How to validate client certificate?

JT wrote:

I'm looking for information on how to programmatically validate a client certificate. I found this article http://support.microsoft.com/kb/315588/ but it stops short in describing how to actually validate the cert.

    HttpClientCertificate cert = Request.ClientCertificate;
    if (cert.IsPresent)
        certDataLabel.Text = cert.Get("SUBJECT O");
    else
        certDataLabel.Text = "No certificate was found.";

I can get this part working. However, when I revoke the certificate it is still present and would allow the user in. I'm looking for how to say something like:

    if (cert.IsNotRevoked)
        Do Something();

How do you check that the client certificate is not revoked? Interact with the CA and the CRL programmatically?

Thanks in advance!

Dominick Baier wrote:

Which .NET Version?

What's the value of the IsValid property?

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

JT wrote:

Thanks for your reply. Well, I'm using 1.1 and 2.0 in different projects, so I actually need both. The IsValid property is true, but it remains true even if I revoke the cert (we are our own CA). I was surprised at this (although perhaps it is cached somewhere). My app presents sensitive data, so if I revoke a cert I need it to deny the user at that very moment.

Is IsValid the only thing people are doing, or is there a more thorough approach to validating the certs?

Thanks again.

Joe Kaplan wrote:

The ideal thing would be to get IIS to check the revocation of the certificate for you. If that was to happen, the user would never authenticate in the first place and your code would never run. I'm not sure exactly how you configure SSL in IIS to do this though. There is probably either a metabase or registry setting somewhere. I am pretty sure that schannel in Windows 2003 can check CRLs though.

If you want to do this in code, the X509Chain class in .NET 2.0 can be used to try to verify this sort of thing. You don't have good options in .NET 1.1 (p/invoke to the crypto API).

Best of luck!

Joe K.
--
Joe Kaplan - MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JT" <jtaylor1***@gmail.com> wrote in message news:1156551193.771065.276480@m79g2000cwm.googlegroups.com...

Dominick Baier wrote:

Yeah, there is a reg setting for IIS to check CRLs... Can't find it at the moment - google should be your friend.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

JT wrote:

Thanks. I think I may have found it, but I still need to confirm. I got it to work manually using certutil -crl, which publishes the CRL. I can issue a cert, get into the app, revoke the cert, call certutil, and then I can't get in. It looks like there are a couple of other things to consider in order to automate it effectively: first, how often the server publishes the CRL, and second, how often the client checks the CRL. There appear to be pros and cons to consider in terms of performance when setting these intervals.

Revoking certificates and publishing CRLs
http://technet2.microsoft.com/WindowsServer/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true

Schedule the publication of the certificate revocation list
http://technet2.microsoft.com/WindowsServer/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?mfr=true

CertCheckMode Metabase Property (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0c08d268-1634-4486-8382-b735e295b3aa.mspx?mfr=true

RevocationFreshnessTime Metabase Property (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a7540ad3-0a18-41b8-81e0-43523a92347d.mspx?mfr=true
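The code-side approach Joe Kaplan points at (X509Chain, .NET 2.0 and later) worked through as an added example for this page; it is not code posted by any of the thread's participants. It assumes the caller hands in the DER bytes that ASP.NET exposes as Request.ClientCertificate.Certificate, that the CA's CRL distribution point is reachable from the web server (or a fresh CRL is already cached), and that ExpectedIssuerThumbprint is replaced with your own CA's thumbprint (the value below is a placeholder). Two choices are deliberate: revocation is checked for the whole chain, and an unknown or offline revocation status is treated as a rejection rather than a pass.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example for this page, not code from the thread. X509Chain exists from
// .NET 2.0 onward; there is no managed equivalent in 1.1.
public static class ClientCertValidator
{
    // PLACEHOLDER (assumption): thumbprint of the only CA allowed to issue
    // client certificates for this application. Replace before use.
    private const string ExpectedIssuerThumbprint = "REPLACE_WITH_YOUR_CA_THUMBPRINT";

    // Enhanced key usage OID for "Client Authentication" (id-kp-clientAuth).
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    public static bool Validate(X509Certificate2 cert, out string reason)
    {
        if (cert == null)
        {
            reason = "no client certificate presented";
            return false;
        }

        X509Chain chain = new X509Chain();
        // Consult CRLs instead of skipping revocation (the default is Online,
        // but stating it makes the policy explicit and reviewable).
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // Check every certificate in the path, not just the leaf.
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // NoFlag: time validity, trust and revocation problems all fail Build().
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
        // The certificate must be valid for client authentication.
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));

        bool built = chain.Build(cert);

        // Report revocation problems first so logs say why a user was refused.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            X509ChainStatusFlags f = status.Status;
            if ((f & X509ChainStatusFlags.Revoked) != 0)
            {
                reason = "certificate revoked: " + status.StatusInformation;
                return false;
            }
            if ((f & (X509ChainStatusFlags.RevocationStatusUnknown |
                      X509ChainStatusFlags.OfflineRevocation)) != 0)
            {
                // Fail closed: a missing or stale CRL is not proof of non-revocation.
                reason = "revocation status undetermined: " + status.StatusInformation;
                return false;
            }
        }

        if (!built)
        {
            reason = "chain did not build: " + (chain.ChainStatus.Length > 0
                ? chain.ChainStatus[0].StatusInformation : "unknown");
            return false;
        }

        // Pin the issuer: "any CA trusted by the machine" is broader than intended.
        X509ChainElementCollection elements = chain.ChainElements;
        if (elements.Count < 2)
        {
            reason = "self-issued certificate; expected one issued by our CA";
            return false;
        }
        string issuerThumb = elements[1].Certificate.Thumbprint;
        if (!string.Equals(issuerThumb, ExpectedIssuerThumbprint,
                           StringComparison.OrdinalIgnoreCase))
        {
            reason = "issued by an unexpected CA: " + issuerThumb;
            return false;
        }

        reason = "ok";
        return true;
    }

    // In ASP.NET, pass Request.ClientCertificate.Certificate (DER bytes) here.
    public static bool ValidateRaw(byte[] rawCert, out string reason)
    {
        if (rawCert == null || rawCert.Length == 0)
        {
            reason = "no client certificate presented";
            return false;
        }
        return Validate(new X509Certificate2(rawCert), out reason);
    }

    // Stand-alone use: ClientCertValidator.exe <client-cert.cer>
    public static void Main(string[] args)
    {
        string reason;
        bool ok = ValidateRaw(File.ReadAllBytes(args[0]), out reason);
        Console.WriteLine((ok ? "ACCEPT" : "REJECT") + ": " + reason);
    }
}
```

This does not change the timing caveat JT raises in the last post: X509Chain delegates to Windows CryptoAPI, which caches a downloaded CRL until its next-update time, so a certificate revoked a minute ago still passes until the CA publishes a new CRL (certutil -crl) and the cached copy expires. Short CRL publication intervals, or the IIS-level CertCheckMode and RevocationFreshnessTime settings linked above, are what close that window; the code only enforces whatever the freshest available CRL says.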