    >>>>> Actually, you should only need to give them the root certificate in
    >>>>> the trust chain that issued your certificate and have all the
    >>>>> clients install that in their trusted roots store. This will allow
    >>>>> them to trust your certificate when they receive it via SSL and
    >>>>> should allow you to proceed without any warnings.
    >>>>>
    >>>>> Note that this is not the same thing as a client certificate, as
    >>>>> you are not trying to authenticate your clients with this
    >>>>> certificate, you just want them to trust you.
    >>>>>
    >>>>> If this is unacceptable to your clients, then you can always get a
    >>>>> commercial cert that chains to a standard publicly trusted root.
    >>>>>
    >>>>> Joe K.
    >>>>>
    >>>>> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    >>>>> news:uBSp8P1TFHA.1148@tk2msftngp13.phx.gbl...
    >>>>>
    >>>>>> Thanks for that.
    >>>>>>
    >>>>>> The security certificate I have was issued by the organization that I
    >>>>>> work for.
    >>>>>> we are only planning to distribute it to customers that we want to go
    >>>>>> to our secure site so the way I see it we will physically have to give
    >>>>>> the certificate to the client and have them install it in their browser
    >>>>>> certificate store.
    >>>>>> cheers
    >>>>>>
    >>>>>> martin.
    >>>>>>
    >>>>>> "Paul Glavich [MVP ASP.NET]" <glav@aspalliane.com-NOSPAM> wrote in
    >>>>>> message news:OSrgsZxTFHA.616@TK2MSFTNGP12.phx.gbl...
    >>>>>>
    >>>>>>> In your code you can use:-
    >>>>>>>
    >>>>>>> bool IsUsingSSL;
    >>>>>>> IsUsingSSL = Request.IsSecureConnection;
    >>>>>>> This will be true if running under SSL.
    >>>>>>>
    >>>>>>> Once a web cert is associated with a site, it doesn't need to be installed
    >>>>>>> into the clients' machines, it simply needs to descend from a valid
    >>>>>>> certification authority root cert. The fact you have requested a cert and
    >>>>>>> installed it via that request associates it with your site. In the browser,
    >>>>>>> you can click on the padlock and verify it's using your requested
    >>>>>>> certificate.
    >>>>>>> --
    >>>>>>>
    >>>>>>> - Paul Glavich
    >>>>>>> ASP.NET MVP
    >>>>>>> ASPInsider ([url]www.aspinsiders.com[/url])
    >>>>>>> "Martin" <martin_no_spam@martinz.co.nz> wrote in message
    >>>>>>> news:e12$NvuTFHA.3544@TK2MSFTNGP12.phx.gbl...
    >>>>>>>
    >>>>>>>> Hi,
    >>>>>>>>
    >>>>>>>> i am hoping to get some advice on the best way to achieve the
    >>>>>>>> following.
    >>>>>>>>
    >>>>>>>> I have a website and a security certificate, i install the security
    >>>>>>>> certificate for the site.
    >>>>>>>> from that point on I want to ensure that all visitors to the site are
    >>>>>>>> 1. coming over Https
    >>>>>>>> 2. have my SSL certificate installed.
    >>>>>>>> I guess that i can examine the server variables collection to ensure that
    >>>>>>>> they are coming over https, however I am unsure of how to determine if they
    >>>>>>>> have my ssl certificate installed.
    >>>>>>>>
    >>>>>>>> any help or pointers to articles of interest is appreciated.
    >>>>>>>>
    >>>>>>>> cheers
    >>>>>>>>
    >>>>>>>> martin.
    >>>>>>>>
    >
    >
    >

    Joe Kaplan (MVP - ADSI) Guest
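
The server-side check described in this thread (IsSecureConnection only proves SSL; Request.ClientCertificate is what identifies the client), as an added example that is not part of any post. It assumes a classic ASP.NET (System.Web) site with IIS set to require SSL and client certificates; the class name and the thumbprint values are placeholders.

```csharp
// Added example, not code from the thread. Global.asax.cs for a classic
// ASP.NET (System.Web) site. Thumbprints below are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: one SHA-1 thumbprint per enrolled client machine.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "PLACEHOLDER_THUMBPRINT_CLIENT_A",
            "PLACEHOLDER_THUMBPRINT_CLIENT_B"
        };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string reason = GetDenyReason(Request);
        if (reason == null)
        {
            return; // HTTPS with an enrolled, currently valid client certificate
        }

        // Record the reason server-side; do not echo it to the caller.
        Trace.TraceWarning("Denied {0}: {1}", Request.UserHostAddress, reason);
        Response.StatusCode = 403;
        CompleteRequest();
    }

    // Returns null when the request is acceptable, otherwise why it is not.
    private static string GetDenyReason(HttpRequest request)
    {
        // 1. Transport: true for any SSL connection, even with no client cert.
        if (!request.IsSecureConnection)
            return "not HTTPS";

        // 2. Client authentication: a certificate must have been presented
        //    during the handshake and accepted by IIS.
        HttpClientCertificate presented = request.ClientCertificate;
        if (!presented.IsPresent)
            return "no client certificate";
        if (!presented.IsValid)
            return "client certificate rejected by IIS";

        // 3. Examine the certificate itself.
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);
        DateTime now = DateTime.Now; // NotBefore/NotAfter are local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            return "client certificate outside validity period";
        if (!AllowedThumbprints.Contains(cert.Thumbprint))
            return "client certificate not enrolled: " + cert.Subject;

        return null;
    }
}
```

Issuing one certificate per client machine, as suggested in the thread, lets a single machine be removed from the allow-list without reissuing certificates to everyone else.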

  11. #10

    Default Re: Require SSL certificate

    Thanks for your suggestions guys..


    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:uRXAFfAUFHA.3584@TK2MSFTNGP14.phx.gbl...
    > Agreed. That is essentially what I was trying to suggest.
    >
    > I think it is better to have separate client certificates from server
    > certificates, if possible. Ideally, you would have separate client
    > certificates for each client, but you could potentially use the same one for
    > all clients if you don't need to differentiate them.
    >
    > If the certs are issued from the same CA, then installing the trusted root
    > certificate for it should allow your clients to trust both the server and
    > client certificate, so that is convenient.
    >
    > Joe K.
    >
    > "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
    > wrote in message news:333371632507008524798160@news.microsoft.com.. .
    > > Hello Martin,
    > >
    > > use client certificates -
    > > the server needs a server cert - that's a prereq for SSL
    > > then issue a client cert for every client - this cert gets installed on the
    > > client machines
    > >
    > > in IIS configure to require SSL and require certs - with a CTL (cert trust
    > > list) you can configure a pattern which client certs should be
    > > trustworthy - e.g. every client cert that comes from a specific CA.
    > >
    > > this satisfies:
    > >
    > > everyone uses SSL
    > > only specific machines can connect
    > > (and you can even query the client identity through the cert)
    > >
    > > HTH
    > >
    > > ---------------------------------------
    > > Dominick Baier - DevelopMentor
    > > [url]http://www.leastprivilege.com[/url]
    > >
    > >> Hi joe,
    > >>
    > >> so what would you say is the best way for my server to authenticate a
    > >> client.
    > >> I actually want to authenticate the client machine and not the actual
    > >> user.
    > >> I just thought that ensuring that a certificate was installed on the
    > >> machine was enough for me to validate it.
    > >> I thought about only granting access by IP address however if an
    > >> organisation only has one public IP address but supports many clients
    > >> within its internal domain then each of those clients will effectively
    > >> appear to have the same IP address and I don't want all machines to be
    > >> authenticated.
    > >> any suggestions on how to accomplish client authentication are welcome.
    > >>
    > >> cheers
    > >>
    > >> martin.
    > >>
    > >> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    > >> wrote in message news:O1RSC64TFHA.1040@TK2MSFTNGP10.phx.gbl...
    > >>
    > >>> So wait, you want to use the same certificate for server
    > >>> authentication AND client authentication? I suppose you could do
    > >>> that if the certificate has both of the required key usages. I've
    > >>> just never heard of anyone doing that before. It will need both
    > >>> client and server authentication.
    > >>>
    > >>> SSL supports server-only authentication and client + server
    > >>> authentication. If you want to ensure client authentication, you
    > >>> can't just check IsSecureConnection property. That is only
    > >>> sufficient to determine if there is SSL with server authentication.
    > >>>
    > >>> To get client certificates, you need to change the appropriate IIS
    > >>> security settings in your SSL config to require client certificates.
    > >>> Then, you will be able to see the authenticated client certificates
    > >>> via the Request.ClientCertificate property. You can then examine the
    > >>> certificate to make sure it is whatever you want it to be.
    > >>>
    > >>> HTH,
    > >>>
    > >>> Joe K.
    > >>>
    > >>> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    > >>> news:uBSSEE3TFHA.1896@TK2MSFTNGP14.phx.gbl...
    > >>>
    > >>>> Hi joe,
    > >>>>
    > >>>>> Note that this is not the same thing as a client certificate, as
    > >>>>> you are not trying to authenticate your clients with this
    > >>>>> certificate, you just want them to trust you.
    > >>>>>
    > >>>> so is it possible to authenticate my client with this certificate by
    > >>>> using the method that Paul suggested
    > >>>>
    > >>>> bool IsUsingSSL;
    > >>>> IsUsingSSL = Request.IsSecureConnection;
    > >>>> I am using the certificate for two reasons.
    > >>>> 1. to ensure that all communication is secure and done over HTTPS.
    > >>>> 2. to actually authenticate the client. I don't want people using this
    > >>>> site who have not been issued with this certificate.
    > >>>> maybe I should be using another method.
    > >>>> I don't actually want to buy a commercial certificate, I am going to have
    > >>>> my company issue it and then distribute it to my clients.
    > >>>> is this a feasible solution that will meet the needs of 1 and 2
    > >>>> above or do I have to rethink my solution.
    > >>>>
    > >>>> many thanks in advance.
    > >>>>
    > >>>> martin.
    > >>>>
    > >>>> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
    > >>>> wrote in message news:OrUE5l1TFHA.548@tk2msftngp13.phx.gbl...
    > >>>>
    > >>>>> Actually, you should only need to give them the root certificate in
    > >>>>> the trust chain that issued your certificate and have all the
    > >>>>> clients install that in their trusted roots store. This will allow
    > >>>>> them to trust your certificate when they receive it via SSL and
    > >>>>> should allow you to proceed without any warnings.
    > >>>>>
    > >>>>> Note that this is not the same thing as a client certificate, as
    > >>>>> you are not trying to authenticate your clients with this
    > >>>>> certificate, you just want them to trust you.
    > >>>>>
    > >>>>> If this is unacceptable to your clients, then you can always get a
    > >>>>> commercial cert that chains to a standard publicly trusted root.
    > >>>>>
    > >>>>> Joe K.
    > >>>>>
    > >>>>> "Martin" <martin_NO_SPAM_WANTED@martinz.co.nz> wrote in message
    > >>>>> news:uBSp8P1TFHA.1148@tk2msftngp13.phx.gbl...
    > >>>>>
    > >>>>>> Thanks for that.
    > >>>>>>
    > >>>>>> The security certificate I have was issued by the organization that I
    > >>>>>> work for.
    > >>>>>> we are only planning to distribute it to customers that we want to go
    > >>>>>> to our secure site so the way I see it we will physically have to give
    > >>>>>> the certificate to the client and have them install it in their browser
    > >>>>>> certificate store.
    > >>>>>> cheers
    > >>>>>>
    > >>>>>> martin.
    > >>>>>>
    > >>>>>> "Paul Glavich [MVP ASP.NET]" <glav@aspalliane.com-NOSPAM> wrote in
    > >>>>>> message news:OSrgsZxTFHA.616@TK2MSFTNGP12.phx.gbl...
    > >>>>>>
    > >>>>>>> In your code you can use:-
    > >>>>>>>
    > >>>>>>> bool IsUsingSSL;
    > >>>>>>> IsUsingSSL = Request.IsSecureConnection;
    > >>>>>>> This will be true if running under SSL.
    > >>>>>>>
    > >>>>>>> Once a web cert is associated with a site, it doesn't need to be installed
    > >>>>>>> into the clients' machines, it simply needs to descend from a valid
    > >>>>>>> certification authority root cert. The fact you have requested a cert and
    > >>>>>>> installed it via that request associates it with your site. In the browser,
    > >>>>>>> you can click on the padlock and verify it's using your requested
    > >>>>>>> certificate.
    > >>>>>>> --
    > >>>>>>>
    > >>>>>>> - Paul Glavich
    > >>>>>>> ASP.NET MVP
    > >>>>>>> ASPInsider ([url]www.aspinsiders.com[/url])
    > >>>>>>> "Martin" <martin_no_spam@martinz.co.nz> wrote in message
    > >>>>>>> news:e12$NvuTFHA.3544@TK2MSFTNGP12.phx.gbl...
    > >>>>>>>
    > >>>>>>>> Hi,
    > >>>>>>>>
    > >>>>>>>> i am hoping to get some advice on the best way to achieve the
    > >>>>>>>> following.
    > >>>>>>>>
    > >>>>>>>> I have a website and a security certificate, i install the security
    > >>>>>>>> certificate for the site.
    > >>>>>>>> from that point on I want to ensure that all visitors to the site are
    > >>>>>>>> 1. coming over Https
    > >>>>>>>> 2. have my SSL certificate installed.
    > >>>>>>>> I guess that i can examine the server variables collection to ensure that
    > >>>>>>>> they are coming over https, however I am unsure of how to determine if they
    > >>>>>>>> have my ssl certificate installed.
    > >>>>>>>>
    > >>>>>>>> any help or pointers to articles of interest is appreciated.
    > >>>>>>>>
    > >>>>>>>> cheers
    > >>>>>>>>
    > >>>>>>>> martin.
    > >>>>>>>>
    > >
    > >
    > >
    >
    >

    Martin Guest
