I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.

Installing the certificate and trying to access the restricted area in various browsers gives the following results:

  • IE6 - Works fine and I can retrieve the WSDL

  • IE7 - Prompts for the certificate but then fails with a 403.7 from the server

  • Firefox3 - Set to ask, but no prompt and fails with a 403.7

  • Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7

Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.

Strange that this works in IE6 but in no other browser. What am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?

Any help would be greatly appreciated.

A: 

Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:

    openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12

Marc
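
The difference the answer describes, as an added example that is not part of the original post: the script builds a constructed root -> intermediate -> client hierarchy, exports the client certificate with and without `-chain -CAfile chain.pem`, and counts the certificates stored in each PKCS#12 file. The CA names, the `demo.cnf` file, the helper function names and the `demo` password are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example. Constructed throwaway PKI: all names and the "demo" password are made up.
set -e

make_pki() {  # $1 = empty work dir; builds root -> intermediate -> client
    ( cd "$1"
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    for n in root inter client; do   # one key and CSR per entity
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=Demo $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
    done
    sign() { openssl x509 -req -days 2 -extfile demo.cnf "$@" 2>/dev/null; }
    sign -extensions ca   -in root.csr   -signkey root.key -out root.pem
    sign -extensions ca   -in inter.csr  -CA root.pem  -CAkey root.key  -CAcreateserial -out inter.pem
    sign -extensions leaf -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out cert.pem
    mv client.key key.pem
    cat inter.pem root.pem > chain.pem )   # intermediates plus root, as in the answer
}

export_p12() {  # $1 = work dir, $2 = output file, rest = extra pkcs12 options
    ( cd "$1"; out=$2; shift 2
      openssl pkcs12 -export "$@" -in cert.pem -inkey key.pem -passout pass:demo -out "$out" )
}

count_certs() {  # prints how many certificates a PKCS#12 file contains
    openssl pkcs12 -in "$1" -passin pass:demo -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

d=$(mktemp -d)   # left in place afterwards so the files can be inspected
make_pki "$d"
export_p12 "$d" leaf-only.p12                          # client certificate and key only
export_p12 "$d" cert.p12 -chain -CAfile chain.pem      # the answer's command
echo "leaf-only.p12: $(count_certs "$d/leaf-only.p12") certificate(s)"
echo "cert.p12:      $(count_certs "$d/cert.p12") certificate(s)"
```

Running `count_certs` against a real export is a quick way to confirm the intermediates are in the file before importing it into a browser or keystore.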