Client Side Certificate

 
 
A.M
Guest
Posts: n/a
 
      04-30-2004
Hi,

Regarding Microsoft Knowledge Base Article 315588: we have 60 clients for
our ASP.NET application.
Do we need to buy an SSL key from Verisign.com for each client to have a
client-side certificate?

Thanks,
Allan


 
Reply With Quote
 
 
 
 
A.M
Guest
Posts: n/a
 
      04-30-2004
Thanks for help.

Those 60 clients are our employees, so we define who they trust! They are
mobile users and they use the internet to connect to the office.

Do we need to open that certificate server to the public internet?

Allan

"(E-Mail Removed)" <(E-Mail Removed)> wrote
in message news:(E-Mail Removed)...
> One option is to set up your own Certificate Server and issue your own
> certificates. This is an install option in Windows 2000 Server and
> later. (Perhaps in earlier OSs but this is what I'm running.) This is viable
> if the 60 clients have reason to "trust" your organization as a root
> certificate authority. You can also issue your own server certificate as
> well. This works well if trust is established with your clients. This
> whole scheme depends upon the degree of trust in the certificate authority,
> if you don't trust the CA, don't install their certificates!
>
> Eagle



 
Reply With Quote
 
 
 
 
EagleRed@HighFlyingBirds.com
Guest
Posts: n/a
 
      04-30-2004
In the scenario you describe you would not expose your certificate server to the public internet. This would be done only if you are going to service certificate requests from the general public, like Verisign and others do. Read the Windows documentation on setting up a certificate server. The basics aren't difficult; the details can get messy with things like custom policies. You can issue your own certs and have the employees install them in their personal certificate stores.
 
Reply With Quote
 
EagleRed@HighFlyingBirds.com
Guest
Posts: n/a
 
      04-30-2004
Check the "testing SSL" thread below.
 
Reply With Quote
 
WJ
Guest
Posts: n/a
 
      05-02-2004
"A.M" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for help.
>
> Those 60 clients are our employees, so we define who they trust! They are
> mobile users and they use the internet to connect to the office.

I would not use a client certificate in this case. Since there are only 60
employees, why not use Integrated Windows Authentication in IIS? This
method also allows your 60 clients to log on to your ASP.NET site from
anywhere using any device; all they need is their logon ID & password. The
certificate method only allows you to work on the device where the
certificate is installed originally. In short, a certificate is good for
signing documents; this is where it is most used.

John


 
Reply With Quote
 
Paul Glavich [MVP - ASP.NET]
Guest
Posts: n/a
 
      05-02-2004
Note that while in theory all these answers are correct, setting up your own
CA and issuing your own client certs does have its quirks. Firstly, you need
to make sure that the "Certificate Revocation List" (CRL) is installed on
the web server that you are using your client certs against. Failure to do
this will mean that the server cannot access the CRL via the internet (I am
assuming it's not internet visible) and so not be able to access the CRL to
see if the client cert has been revoked. In this scenario, it assumes all
certs are invalid and rejects everything. We spent some time just figuring
this little trick out. Also, make sure you set up a certificate trust list
so that the server "trusts" your self-signed CA certs and therefore also
accepts client certs from your CA.

Finally, if running Win2k, make sure any hotfixes have *all* dependent fixes
installed, or that the Win2k box is up to SP3 or above. In one instance, our
server team had installed a series of patches, except one, and this omission
also caused the server to reject all client certs. Yet more weeks of time
debugging this.

I guess what I am trying to say is that in each case, the same error (client
certificate revoked) was shown even though the problem resolution was
different. It can be a lot trickier than you realise, but certainly possible
to get going.

--
- Paul Glavich
Microsoft MVP - ASP.NET


"A.M" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for help.
>
> Those 60 clients are our employees, so we define who they trust! They are
> mobile users and they use the internet to connect to the office.
>
> Do we need to open that certificate server to the public internet?
>
> Allan
>
> "(E-Mail Removed)" <(E-Mail Removed)> wrote
> in message news:(E-Mail Removed)...
> > One option is to set up your own Certificate Server and issue your own
> > certificates. This is an install option in Windows 2000 Server and
> > later. (Perhaps in earlier OSs but this is what I'm running.) This is viable
> > if the 60 clients have reason to "trust" your organization as a root
> > certificate authority. You can also issue your own server certificate as
> > well. This works well if trust is established with your clients. This
> > whole scheme depends upon the degree of trust in the certificate authority,
> > if you don't trust the CA, don't install their certificates!
> >
> > Eagle



 
Reply With Quote
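
A diagnostic for the situation described in the post above, where several different causes surface as the same "client certificate revoked" error. This is an added example, not part of the thread: run on the web server against an exported client certificate, it builds the chain with revocation checking on and separates a real revocation from an unreachable CRL or an untrusted internal CA. The function name `Test-ClientCertChain` and the sample path are assumptions.

```powershell
# Added example (not from the thread). Test-ClientCertChain and the sample
# path are hypothetical; the types are the standard .NET X509 classes.
function Test-ClientCertChain {
    param([Parameter(Mandatory)][string]$Path)   # exported client cert (.cer)

    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" $Path
    # $true = build in the machine context, closer to what a service sees
    $chain = New-Object "$ns.X509Chain" $true
    $chain.ChainPolicy.RevocationMode      = 'Online'       # fetch the CRL if not cached
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Where the server will look for the CRL (CRL Distribution Points extension)
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(none in certificate)' }

    $ok    = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $F     = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

    $diagnosis =
        if ($ok) { 'Chain builds and revocation was checked.' }
        elseif ($flags -contains $F::Revoked) {
            'Certificate really is listed in the CRL.' }
        elseif ($flags -contains $F::UntrustedRoot -or $flags -contains $F::PartialChain) {
            'Issuing CA is not trusted on this server (check the root store / CTL).' }
        elseif ($flags -contains $F::RevocationStatusUnknown -or
                $flags -contains $F::OfflineRevocation) {
            'CRL could not be retrieved or is stale; status is unknown, not revoked.' }
        else { 'Other chain error; see ChainStatus.' }

    [pscustomobject]@{
        Subject               = $cert.Subject
        CrlDistributionPoints = $cdpText
        ChainStatus           = ($flags -join ', ')
        Diagnosis             = $diagnosis
    }
}

# Usage (constructed sample path):
# Test-ClientCertChain -Path 'C:\temp\employee-client.cer' | Format-List
```

The result reflects the account and machine the script runs under, so run it on the web server itself rather than on an administrator workstation.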
 
Steven Cheng[MSFT]
Guest
Posts: n/a
 
      05-03-2004
Hi Allan,

I'm viewing this thread and found that many other community members are
discussing with you in another thread named
"RE: Client Side Certificate" in this newsgroup.
If you feel it convenient that we continue to focus on that one, please
feel free to post there. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Reply With Quote
 
 
 