SSL Cert authentication: Need to install client cert? Or can I just upload the cert?

David Chan via .NET 247
06-02-2005
Is it necessary to install the client certificate to the "cert repository" and have the private key "buried" deep inside the LocalMachine store?

Or, is it common for commercial sites and governmental e-service etc. to require users to present their certificate by browsing their cert only at the time they "log on" the site? Actually this is what I'm trying to achieve.

I've read many articles like MSDN etc. and succeeded in having the user access the site via HTTPS. The site's virtual path is set to require the user to present their cert. The site has set a "server certificate" which is issued by a Windows 2003 server with Certificate Service installed. The server's config is perfectly OK; however, awkward stuff, at least to me, has to be done on the client part.

For the client certs, they are issued via http://Foo_CAServer/certsrv. However, they can access the web site only if they specify the client certs as "to be installed in the local machine store". The client cert has to be exported as a pfx file, which if I've not been mistaken contains both the public and private key. This is necessary because if the cert is exported or downloaded in the format, for example, as a base64 X.509 .CER file, the user will not be able to use this cert to access the page, having Schannel complaining that the client cert doesn't have a private key.

And the client cert has to be installed in the local machine store first, and then export the cert _again_ and reinstall it to CU. The reason for doing this is that the page cannot locate the client cert in the LM store (or is there a way to do so?). This is what I regard as something weird.

However, is it possible that I can allow the user to get his newly issued cert (with private key) saved in a physical location like on the hard disk, and when accessing the site he only needs to upload the cert file to the site instead of having the cert installed permanently in the cert repository?

Also, if the "upload" thing is possible, in what format should the cert be? I don't think it should be a .CER file because it does not contain the private key, which I tried before. Then should it be a .pfx file? Is it standard practice that web sites usually require users to present a cert file which contains both public and private keys, i.e. a .pfx file? Or I might have a wrong understanding of how client certs should be issued; if so please correct me.

Also how should the cert upload be implemented? I'm using ASP.NET, and derived from the message above I guess the code should be like this:

using System.Net;
using System.Security.Cryptography.X509Certificates;

// We are in the upload cert page, let's say
// the cert file is already uploaded to path strFile
string sURLThatNeedsCert = "...";
// Build an outbound request from the server to the protected URL
HttpWebRequest hr = (HttpWebRequest)WebRequest.Create(sURLThatNeedsCert);
// Attach the uploaded cert file to that outbound request
hr.ClientCertificates.Add(
    X509Certificate.CreateFromCertFile(strFile));
// Send the user's browser on to the protected page
Response.Redirect(sURLThatNeedsCert);

I'm pretty uncertain if I am on the right track, or if the code is totally nuts...
Sorry for the long post but hope that someone will help out. Thanks in advance!

--------------------------------
From: David Chan

-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)

Dominick Baier [DevelopMentor]
06-02-2005
Hello David Chan via .NET 247,

the cert has to be available via CryptoAPI, and IE will present you
with a dialog from which you can choose the right one.

This could be the cert store on the harddrive or a smartcard/token.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
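To show the server side of what the reply describes, here is an added example (not code from either poster): the browser proves possession of the private key during the TLS handshake, and the ASP.NET page only ever receives the public certificate through Request.ClientCertificate, so nothing is uploaded. The class and method names, the issuer thumbprint placeholder and the assumption that the IIS virtual directory is set to require client certificates are mine, not from the thread.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Assumed: runs inside an ASP.NET page/handler under an IIS virtual directory
// that requires client certificates over HTTPS. Names are illustrative.
public static class ClientCertLogon
{
    // Placeholder: thumbprint of the enterprise CA that issued the client certs.
    const string IssuerThumbprint = "REPLACE-WITH-ISSUING-CA-THUMBPRINT";

    // Returns the identity carried by the certificate the browser presented in
    // the TLS handshake, or null if none was presented or it is not acceptable.
    public static string AuthenticateFromHandshake(HttpRequest request)
    {
        HttpClientCertificate cc = request.ClientCertificate;
        if (!cc.IsPresent)
            return null;                       // browser sent no certificate

        // Only the public certificate reaches the server; the private key stayed
        // with the client (CryptoAPI store or smart card) and signed the handshake
        // there, which is why no .pfx upload is needed or wanted.
        X509Certificate2 cert = new X509Certificate2(cc.Certificate);

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        if (!chain.Build(cert))
            return null;                       // untrusted, expired or revoked

        // Pin the issuer: chaining to some trusted root is not enough, the cert
        // must come from the CA this site enrolled its users against.
        bool fromOurCa = false;
        foreach (X509ChainElement el in chain.ChainElements)
            if (string.Equals(el.Certificate.Thumbprint, IssuerThumbprint,
                              StringComparison.OrdinalIgnoreCase))
                fromOurCa = true;
        if (!fromOurCa)
            return null;

        // Map the certificate to an account: UPN if present, else the subject DN.
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        return upn.Length > 0 ? upn : cert.Subject;
    }

    // Why a .CER export cannot log a user on: it carries no private key, so the
    // client cannot prove possession during the handshake. A .PFX export can.
    public static bool CanActAsClientIdentity(string path, string pfxPassword)
    {
        X509Certificate2 c = new X509Certificate2(path, pfxPassword);
        return c.HasPrivateKey;
    }
}
```

The second method is for local diagnosis only; a site should never ask users to hand over a .pfx, since that surrenders the private key that makes the certificate an identity.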
