Hi, if a client certificate which is used for mapping in IIS6 is renewed, do I then have to renew the mapping (one-to-one mapping!) as well?!?! At least it looks so! Why is this? The public key is the same as in the expired cert! I would assume/think that IIS 6 is using the public key for mapping! Can someone confirm or clarify, please! Thanks in advance, k.

A: 

Unfortunately, the authentication isn't checked against the keys, but rather against the certificate presented. Because the mapped certificate they have is no longer valid (or doesn't match the certificate used to sign the request), the authentication will fail to match.

Think of a certificate like a driver's license and the mapped certificate like a list of driver's licenses authorized for a particular resource. If you renew your driver's license, you will also need to get your updated license on the list.

I believe Microsoft understands this challenge and has ways to update client certificate mappings automatically, but I don't know the details.

Jason R. Coombs
Thanks! Oh, that's really weak from Microsoft... Surely, the mappings could be programmatically updated via a script or program. But if the keys are still identical then the mapping could work without being renewed (technically). I think so, at least. A many:1 mapping could maybe help me... Or is there someone here who knows an alternative/better way to accomplish renewal with 1:1 mapped client certs??
krile
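
Added illustration, not part of the original thread: the script below renews a constructed client certificate with the same private key and shows that the certificate thumbprint changes while the public-key (SPKI) digest stays the same, which is why a mapping that compares the presented certificate stops matching after renewal. It assumes the OpenSSL CLI is available; the key, the subject `client.example` and the function names are constructed for the demo, and self-signed certificates stand in for CA-issued ones.

```shell
#!/bin/sh
# Constructed demo: "renew" a client certificate with the SAME private key and
# compare whole-certificate identity with public-key identity.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# SHA-1 thumbprint over the full DER certificate
# (serial number, validity dates and signature are all included).
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# SHA-256 over the DER SubjectPublicKeyInfo only (the public key).
spki_digest() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# issue_cert <serial> <outfile>: self-signed stand-in for a CA-issued client cert.
issue_cert() {
    openssl req -x509 -new -key "$work/client.key" -subj "/CN=client.example" \
        -days 365 -set_serial "$1" -out "$2"
}

openssl genrsa -out "$work/client.key" 2048 2>/dev/null
issue_cert 1 "$work/original.pem"   # the certificate that was mapped
issue_cert 2 "$work/renewed.pem"    # the renewal: same key, new serial

for c in original renewed; do
    echo "$c thumbprint: $(cert_thumbprint "$work/$c.pem")"
    echo "$c spki:       $(spki_digest "$work/$c.pem")"
done
```

The same two functions can be run against a real expired and renewed certificate pair to confirm that the key was actually reused before deciding how to handle the mapping.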
