
SSL and certificates - ASP.NET Security


  1. #1

    SSL and certificates

    Are client certificates necessary for SSL or just server
    certificates?

    The Microsoft help for setting up SSL takes you through
    creating a server root certificate and another server
    certificate and then installing each on all of the
    clients. But other documentation that I have read
    suggests that SSL only needs server certificates and that
    client certificates are only needed for certificate
    authentication. I want to use forms authentication and
    don't want to force our customers to deploy client
    certificates if they don't have to.
    Kevin Guest

  2. #2

    Re: SSL and certificates

    You only need a server certificate for having users authenticate securely
    with forms authentication over an SSL encrypted connection. In this scenario
    the users are authenticated using their username and password, submitted to
    the server over SSL.

    Client certificates are not used for securing the connection between client
    and server, but only to authenticate users. In this kind of scenario the
    users do not submit their username/password for authentication, but
    instead use their client certificate to authenticate.

    --
    ----
    Regards TMJ
    --------



    "Kevin" <anonymousdiscussions.microsoft.com> wrote in message
    news:0f7f01c3be60$fe7193e0$a301280aphx.gbl...
    > Are client certificates necessary for SSL or just server
    > certificates?
    >
    > The Microsoft help for setting up SSL takes you through
    > creating a server root certificate and another server
    > certificate and then installing each on all of the
    > clients. But other documentation that I have read
    > suggests that SSL only needs server certificates and that
    > client certificates are only needed for certificate
    > authentication. I want to use forms authentication and
    > don't want to force our customers to deploy client
    > certificates if they don't have to.

    Thomas Møller Jensen Guest

  3. #3

    Re: SSL and certificates

    In article <0f7f01c3be60$fe7193e0$a301280aphx.gbl>, "Kevin"
    <anonymousdiscussions.microsoft.com> wrote:
    >Are client certificates necessary for SSL or just server
    >certificates?

    Just a server certificate. However...

    >The Microsoft help for setting up SSL takes you through
    >creating a server root certificate and another server
    >certificate and then installing each on all of the
    >clients.

    The client needs to have some way to believe that the server's certificate
    is genuine. It does that either by trusting the server's certificate, or
    one of the certificates that were used to sign the server's certificate.

    This is where installing the certificates comes in - your client only trusts
    those certificates that it has been told to trust. Internet Explorer ships
    with a few certificates already described as "trusted" - these are generally
    root certification authorities, and IE will implicitly trust any server that
    presents a certificate signed by one of these Trusted Roots.

    To get your server certificate trusted by a client's installation of IE, you
    have to do one of the following:

    1. Get your certificate from a CA that is already a trusted root at the
    client's IE installation.
    2. Have the client install your server's certificate as trusted.
    3. Have the client install as trusted the certificate from the CA that
    issued your server's certificate.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    1602 Harvest Moon Place | aluntexis.com.
    Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
    Alun Jones [MS MVP] Guest
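
The trust decision described in the last reply, as an added example that is not part of the original thread: a C# program (.NET 6 or later assumed) that creates a throwaway root CA and a server certificate, then validates the server certificate first with an empty client trust list and then with the root added. The names `Example Private Root CA` and `app.example.test` are constructed, and no client certificate is created at any point.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ServerTrustDemo
{
    // Constructed subject names; nothing here comes from a real deployment.
    static X509Certificate2 CreateRootCa(RSA key)
    {
        var req = new CertificateRequest("CN=Example Private Root CA", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    static X509Certificate2 IssueServerCert(X509Certificate2 rootCa, RSA key)
    {
        var req = new CertificateRequest("CN=app.example.test", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth
        return req.Create(rootCa, DateTimeOffset.UtcNow.AddMinutes(-5),
            DateTimeOffset.UtcNow.AddDays(7), RandomNumberGenerator.GetBytes(8));
    }

    // Models the client's check: does the server certificate chain to something this client trusts?
    static bool ClientTrusts(X509Certificate2 server, X509Certificate2Collection trustedRoots,
                             out X509ChainStatusFlags why)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // do not consult the machine store
        chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // the demo CA publishes no CRL
        bool ok = chain.Build(server);
        why = X509ChainStatusFlags.NoError;
        foreach (var s in chain.ChainStatus) why |= s.Status;            // collect every failure reason
        return ok;
    }

    static void Main()
    {
        using RSA caKey = RSA.Create(2048), serverKey = RSA.Create(2048);
        using var root = CreateRootCa(caKey);
        using var server = IssueServerCert(root, serverKey);
        bool before = ClientTrusts(server, new X509Certificate2Collection(), out var reason);
        Console.WriteLine($"root not installed: trusted={before} ({reason})");
        bool after = ClientTrusts(server, new X509Certificate2Collection(root), out reason);
        Console.WriteLine($"root installed:     trusted={after} ({reason})");
    }
}
```

The custom trust list stands in for the client's Trusted Root store so the program leaves the machine store untouched; adding the root to that list corresponds to option 3 in the reply above.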
