views: 1161

answers: 4

I am setting up support for users to sign in with client certificates. Unfortunately IIS refuses to acknowledge any certificate not chained to an installed CA (see this article).

As the feature is implemented only for users' convenience, it would be great to allow any client certificate. Is there any way to accomplish this?

My server is running Windows Server 2003 and IIS 6, but the behaviour is no different on my IIS 7 running locally. If IIS 7 could be customized to support any client certificate, I would be able to change though (given no solution for IIS 6 is available).

+1  A: 

I think the normal way is for you to issue the certificates to them, and then for you to set up IIS to accept your cert as a root.

Lou Franco
This is what many sites are doing, but I don't think it should be necessary (it might be possible it is).
troethom
A: 

I think you can add a new root CA cert via the certmgr command:

    certmgr --add -c -m Trust <CA_cert_DER_fmt>

Note: Unlike UNIXes, Windows manages certs for all applications simultaneously, which can have security implications, so beware of that.

Purfideas
With regard to my response to your comment and the possible security implications, I don't think this is a valid answer.
troethom
Actually our comments above have nothing to do with the security implications I'm referring to in the Note. There I'm simply warning that if you trust a new root CA for IIS, then by default your local IE will also trust that CA for outbound traffic to say https://yourbank.com, not always good.
Purfideas
While I do want to accept any certificate (by customizing the handshake), I have no intention of letting the server decide which to trust. This is a matter of my own and I will evaluate the certificates in my software.
troethom
A: 

WCF allows you to write a custom X.509 certificate handler. In the code you can do a check such as comparing the thumbprint against a known value in the database.

eed3si9n
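As an added example (not code from the answer above), here is the thumbprint check described by eed3si9n written as a WCF custom `X509CertificateValidator`. It assumes a self-hosted `ServiceHost`; `MyService` and the thumbprint list are placeholders, and the thumbprints would normally come from the database the answer mentions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts a client certificate regardless of which CA issued it, but only when its
// SHA-1 thumbprint is one the server has registered. Possession of the matching
// private key is already proven by the TLS handshake, so the thumbprint identifies the user.
public class ThumbprintCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> _knownThumbprints;

    public ThumbprintCertificateValidator(IEnumerable<string> knownThumbprints)
    {
        _knownThumbprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var tp in knownThumbprints)
            _knownThumbprints.Add(Normalize(tp));
    }

    // Strip spaces and colons so values copied from the certificate UI compare equal.
    private static string Normalize(string thumbprint)
    {
        return thumbprint.Replace(" ", "").Replace(":", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Still reject expired or not-yet-valid certificates even when the thumbprint matches.
        DateTime now = DateTime.UtcNow;
        if (now < certificate.NotBefore.ToUniversalTime() || now > certificate.NotAfter.ToUniversalTime())
            throw new SecurityTokenValidationException("Client certificate is outside its validity period.");

        if (!_knownThumbprints.Contains(Normalize(certificate.Thumbprint)))
            throw new SecurityTokenValidationException("Client certificate thumbprint is not registered.");
    }
}

// Wiring (placeholder service type and constructed thumbprint value):
// var host = new ServiceHost(typeof(MyService));
// host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
// host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator =
//     new ThumbprintCertificateValidator(new[] { "00112233445566778899AABBCCDDEEFF00112233" });
```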
+1  A: 

Implement this class:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // Accepts every certificate presented to this client, whatever validation problem was reported.
    public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
    {
        public TrustAllCertificatePolicy() {}

        public bool CheckValidationResult(ServicePoint sp, X509Certificate cert, WebRequest req, int problem)
        {
            // Returning true ignores the reported problem (expired, name mismatch, untrusted root, ...).
            return true;
        }
    }

Set it using the following line of code. Afterward, any certificate, whether expired, name-mismatched, etc., will be accepted.

    System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
Chris Ballance
The main issue is that IIS sends a list of known CAs in the SSL handshake. This code doesn't change that. I need some way to override the IIS behaviour or configure it to send a wild card.
troethom