Configuring client certificates for mutual authentication on IIS 8
After spending more than 3 hours configuring mutual authentication on one of my projects, I decided to write this article to ease the IIS configuration for those who want mutual authentication between their web server and client applications.
I write this blog using a self-signed certificate for demonstration purposes; the same steps can be used for valid certificates.
Assuming you have installed IIS on your machine (note: when installing IIS, include Client Certificate Mapping Authentication), here are the steps.
1. Make your website require a client certificate
Open SSL Settings for your site.
On the SSL Settings page, tick the Require SSL checkbox and, in the Client certificates section, choose Require so that every client connection to the website must present a certificate.
2. Generating self-signed root and client certificates
For this blog we use our own Root CA and client certificate. I use makecert.exe (found in the Windows SDK) to create the certificates.
2.1 Generate a root certificate for signing your client certificates
makecert -n "CN=ClientRootCA" -r -sv ClientRootCA.pvk ClientRootCA.cer
This creates your root certificate and private key.
- In the Create Private Key Password dialog box, enter a password, confirm the password, and then click OK. Optionally, you can click None without entering a password, but this is not recommended for security reasons.
- In the Enter Private Key Password dialog box, enter the password again and then click OK. This is the password needed to access the private key file ClientRootCA.pvk in order to generate the file ClientRootCA.cer containing the public key.
2.2 Installing the root certificate on the server machine
In this step we install the certificate in the Trusted Root Certification Authorities store.
To do this, run MMC on your machine, then click File -> Add/Remove Snap-in and add the Certificates snap-in for the local computer.
Then import the certificate you created in 2.1 (ClientRootCA) into Trusted Root Certification Authorities.
In the left panel go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.
Right-click on Certificates and choose All Tasks -> Import.
On the next dialog choose the ClientRootCA.cer file you created earlier.
Click Next and then Finish. You will now see your certificate in the trusted certificate list.
Your Root CA is now trusted by your server. Any certificate signed by the Root CA will be trusted from now on.
3. Create a sample client certificate for authentication with your server
The issuer key and certificate (-iv and -ic) must be the root CA files created in step 2.1:
makecert -sk MyKeyName -iv ClientRootCA.pvk -n "CN=tempClientcert" -ic ClientRootCA.cer -sr currentuser -ss my -sky signature -pe
- In the Enter Private Key Password dialog box, enter the password for the root CA private key file you created in the previous step.
This command creates the certificate in the current user's Personal certificate store (from where it can be exported later using MMC).
4. Export the client certificate for use
Again open MMC as before.
- Go to File -> Add/Remove Snap-in
- As before choose Certificates -> Add, but this time choose My user account
This creates another tree on the left side, "Certificates - Current User".
Open it and go to Personal -> Certificates.
You will see "tempClientcert" in the certificate list (that is your test client certificate, which will be used to authenticate).
- Right-click on the certificate and choose All Tasks -> Export; this opens the export wizard. Click Next.
We will export the certificate twice: once with the private and public key together (used by the client to authenticate) and once with only the public key (used for the mapping on IIS).
Export with private key
After clicking Next on the export wizard, choose "Yes, export the private key" and the options shown, then click Next.
Provide a password and click Next.
Then give it a name on the next dialog, save the file as "clientCertificate.pfx" (choose the .pfx file type) and click Finish.
Export only the public key
Open the export wizard again. This time select the second option, "No, do not export the private key".
Choose Base-64 encoded X.509 (.CER).
Click Next, give it a name (like client_public) on the next dialog and click Finish.
This creates the public key file of your client certificate.
Now open this file with Notepad and copy only the string between
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Join it into one line by removing the line breaks between the lines (Notepad++ does the job easily).
(*Note: this string will be used for the mapping on IIS.)
5. Configuring the IIS mapping
Now open IIS Manager to map the client certificate to your website.
Click on your website and double-click Authentication.
Disable Anonymous Authentication.
Apply the changes, then in the Management section double-click Configuration Editor.
- In Section enter system.webServer/security/authentication/iisClientCertificateMappingAuthentication
- Change enabled to True
- Change oneToOneCertificateMappingsEnabled to True
- Click on oneToOneMappings
The Collection Editor dialog opens.
- First click Add in the top right corner
- In certificate, paste the one-line public certificate string from the step above (the one we said will be used for the IIS mapping)
- Change enabled to True
- Give a valid Windows username and password that can log in to the server machine
- Then close the dialog
Click Apply. The mapping for your site is now done.
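Steps 1, 4 (flattening the exported .cer) and 5 can also be scripted. The following PowerShell is an added example, not code from the original post, using the WebAdministration module; the site name, .cer path and mapped account are assumptions.

```powershell
# Added example, not from the original post: scripts steps 1, 4 (flattening the
# exported .cer) and 5 with the WebAdministration module. Run in an elevated
# PowerShell on the IIS server. Site name, file path and account are assumptions.
Import-Module WebAdministration

$site    = 'Default Web Site'              # assumption: site to protect
$cerPath = 'C:\certs\client_public.cer'    # assumption: Base-64 .cer exported in step 4
# Assumption: a dedicated low-privilege local account. Every request presenting
# this certificate runs as this user, so do not map it to an administrator.
$cred = Get-Credential -UserName 'SERVER\certuser' -Message 'Account the client certificate maps to'

# Step 4: drop the BEGIN/END lines and blank lines, join the rest into one line.
$base64 = (Get-Content $cerPath |
           Where-Object { $_ -notmatch '^-----' -and $_.Trim() } |
           ForEach-Object { $_.Trim() }) -join ''

# Check that the string really is a certificate before writing it into the mapping.
$bytes = [Convert]::FromBase64String($base64)
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
Write-Host "Mapping $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $($cred.UserName)"

$common  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }   # writes applicationHost.config
$auth    = 'system.webServer/security/authentication'
$mapping = "$auth/iisClientCertificateMappingAuthentication"

# Step 1: Require SSL + Require client certificates (the SSL Settings page).
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Step 5: disable Anonymous Authentication, turn on one-to-one certificate mapping.
Set-WebConfigurationProperty @common -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter $mapping -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter $mapping -Name oneToOneCertificateMappingsEnabled -Value $true

# Add the mapping entry: the one-line Base-64 body plus the account it maps to.
# IIS encrypts the password attribute in applicationHost.config when the entry is saved.
Add-WebConfigurationProperty @common -Filter "$mapping/oneToOneMappings" -Name '.' -Value @{
    enabled     = $true
    userName    = $cred.UserName
    password    = $cred.GetNetworkCredential().Password
    certificate = $base64
}
```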
6. Client side
Client certificate authentication is now enabled for your site; when you browse to it, the server will require you to present a client certificate.
The client certificate is the one we exported as "clientCertificate.pfx".
On the client machine, import the certificate by double-clicking the .pfx file and importing it into your personal certificate store; the browser will then offer it in its certificate selection dialog (in the above image it has been imported and can be seen in the Select a certificate option).
Without a certificate, or with an invalid one, the server returns an error to the client.
With a valid certificate you can access the site securely.
I hope this will help you folks.
I will write about how to use client certificates from a .NET application.