How To: Set Up Client Certificates
J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation
November 2002
Microsoft® ASP.NET
Microsoft Visual Studio® .NET
See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.
Summary: IIS supports client certificate authentication. This How To shows you how to configure a Web application to require client certificates. It also shows you how to install a certificate on a client computer and use it when calling the Web application. (5 printed pages)
Contents
Web services often need to be able to authenticate their callers (other applications) in order to perform authorization. Client certificates provide an excellent authentication mechanism for Web services. When you use client certificates, your application also benefits from the creation of a secure channel (using Secure Sockets Layer [SSL]) between the client application and Web service. This allows you to securely send confidential information to and from the Web service. SSL ensures message integrity and confidentiality.
This How To includes step-by-step instructions to call a Web service that is configured to require client certificates.
Note The information in this How To also applies to remote components hosted by IIS.
Requirements
The following items describe the recommended hardware, software, network infrastructure, skills and knowledge, and service packs you will need.
· Microsoft® Windows® 2000 Server operating system with Service Pack 2
· Microsoft Visual Studio® .NET development system
· Access to a Certificate Authority (CA) to generate new certificates
· A Web server with an installed server certificate
For more information about installing Web server certificates, see How To: Set Up SSL on a Web Server in the Reference section of this guide.
The procedures in this How To also require that you have knowledge of ASP.NET Web development with the Microsoft Visual C#™ development tool.
Summary
This How To includes the following procedures:
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
1. Create a Simple Web Application
To create a simple Web application
1. Start Visual Studio .NET and create a new C# ASP.NET Web application called SecureApp.
2. Drag a label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to message.
3. Drag a second label onto WebForm1.aspx and set its ID property to certData.
4. Add the following code to the Page_Load event procedure.
5. string username;
6. username = User.Identity.Name;
7. message.Text = "Welcome " + username;
8. HttpClientCertificate cert = Request.ClientCertificate;
9. if (cert.IsPresent)
10. {
11. certData.Text = "Client certificate retrieved";
12. }
13. else
14. {
15. certData.Text = "No client certificate";
16. }
17. On the Build menu, click Build Solution.
18. Start Internet Explorer and navigate to http://localhost/SecureApp/WebForm1.aspx.
The page should be displayed with the messages "Welcome" (no user name is displayed because the user has not been authenticated) and "No client certificate."
19. Close Internet Explorer.
2. Configure the Web Application to Require Client Certificates
This procedure uses Internet Information Services (IIS) to configure your Web application's virtual directory to require certificates.
This procedure assumes that you have a valid certificate installed on your Web server. For more information about installing Web server certificates, see How To: Set Up SSL on a Web Server.
To configure your Web application's virtual directory to require certificates
1. On the Web service host computer, start IIS.
2. Navigate to the SecureApp virtual directory.
3. Right-click SecureApp, and then click Properties.
4. Click the Directory Security tab.
5. Under Secure communications, click Edit.
If Edit is unavailable, it is likely that a Web server certificate is not installed.
6. Select the Require secure channel (SSL) check box.
7. Select the Require client certificates option.
8. Click OK, and then click OK again.
9. In the Inheritance Overrides dialog box, click Select All, and then click OK to close the SecureApp properties dialog box.
This applies the new security settings to all subdirectories in the virtual directory root.
10. To confirm that the Web site is configured correctly, start Internet Explorer and browse (using HTTPS) to https://localhost/secureapp/webform1.aspx.
11. A Client Authentication dialog box is displayed by Internet Explorer asking you to select a client certificate. Because you have not yet installed a client certificate, click OK, and confirm that an error page is displayed informing you that the page requires a client certificate.
12. Close Internet Explorer.
3. Request and Install a Client Certificate
This procedure installs a client-side certificate. You can use a certificate from any certificate authority, or you can generate your own certificate using Microsoft Certificate Services as described in the following sections.
This procedure assumes that Microsoft Certificate Services is configured for pending requests, which require an administrator to explicitly issue the certificate. It can also be configured to automatically issue certificates in response to certificate requests.
To check the certificate request status setting
1. On the Microsoft Certificate Services computer, select Certification Authority from the Administrative Tools programs group.
2. Expand Certification Authority (Local), right-click the certification authority and click Properties.
3. Click the Policy Module tab, and then click Configure.
4. Check the default action.
The following procedure assumes that Set the certificate request status to pending. Administrator must explicitly issue the certificate is selected.
To request a client-side certificate
1. Start Internet Explorer and navigate to http:// hostname/certsrv, where hostname is the name of the computer on which Microsoft Certificate Services is installed.
2. Click Request a certificate, and then click Next.
3. On the Choose Request Type page, click User Certificate, and then click Next.
4. Click Submit to complete the request.
5. Close Internet Explorer.
To issue the client-side certificate
1. From the Administrative Tools program group, start the Certification Authority tool.
2. Expand your certificate authority, and then select the Pending Requests folder.
3. Select the certificate request you just submitted, point to All Tasks on the Action menu, and then click Issue.
4. Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
5. On the Details tab, click Copy to File to save the certificate as a Base-64 encoded X.509 certificate.
6. Close the properties window for the certificate.
7. Close the Certification Authority tool.
To install the client-side certificate
1. To view the certificate, start Windows Explorer, navigate to the .cer file saved in the previous procedure, and then double-click it.
2. Click Install Certificate, and then click Next on the first page of the Certificate Import Wizard.
3. Select Automatically select the certificate store based on the type of certificate, and then click Next.
4. Click Finish to complete the wizard. Dismiss the confirmation message box, and then click OK to close the certificate.
4. Verify Client Certificate Operation
This procedure verifies that you can access the SecureApp application using a client certificate.
To verify client certificate operation
1. Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx.
2. Confirm that the Web page displays successfully.