Require only specific client certificates in IIS

Question

I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.

I've set the SSL Settings to Require SSL and require client certificates. Looks good so far. Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:

When the server prompts for a certificate, the request includes a list of the certification authorities that the server trusts. The client then compares this list to the list of certification authorities that the client trusts and creates a list of the ones that match. Then, the client compares that list to the client certificates it has and determines which, if any, certificates have been issued by certification authorities that both the client and the server trust.

Apparently the client will send certificates that both sides trust. What I'm interested in is can I configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.

What is to stop someone using a client certificate from VeriSign or use from our certificate authority that were intended for some other purpose?

Answer 1

This post assumes that you have successfully set up a web site that requires a client certificate that the server trusts.

See this post for creating and allowing client certificates in IIS and IIS Express if you do not have that already: https://stackoverflow.com/a/57311258/3850405

For this to work some say that IIS Client Certificate Mapping Authentication needs to be enabled but I have tried this on a Windows Server 2012 R2 Datacenter and it worked anyway. However I think it is good to add and it is the recommended approach so add it via Add Roles and Features or Turn Windows features on or off dependent on your OS.

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/onetoonemappings/

Start by navigating to your site in IIS Manager and click on Configuration Editor.

From there navigate to Section system.webServer/security/authentication/iisClientCertificateMappingAuthentication or simply paste the string in the Section field.

Set enabled to True and then add a oneToOneMappings.

To get value for certificate property start mmc.exe and export your client certificate. Mine is located at Personal certificates for Local Computer.

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

Certificates (Local Computer) -> Personal -> Certificates -> Right click on your client certificate -> All tasks -> Export...

When the Certificate Export Wizard opens:

• Click Next.
• Choose No, do not export the private key, then click Next.
• Choose Base-64 encoded X.509 9 (.CER) for the export format, then click Next.
• Choose to save the certificate to your desktop as
  MyCertificate.cer, then click Next.
• Click Finish; you should see a dialog box that says the export was successful.

Open the MyCertificate.cer file that you exported using Windows Notepad:

• Remove "-----BEGIN CERTIFICATE-----" from the start of the text.
• Remove "-----END CERTIFICATE-----" from the end of the text.
• Concatenate all the lines into a single line of text. This is the data you need.

I usually use Notepad++ and remove all \r\n since I think this is faster.

How do I remove linebreaks in Notepad++?

https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/onetoonemappings/

Then last step is to add a local userName and password for a user on that computer/server. In the end it should look something like this.

Save the values and then your web site will require a specific client certificate.

Answer 2

I believe this link provides the solution you are looking for. And it appears to be quite detailed. I am going to try it in the next couple of days and will get back my findings.

https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/