"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I made a certificate with SelfSSL and it is added to the site.
> I see the option 'require client certificates', what does that mean? How
> can
> it be initiated?
>
> Fré
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
> If you enable that option the users will have to authenticate with user's
> certificate. This also means that you will have to deploy client
> certificate to any users that will need to access your web server.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> I made a certificate with SelfSSL and it is added to the site.
>> I see the option 'require client certificates', what does that mean? How
>> can
>> it be initiated?
>>
>> Fré
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
> And how do I have to make a client certificate?
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>> If you enable that option the users will have to authenticate with user's
>> certificate. This also means that you will have to deploy client
>> certificate to any users that will need to access your web server.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>> Hi,
>>>
>>> I made a certificate with SelfSSL and it is added to the site.
>>> I see the option 'require client certificates', what does that mean? How
>>> can
>>> it be initiated?
>>>
>>> Fré
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
> It depends. Would these users be part of your domain? If yes then the best
> answer is by using Microsoft Enterprise CA server.
>
> Here are some articles on how to set up Microsoft CA and how to deploy
> certificates to users.
>
> Best Practices for Implementing a Microsoft Windows Server2003 Public Key
> Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> Implementing and Administering Certificate Templates in Windows Server
> 2003
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> PKI Enhancements in Windows XP Professional and Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>
> Windows Server 2003 PKI Operations Guide
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> Managing a Windows Server 2003 Public Key Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>
> Advanced Certificate Enrollment and Management
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>> And how do I have to make a client certificate?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>> If you enable that option the users will have to authenticate with
>>> user's certificate. This also means that you will have to deploy client
>>> certificate to any users that will need to access your web server.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>> Hi,
>>>>
>>>> I made a certificate with SelfSSL and it is added to the site.
>>>> I see the option 'require client certificates', what does that mean?
>>>> How can
>>>> it be initiated?
>>>>
>>>> Fré
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
> The users will not be part of the domain.
>
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>> It depends. Would these users be part of your domain? If yes then the
>> best answer is by using Microsoft Enterprise CA server.
>>
>> Here are some articles on how to set up Microsoft CA and how to deploy
>> certificates to users.
>>
>> Best Practices for Implementing a Microsoft Windows Server2003 Public Key
>> Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>
>> Implementing and Administering Certificate Templates in Windows Server
>> 2003
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>
>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>
>> Windows Server 2003 PKI Operations Guide
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>
>> Managing a Windows Server 2003 Public Key Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>
>> Advanced Certificate Enrollment and Management
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>> And how do I have to make a client certificate?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>> If you enable that option the users will have to authenticate with
>>>> user's certificate. This also means that you will have to deploy client
>>>> certificate to any users that will need to access your web server.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>> I see the option 'require client certificates', what does that mean?
>>>>> How can
>>>>> it be initiated?
>>>>>
>>>>> Fré
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
> Then you have a lot of work to do. If you want to set up your own CA
> server (related articles are listed in my previous article) you have to
> think how users (or you) will safely generate requests and then how you
> will transfer certificates with private key to users (again in safe way).
> In the end you will also have to think how to make these users trust you
> CA server.
>
> This is something that you can avoid if you use commercial CA server like
> Verisign or Thawte since users already trust these CA servers.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>> The users will not be part of the domain.
>>
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>> It depends. Would these users be part of your domain? If yes then the
>>> best answer is by using Microsoft Enterprise CA server.
>>>
>>> Here are some articles on how to set up Microsoft CA and how to deploy
>>> certificates to users.
>>>
>>> Best Practices for Implementing a Microsoft Windows Server2003 Public
>>> Key Infrastructure
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>
>>> Implementing and Administering Certificate Templates in Windows Server
>>> 2003
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>
>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>
>>> Windows Server 2003 PKI Operations Guide
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>
>>> Managing a Windows Server 2003 Public Key Infrastructure
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>
>>> Advanced Certificate Enrollment and Management
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>> And how do I have to make a client certificate?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>> If you enable that option the users will have to authenticate with
>>>>> user's certificate. This also means that you will have to deploy
>>>>> client certificate to any users that will need to access your web
>>>>> server.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>> I see the option 'require client certificates', what does that mean?
>>>>>> How can
>>>>>> it be initiated?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
> So it is impossible :-)
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>> Then you have a lot of work to do. If you want to set up your own CA
>> server (related articles are listed in my previous article) you have to
>> think how users (or you) will safely generate requests and then how you
>> will transfer certificates with private key to users (again in safe way).
>> In the end you will also have to think how to make these users trust you
>> CA server.
>>
>> This is something that you can avoid if you use commercial CA server like
>> Verisign or Thawte since users already trust these CA servers.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>> The users will not be part of the domain.
>>>
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>> It depends. Would these users be part of your domain? If yes then the
>>>> best answer is by using Microsoft Enterprise CA server.
>>>>
>>>> Here are some articles on how to set up Microsoft CA and how to deploy
>>>> certificates to users.
>>>>
>>>> Best Practices for Implementing a Microsoft Windows Server2003 Public
>>>> Key Infrastructure
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>
>>>> Implementing and Administering Certificate Templates in Windows Server
>>>> 2003
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>
>>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>
>>>> Windows Server 2003 PKI Operations Guide
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>
>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>
>>>> Advanced Certificate Enrollment and Management
>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>> And how do I have to make a client certificate?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>> If you enable that option the users will have to authenticate with
>>>>>> user's certificate. This also means that you will have to deploy
>>>>>> client certificate to any users that will need to access your web
>>>>>> server.
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>> I see the option 'require client certificates', what does that mean?
>>>>>>> How can
>>>>>>> it be initiated?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
> Or how long would you think this would take to set up?
>
> Fré
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>> So it is impossible :-)
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>> Then you have a lot of work to do. If you want to set up your own CA
>>> server (related articles are listed in my previous article) you have to
>>> think how users (or you) will safely generate requests and then how you
>>> will transfer certificates with private key to users (again in safe
>>> way). In the end you will also have to think how to make these users
>>> trust you CA server.
>>>
>>> This is something that you can avoid if you use commercial CA server
>>> like Verisign or Thawte since users already trust these CA servers.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>> The users will not be part of the domain.
>>>>
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>> It depends. Would these users be part of your domain? If yes then the
>>>>> best answer is by using Microsoft Enterprise CA server.
>>>>>
>>>>> Here are some articles on how to set up Microsoft CA and how to deploy
>>>>> certificates to users.
>>>>>
>>>>> Best Practices for Implementing a Microsoft Windows Server2003 Public
>>>>> Key Infrastructure
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>
>>>>> Implementing and Administering Certificate Templates in Windows Server
>>>>> 2003
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>
>>>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>
>>>>> Windows Server 2003 PKI Operations Guide
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>
>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>
>>>>> Advanced Certificate Enrollment and Management
>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>> And how do I have to make a client certificate?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>> If you enable that option the users will have to authenticate with
>>>>>>> user's certificate. This also means that you will have to deploy
>>>>>>> client certificate to any users that will need to access your web
>>>>>>> server.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>> mean? How can
>>>>>>>> it be initiated?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>I read that a client certificate can be made by exporting the certificate
>on the server. If I give that certificate to the clients, by just e-mailing
>them, and they install the certificate, will they trust my CA server then?
> Or am I forgetting something?
>
> Fré
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>> Or how long would you think this would take to set up?
>>
>> Fré
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>> So it is impossible :-)
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>> Then you have a lot of work to do. If you want to set up your own CA
>>>> server (related articles are listed in my previous article) you have to
>>>> think how users (or you) will safely generate requests and then how you
>>>> will transfer certificates with private key to users (again in safe
>>>> way). In the end you will also have to think how to make these users
>>>> trust you CA server.
>>>>
>>>> This is something that you can avoid if you use commercial CA server
>>>> like Verisign or Thawte since users already trust these CA servers.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>> The users will not be part of the domain.
>>>>>
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>> It depends. Would these users be part of your domain? If yes then the
>>>>>> best answer is by using Microsoft Enterprise CA server.
>>>>>>
>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>> deploy certificates to users.
>>>>>>
>>>>>> Best Practices for Implementing a Microsoft Windows Server2003 Public
>>>>>> Key Infrastructure
>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>
>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>> Server 2003
>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>
>>>>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>
>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>
>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>
>>>>>> Advanced Certificate Enrollment and Management
>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>> And how do I have to make a client certificate?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>> If you enable that option the users will have to authenticate with
>>>>>>>> user's certificate. This also means that you will have to deploy
>>>>>>>> client certificate to any users that will need to access your web
>>>>>>>> server.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>>> mean? How can
>>>>>>>>> it be initiated?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
> How secure would be that -- if you send clients certificates (with private
> keys) in an e-mail. What if someone else gets that e-mail (it doesn't
> matter how) or hold of those private keys?
> Now in my opinion this would be less secure then telling users passwords
> over the phone.
>
> Regarding trusting your CA. Yes, you could do that. Now the question is
> will users be allowed to import CA chain onto their computers? E.g. in
> some of my environments users don't have that kind of permissions on their
> computers. What will happen if user formats their computer? How much work
> do you expect on supporting these users (it depends on number of users).
> You could talk to administrators of these external users for some help.
> They could deploy CA chain using group policy.
>
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>I read that a client certificate can be made by exporting the certificate
>>on the server. If I give that certificate to the clients, by just
>>e-mailing them, and they install the certificate, will they trust my CA
>>server then?
>> Or am I forgetting something?
>>
>> Fré
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>> Or how long would you think this would take to set up?
>>>
>>> Fré
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>> So it is impossible :-)
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>> Then you have a lot of work to do. If you want to set up your own CA
>>>>> server (related articles are listed in my previous article) you have
>>>>> to think how users (or you) will safely generate requests and then how
>>>>> you will transfer certificates with private key to users (again in
>>>>> safe way). In the end you will also have to think how to make these
>>>>> users trust you CA server.
>>>>>
>>>>> This is something that you can avoid if you use commercial CA server
>>>>> like Verisign or Thawte since users already trust these CA servers.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>> The users will not be part of the domain.
>>>>>>
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>> It depends. Would these users be part of your domain? If yes then
>>>>>>> the best answer is by using Microsoft Enterprise CA server.
>>>>>>>
>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>> deploy certificates to users.
>>>>>>>
>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>> Public Key Infrastructure
>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>
>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>> Server 2003
>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>
>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>
>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>
>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>
>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>> If you enable that option the users will have to authenticate with
>>>>>>>>> user's certificate. This also means that you will have to deploy
>>>>>>>>> client certificate to any users that will need to access your web
>>>>>>>>> server.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>>>> mean? How can
>>>>>>>>>> it be initiated?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
> But would it work if I just make a certificate with SelfSSL, then check
> require secure channel (ssl) and require 128-bit encryption. Choose for
> require client certificates.
> Then in client certificate mapping say when x and/or y are in the client
> certificate, then they are logged on as a user automatically?
>
> Then I send them the exported certificate and they install it. When they
> would then go to my site would they be logged on automatically or would
> they have to chose a certificate?
>
> Would this work?
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>> How secure would be that -- if you send clients certificates (with
>> private keys) in an e-mail. What if someone else gets that e-mail (it
>> doesn't matter how) or hold of those private keys?
>> Now in my opinion this would be less secure then telling users passwords
>> over the phone.
>>
>> Regarding trusting your CA. Yes, you could do that. Now the question is
>> will users be allowed to import CA chain onto their computers? E.g. in
>> some of my environments users don't have that kind of permissions on
>> their computers. What will happen if user formats their computer? How
>> much work do you expect on supporting these users (it depends on number
>> of users). You could talk to administrators of these external users for
>> some help. They could deploy CA chain using group policy.
>>
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>I read that a client certificate can be made by exporting the certificate
>>>on the server. If I give that certificate to the clients, by just
>>>e-mailing them, and they install the certificate, will they trust my CA
>>>server then?
>>> Or am I forgetting something?
>>>
>>> Fré
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>> Or how long would you think this would take to set up?
>>>>
>>>> Fré
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>> So it is impossible :-)
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>> Then you have a lot of work to do. If you want to set up your own CA
>>>>>> server (related articles are listed in my previous article) you have
>>>>>> to think how users (or you) will safely generate requests and then
>>>>>> how you will transfer certificates with private key to users (again
>>>>>> in safe way). In the end you will also have to think how to make
>>>>>> these users trust you CA server.
>>>>>>
>>>>>> This is something that you can avoid if you use commercial CA server
>>>>>> like Verisign or Thawte since users already trust these CA servers.
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>> The users will not be part of the domain.
>>>>>>>
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>> It depends. Would these users be part of your domain? If yes then
>>>>>>>> the best answer is by using Microsoft Enterprise CA server.
>>>>>>>>
>>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>>> deploy certificates to users.
>>>>>>>>
>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>> Public Key Infrastructure
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>
>>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>>> Server 2003
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>
>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>
>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>
>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>
>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>> with user's certificate. This also means that you will have to
>>>>>>>>>> deploy client certificate to any users that will need to access
>>>>>>>>>> your web server.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>>>>> mean? How can
>>>>>>>>>>> it be initiated?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
> As far as I understand your scenario -- this would not work. Certificates
> have their intended purpose and in this case they would be different. For
> the server the intended purpose is "Ensures the identity of a remote
> computer" and for the client authentication to work it must be "Proves
> your identity to a remote computer".
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>> But would it work if I just make a certificate with SelfSSL, then check
>> require secure channel (ssl) and require 128-bit encryption. Choose for
>> require client certificates.
>> Then in client certificate mapping say when x and/or y are in the client
>> certificate, then they are logged on as a user automatically?
>>
>> Then I send them the exported certificate and they install it. When they
>> would then go to my site would they be logged on automatically or would
>> they have to chose a certificate?
>>
>> Would this work?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>> How secure would be that -- if you send clients certificates (with
>>> private keys) in an e-mail. What if someone else gets that e-mail (it
>>> doesn't matter how) or hold of those private keys?
>>> Now in my opinion this would be less secure then telling users passwords
>>> over the phone.
>>>
>>> Regarding trusting your CA. Yes, you could do that. Now the question is
>>> will users be allowed to import CA chain onto their computers? E.g. in
>>> some of my environments users don't have that kind of permissions on
>>> their computers. What will happen if user formats their computer? How
>>> much work do you expect on supporting these users (it depends on number
>>> of users). You could talk to administrators of these external users for
>>> some help. They could deploy CA chain using group policy.
>>>
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>I read that a client certificate can be made by exporting the
>>>>certificate on the server. If I give that certificate to the clients, by
>>>>just e-mailing them, and they install the certificate, will they trust
>>>>my CA server then?
>>>> Or am I forgetting something?
>>>>
>>>> Fré
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>> Or how long would you think this would take to set up?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>> So it is impossible :-)
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>> Then you have a lot of work to do. If you want to set up your own CA
>>>>>>> server (related articles are listed in my previous article) you have
>>>>>>> to think how users (or you) will safely generate requests and then
>>>>>>> how you will transfer certificates with private key to users (again
>>>>>>> in safe way). In the end you will also have to think how to make
>>>>>>> these users trust you CA server.
>>>>>>>
>>>>>>> This is something that you can avoid if you use commercial CA server
>>>>>>> like Verisign or Thawte since users already trust these CA servers.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>> The users will not be part of the domain.
>>>>>>>>
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> It depends. Would these users be part of your domain? If yes then
>>>>>>>>> the best answer is by using Microsoft Enterprise CA server.
>>>>>>>>>
>>>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>>>> deploy certificates to users.
>>>>>>>>>
>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>> Public Key Infrastructure
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>
>>>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>>>> Server 2003
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>
>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>> 2003
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>
>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>
>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>
>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>>> with user's certificate. This also means that you will have to
>>>>>>>>>>> deploy client certificate to any users that will need to access
>>>>>>>>>>> your web server.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>>>>>> mean? How can
>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>I need to have it working by tomorrow, can it work without VeriSign?
> If it can't by tomorrow, what is the soonest I could get it working?
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>> As far as I understand your scenario -- this would not work. Certificates
>> have their intended purpose and in this case they would be different. For
>> the server the intended purpose is "Ensures the identity of a remote
>> computer" and for the client authentication to work it must be "Proves
>> your identity to a remote computer".
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>> But would it work if I just make a certificate with SelfSSL, then check
>>> require secure channel (ssl) and require 128-bit encryption. Choose for
>>> require client certificates.
>>> Then in client certificate mapping say when x and/or y are in the client
>>> certificate, then they are logged on as a user automatically?
>>>
>>> Then I send them the exported certificate and they install it. When they
>>> would then go to my site would they be logged on automatically or would
>>> they have to chose a certificate?
>>>
>>> Would this work?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>> How secure would be that -- if you send clients certificates (with
>>>> private keys) in an e-mail. What if someone else gets that e-mail (it
>>>> doesn't matter how) or hold of those private keys?
>>>> Now in my opinion this would be less secure then telling users
>>>> passwords over the phone.
>>>>
>>>> Regarding trusting your CA. Yes, you could do that. Now the question is
>>>> will users be allowed to import CA chain onto their computers? E.g. in
>>>> some of my environments users don't have that kind of permissions on
>>>> their computers. What will happen if user formats their computer? How
>>>> much work do you expect on supporting these users (it depends on number
>>>> of users). You could talk to administrators of these external users for
>>>> some help. They could deploy CA chain using group policy.
>>>>
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>I read that a client certificate can be made by exporting the
>>>>>certificate on the server. If I give that certificate to the clients,
>>>>>by just e-mailing them, and they install the certificate, will they
>>>>>trust my CA server then?
>>>>> Or am I forgetting something?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>> Or how long would you think this would take to set up?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>> So it is impossible :-)
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>> Then you have a lot of work to do. If you want to set up your own
>>>>>>>> CA server (related articles are listed in my previous article) you
>>>>>>>> have to think how users (or you) will safely generate requests and
>>>>>>>> then how you will transfer certificates with private key to users
>>>>>>>> (again in safe way). In the end you will also have to think how to
>>>>>>>> make these users trust you CA server.
>>>>>>>>
>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>> server like Verisign or Thawte since users already trust these CA
>>>>>>>> servers.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> It depends. Would these users be part of your domain? If yes then
>>>>>>>>>> the best answer is by using Microsoft Enterprise CA server.
>>>>>>>>>>
>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>>>>> deploy certificates to users.
>>>>>>>>>>
>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>
>>>>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>>>>> Server 2003
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>
>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>> 2003
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>
>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>
>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>
>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>>>> with user's certificate. This also means that you will have to
>>>>>>>>>>>> deploy client certificate to any users that will need to access
>>>>>>>>>>>> your web server.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the site.
>>>>>>>>>>>>> I see the option 'require client certificates', what does that
>>>>>>>>>>>>> mean? How can
>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
> Yes, it can work without VeriSign, but you need two different types of
> certificates. First one is for SSL protection of your server and this one
> can be generated by SelfSSL. Second type of certificates that you need is
> user certificate which can't be generated by SelfSSL, but can be issued by
> any CA server (it can be your own CA server or Thawte or VeriSign or any
> other CA server).
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>I need to have it working by tomorrow, can it work without VeriSign?
>> If it can't by tomorrow, what is the soonest I could get it working?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>> As far as I understand your scenario -- this would not work.
>>> Certificates have their intended purpose and in this case they would be
>>> different. For the server the intended purpose is "Ensures the identity
>>> of a remote computer" and for the client authentication to work it must
>>> be "Proves your identity to a remote computer".
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>> But would it work if I just make a certificate with SelfSSL, then check
>>>> require secure channel (ssl) and require 128-bit encryption. Choose for
>>>> require client certificates.
>>>> Then in client certificate mapping say when x and/or y are in the
>>>> client certificate, then they are logged on as a user automatically?
>>>>
>>>> Then I send them the exported certificate and they install it. When
>>>> they would then go to my site would they be logged on automatically or
>>>> would they have to chose a certificate?
>>>>
>>>> Would this work?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>> How secure would be that -- if you send clients certificates (with
>>>>> private keys) in an e-mail. What if someone else gets that e-mail (it
>>>>> doesn't matter how) or hold of those private keys?
>>>>> Now in my opinion this would be less secure then telling users
>>>>> passwords over the phone.
>>>>>
>>>>> Regarding trusting your CA. Yes, you could do that. Now the question
>>>>> is will users be allowed to import CA chain onto their computers? E.g.
>>>>> in some of my environments users don't have that kind of permissions
>>>>> on their computers. What will happen if user formats their computer?
>>>>> How much work do you expect on supporting these users (it depends on
>>>>> number of users). You could talk to administrators of these external
>>>>> users for some help. They could deploy CA chain using group policy.
>>>>>
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>I read that a client certificate can be made by exporting the
>>>>>>certificate on the server. If I give that certificate to the clients,
>>>>>>by just e-mailing them, and they install the certificate, will they
>>>>>>trust my CA server then?
>>>>>> Or am I forgetting something?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>> Or how long would you think this would take to set up?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>> So it is impossible :-)
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> Then you have a lot of work to do. If you want to set up your own
>>>>>>>>> CA server (related articles are listed in my previous article) you
>>>>>>>>> have to think how users (or you) will safely generate requests and
>>>>>>>>> then how you will transfer certificates with private key to users
>>>>>>>>> (again in safe way). In the end you will also have to think how to
>>>>>>>>> make these users trust you CA server.
>>>>>>>>>
>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>> server like Verisign or Thawte since users already trust these CA
>>>>>>>>> servers.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA server.
>>>>>>>>>>>
>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>>>>>> deploy certificates to users.
>>>>>>>>>>>
>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>
>>>>>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>>>>>> Server 2003
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>
>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>>> 2003
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>
>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>
>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>
>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>>>>> with user's certificate. This also means that you will have to
>>>>>>>>>>>>> deploy client certificate to any users that will need to
>>>>>>>>>>>>> access your web server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
> Is the following method, the right one toe generate the user certificate?
> - Go to internet explorer on the server
> - choose for tools --> internet options
> - go to tab 'content'
> - click on 'certificates'
> - go to tab 'trusted root certification authorities'
> - go to the certificate
> - choose for 'export'
> - follow the wizard with default values
>
> Then the file is located in the selected folder.
>
> Then I would send this file to the user (just the file or is something
> else needed?)
>
> Then the user has to import the certificate in his 'Trusted root
> certification authorities'
>
> And then it would have to work?
>
> Fré
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>> Yes, it can work without VeriSign, but you need two different types of
>> certificates. First one is for SSL protection of your server and this one
>> can be generated by SelfSSL. Second type of certificates that you need is
>> user certificate which can't be generated by SelfSSL, but can be issued
>> by any CA server (it can be your own CA server or Thawte or VeriSign or
>> any other CA server).
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>I need to have it working by tomorrow, can it work without VeriSign?
>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>> As far as I understand your scenario -- this would not work.
>>>> Certificates have their intended purpose and in this case they would be
>>>> different. For the server the intended purpose is "Ensures the identity
>>>> of a remote computer" and for the client authentication to work it must
>>>> be "Proves your identity to a remote computer".
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>> Choose for require client certificates.
>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>> client certificate, then they are logged on as a user automatically?
>>>>>
>>>>> Then I send them the exported certificate and they install it. When
>>>>> they would then go to my site would they be logged on automatically or
>>>>> would they have to chose a certificate?
>>>>>
>>>>> Would this work?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>> private keys) in an e-mail. What if someone else gets that e-mail (it
>>>>>> doesn't matter how) or hold of those private keys?
>>>>>> Now in my opinion this would be less secure then telling users
>>>>>> passwords over the phone.
>>>>>>
>>>>>> Regarding trusting your CA. Yes, you could do that. Now the question
>>>>>> is will users be allowed to import CA chain onto their computers?
>>>>>> E.g. in some of my environments users don't have that kind of
>>>>>> permissions on their computers. What will happen if user formats
>>>>>> their computer? How much work do you expect on supporting these users
>>>>>> (it depends on number of users). You could talk to administrators of
>>>>>> these external users for some help. They could deploy CA chain using
>>>>>> group policy.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>certificate on the server. If I give that certificate to the clients,
>>>>>>>by just e-mailing them, and they install the certificate, will they
>>>>>>>trust my CA server then?
>>>>>>> Or am I forgetting something?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>> So it is impossible :-)
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> Then you have a lot of work to do. If you want to set up your own
>>>>>>>>>> CA server (related articles are listed in my previous article)
>>>>>>>>>> you have to think how users (or you) will safely generate
>>>>>>>>>> requests and then how you will transfer certificates with private
>>>>>>>>>> key to users (again in safe way). In the end you will also have
>>>>>>>>>> to think how to make these users trust you CA server.
>>>>>>>>>>
>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>> server like Verisign or Thawte since users already trust these CA
>>>>>>>>>> servers.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>> server.
>>>>>>>>>>>>
>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how to
>>>>>>>>>>>> deploy certificates to users.
>>>>>>>>>>>>
>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> Implementing and Administering Certificate Templates in Windows
>>>>>>>>>>>> Server 2003
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>>>> 2003
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>> If you enable that option the users will have to authenticate
>>>>>>>>>>>>>> with user's certificate. This also means that you will have
>>>>>>>>>>>>>> to deploy client certificate to any users that will need to
>>>>>>>>>>>>>> access your web server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
> No. This would only make users trust CA server which certificate you just
> exported. This would not allow users to authenticate against your IIS.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>> Is the following method, the right one toe generate the user certificate?
>> - Go to internet explorer on the server
>> - choose for tools --> internet options
>> - go to tab 'content'
>> - click on 'certificates'
>> - go to tab 'trusted root certification authorities'
>> - go to the certificate
>> - choose for 'export'
>> - follow the wizard with default values
>>
>> Then the file is located in the selected folder.
>>
>> Then I would send this file to the user (just the file or is something
>> else needed?)
>>
>> Then the user has to import the certificate in his 'Trusted root
>> certification authorities'
>>
>> And then it would have to work?
>>
>> Fré
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>> Yes, it can work without VeriSign, but you need two different types of
>>> certificates. First one is for SSL protection of your server and this
>>> one can be generated by SelfSSL. Second type of certificates that you
>>> need is user certificate which can't be generated by SelfSSL, but can be
>>> issued by any CA server (it can be your own CA server or Thawte or
>>> VeriSign or any other CA server).
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>> As far as I understand your scenario -- this would not work.
>>>>> Certificates have their intended purpose and in this case they would
>>>>> be different. For the server the intended purpose is "Ensures the
>>>>> identity of a remote computer" and for the client authentication to
>>>>> work it must be "Proves your identity to a remote computer".
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>> Choose for require client certificates.
>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>
>>>>>> Then I send them the exported certificate and they install it. When
>>>>>> they would then go to my site would they be logged on automatically
>>>>>> or would they have to chose a certificate?
>>>>>>
>>>>>> Would this work?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>> passwords over the phone.
>>>>>>>
>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the question
>>>>>>> is will users be allowed to import CA chain onto their computers?
>>>>>>> E.g. in some of my environments users don't have that kind of
>>>>>>> permissions on their computers. What will happen if user formats
>>>>>>> their computer? How much work do you expect on supporting these
>>>>>>> users (it depends on number of users). You could talk to
>>>>>>> administrators of these external users for some help. They could
>>>>>>> deploy CA chain using group policy.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>will they trust my CA server then?
>>>>>>>> Or am I forgetting something?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>> server.
>>>>>>>>>>>
>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>> CA servers.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>>>>> 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>> you will have to deploy client certificate to any users that
>>>>>>>>>>>>>>> will need to access your web server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
> Then what do I have to do???
>
> Fré
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>> No. This would only make users trust CA server which certificate you just
>> exported. This would not allow users to authenticate against your IIS.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>> Is the following method, the right one toe generate the user
>>> certificate?
>>> - Go to internet explorer on the server
>>> - choose for tools --> internet options
>>> - go to tab 'content'
>>> - click on 'certificates'
>>> - go to tab 'trusted root certification authorities'
>>> - go to the certificate
>>> - choose for 'export'
>>> - follow the wizard with default values
>>>
>>> Then the file is located in the selected folder.
>>>
>>> Then I would send this file to the user (just the file or is something
>>> else needed?)
>>>
>>> Then the user has to import the certificate in his 'Trusted root
>>> certification authorities'
>>>
>>> And then it would have to work?
>>>
>>> Fré
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>> Yes, it can work without VeriSign, but you need two different types of
>>>> certificates. First one is for SSL protection of your server and this
>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>> VeriSign or any other CA server).
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>> As far as I understand your scenario -- this would not work.
>>>>>> Certificates have their intended purpose and in this case they would
>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>> identity of a remote computer" and for the client authentication to
>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>> Choose for require client certificates.
>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>>
>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>> or would they have to chose a certificate?
>>>>>>>
>>>>>>> Would this work?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>> passwords over the phone.
>>>>>>>>
>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>> administrators of these external users for some help. They could
>>>>>>>> deploy CA chain using group policy.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>will they trust my CA server then?
>>>>>>>>> Or am I forgetting something?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>> server.
>>>>>>>>>>>>
>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:OJeq9AFdGHA.2188@TK2MSFTNGP04.phx.gbl...
> Hi, from one of my previous posts...
>
> You can set up your own CA server and issue client authentication
> certficates on it. When doing this you have to think how users (or you)
> will safely generate requests and then how you will transfer certificates
> with private key to users (again in safe way). In the end you will also
> have to think how to make these users trust you CA server.
>
> How to set up your CA server. Here are important articles on the subject.
>
> Best Practices for Implementing a Microsoft Windows Server2003 Public Key
> Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> Implementing and Administering Certificate Templates in Windows Server
> 2003
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> PKI Enhancements in Windows XP Professional and Windows Server 2003
> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>
> Windows Server 2003 PKI Operations Guide
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>
> Managing a Windows Server 2003 Public Key Infrastructure
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>
> Advanced Certificate Enrollment and Management
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>
> When you will think about setting up your own CA -- you will have to
> answer quite a few questions... Here are some of them:
>
> How many users?
> What other purposes would this CA be used for.
> How will you deploy user certificates
> How and where will you publish CRL (Certificate Revocation List)
> How long will certificate be valid for
> How long will CA service certificates be valid for
> How often will you publish CRL
> What devices will use your CA
> All this answers will impact your CA design.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
>> Then what do I have to do???
>>
>> Fré
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>> No. This would only make users trust CA server which certificate you
>>> just exported. This would not allow users to authenticate against your
>>> IIS.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>> Is the following method, the right one toe generate the user
>>>> certificate?
>>>> - Go to internet explorer on the server
>>>> - choose for tools --> internet options
>>>> - go to tab 'content'
>>>> - click on 'certificates'
>>>> - go to tab 'trusted root certification authorities'
>>>> - go to the certificate
>>>> - choose for 'export'
>>>> - follow the wizard with default values
>>>>
>>>> Then the file is located in the selected folder.
>>>>
>>>> Then I would send this file to the user (just the file or is something
>>>> else needed?)
>>>>
>>>> Then the user has to import the certificate in his 'Trusted root
>>>> certification authorities'
>>>>
>>>> And then it would have to work?
>>>>
>>>> Fré
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>> Yes, it can work without VeriSign, but you need two different types of
>>>>> certificates. First one is for SSL protection of your server and this
>>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>>> VeriSign or any other CA server).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>> Certificates have their intended purpose and in this case they would
>>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>>> identity of a remote computer" and for the client authentication to
>>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>> Choose for require client certificates.
>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>> automatically?
>>>>>>>>
>>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>>> or would they have to chose a certificate?
>>>>>>>>
>>>>>>>> Would this work?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>> passwords over the phone.
>>>>>>>>>
>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>>will they trust my CA server then?
>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:e8YgvqMdGHA.1856@TK2MSFTNGP03.phx.gbl...
> This would take to long, I'm not going to use SSL then. Thanks for all the
> information Miha.
>
> Fré
>
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:OJeq9AFdGHA.2188@TK2MSFTNGP04.phx.gbl...
>> Hi, from one of my previous posts...
>>
>> You can set up your own CA server and issue client authentication
>> certficates on it. When doing this you have to think how users (or you)
>> will safely generate requests and then how you will transfer certificates
>> with private key to users (again in safe way). In the end you will also
>> have to think how to make these users trust you CA server.
>>
>> How to set up your CA server. Here are important articles on the subject.
>>
>> Best Practices for Implementing a Microsoft Windows Server2003 Public Key
>> Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>
>> Implementing and Administering Certificate Templates in Windows Server
>> 2003
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>
>> PKI Enhancements in Windows XP Professional and Windows Server 2003
>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>
>> Windows Server 2003 PKI Operations Guide
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>
>> Managing a Windows Server 2003 Public Key Infrastructure
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>
>> Advanced Certificate Enrollment and Management
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>
>> When you will think about setting up your own CA -- you will have to
>> answer quite a few questions... Here are some of them:
>>
>> How many users?
>> What other purposes would this CA be used for.
>> How will you deploy user certificates
>> How and where will you publish CRL (Certificate Revocation List)
>> How long will certificate be valid for
>> How long will CA service certificates be valid for
>> How often will you publish CRL
>> What devices will use your CA
>> All this answers will impact your CA design.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>>
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:eySNAZEdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>> Then what do I have to do???
>>>
>>> Fré
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>> No. This would only make users trust CA server which certificate you
>>>> just exported. This would not allow users to authenticate against your
>>>> IIS.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>> Is the following method, the right one toe generate the user
>>>>> certificate?
>>>>> - Go to internet explorer on the server
>>>>> - choose for tools --> internet options
>>>>> - go to tab 'content'
>>>>> - click on 'certificates'
>>>>> - go to tab 'trusted root certification authorities'
>>>>> - go to the certificate
>>>>> - choose for 'export'
>>>>> - follow the wizard with default values
>>>>>
>>>>> Then the file is located in the selected folder.
>>>>>
>>>>> Then I would send this file to the user (just the file or is something
>>>>> else needed?)
>>>>>
>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>> certification authorities'
>>>>>
>>>>> And then it would have to work?
>>>>>
>>>>> Fré
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>> that you need is user certificate which can't be generated by
>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>> would be different. For the server the intended purpose is "Ensures
>>>>>>>> the identity of a remote computer" and for the client
>>>>>>>> authentication to work it must be "Proves your identity to a remote
>>>>>>>> computer".
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>>> Choose for require client certificates.
>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>> automatically?
>>>>>>>>>
>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>
>>>>>>>>> Would this work?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets that
>>>>>>>>>> e-mail (it doesn't matter how) or hold of those private keys?
>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>> passwords over the phone.
>>>>>>>>>>
>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>>> server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
> No. This would only make users trust CA server which certificate you just
> exported. This would not allow users to authenticate against your IIS.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>> Is the following method, the right one toe generate the user certificate?
>> - Go to internet explorer on the server
>> - choose for tools --> internet options
>> - go to tab 'content'
>> - click on 'certificates'
>> - go to tab 'trusted root certification authorities'
>> - go to the certificate
>> - choose for 'export'
>> - follow the wizard with default values
>>
>> Then the file is located in the selected folder.
>>
>> Then I would send this file to the user (just the file or is something
>> else needed?)
>>
>> Then the user has to import the certificate in his 'Trusted root
>> certification authorities'
>>
>> And then it would have to work?
>>
>> Fré
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>> Yes, it can work without VeriSign, but you need two different types of
>>> certificates. First one is for SSL protection of your server and this
>>> one can be generated by SelfSSL. Second type of certificates that you
>>> need is user certificate which can't be generated by SelfSSL, but can be
>>> issued by any CA server (it can be your own CA server or Thawte or
>>> VeriSign or any other CA server).
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>> As far as I understand your scenario -- this would not work.
>>>>> Certificates have their intended purpose and in this case they would
>>>>> be different. For the server the intended purpose is "Ensures the
>>>>> identity of a remote computer" and for the client authentication to
>>>>> work it must be "Proves your identity to a remote computer".
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>> Choose for require client certificates.
>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>
>>>>>> Then I send them the exported certificate and they install it. When
>>>>>> they would then go to my site would they be logged on automatically
>>>>>> or would they have to chose a certificate?
>>>>>>
>>>>>> Would this work?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>> passwords over the phone.
>>>>>>>
>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the question
>>>>>>> is will users be allowed to import CA chain onto their computers?
>>>>>>> E.g. in some of my environments users don't have that kind of
>>>>>>> permissions on their computers. What will happen if user formats
>>>>>>> their computer? How much work do you expect on supporting these
>>>>>>> users (it depends on number of users). You could talk to
>>>>>>> administrators of these external users for some help. They could
>>>>>>> deploy CA chain using group policy.
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>will they trust my CA server then?
>>>>>>>> Or am I forgetting something?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>> server.
>>>>>>>>>>>
>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>> CA servers.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows Server2003
>>>>>>>>>>>>> Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows Server
>>>>>>>>>>>>> 2003
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>> you will have to deploy client certificate to any users that
>>>>>>>>>>>>>>> will need to access your web server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
> Is it possible that the users only need the certificate and when they have
> the certificate that then they are logged on anonymous?
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>> No. This would only make users trust CA server which certificate you just
>> exported. This would not allow users to authenticate against your IIS.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>> Is the following method, the right one toe generate the user
>>> certificate?
>>> - Go to internet explorer on the server
>>> - choose for tools --> internet options
>>> - go to tab 'content'
>>> - click on 'certificates'
>>> - go to tab 'trusted root certification authorities'
>>> - go to the certificate
>>> - choose for 'export'
>>> - follow the wizard with default values
>>>
>>> Then the file is located in the selected folder.
>>>
>>> Then I would send this file to the user (just the file or is something
>>> else needed?)
>>>
>>> Then the user has to import the certificate in his 'Trusted root
>>> certification authorities'
>>>
>>> And then it would have to work?
>>>
>>> Fré
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>> Yes, it can work without VeriSign, but you need two different types of
>>>> certificates. First one is for SSL protection of your server and this
>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>> VeriSign or any other CA server).
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>> As far as I understand your scenario -- this would not work.
>>>>>> Certificates have their intended purpose and in this case they would
>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>> identity of a remote computer" and for the client authentication to
>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>> Choose for require client certificates.
>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>> client certificate, then they are logged on as a user automatically?
>>>>>>>
>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>> or would they have to chose a certificate?
>>>>>>>
>>>>>>> Would this work?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>> passwords over the phone.
>>>>>>>>
>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>> administrators of these external users for some help. They could
>>>>>>>> deploy CA chain using group policy.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>will they trust my CA server then?
>>>>>>>>> Or am I forgetting something?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>> server.
>>>>>>>>>>>>
>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>I don't really understand this. If they have the certificates -- why would
>they logon anonymously?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>> Is it possible that the users only need the certificate and when they
>> have the certificate that then they are logged on anonymous?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>> No. This would only make users trust CA server which certificate you
>>> just exported. This would not allow users to authenticate against your
>>> IIS.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>> Is the following method, the right one toe generate the user
>>>> certificate?
>>>> - Go to internet explorer on the server
>>>> - choose for tools --> internet options
>>>> - go to tab 'content'
>>>> - click on 'certificates'
>>>> - go to tab 'trusted root certification authorities'
>>>> - go to the certificate
>>>> - choose for 'export'
>>>> - follow the wizard with default values
>>>>
>>>> Then the file is located in the selected folder.
>>>>
>>>> Then I would send this file to the user (just the file or is something
>>>> else needed?)
>>>>
>>>> Then the user has to import the certificate in his 'Trusted root
>>>> certification authorities'
>>>>
>>>> And then it would have to work?
>>>>
>>>> Fré
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>> Yes, it can work without VeriSign, but you need two different types of
>>>>> certificates. First one is for SSL protection of your server and this
>>>>> one can be generated by SelfSSL. Second type of certificates that you
>>>>> need is user certificate which can't be generated by SelfSSL, but can
>>>>> be issued by any CA server (it can be your own CA server or Thawte or
>>>>> VeriSign or any other CA server).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>> Certificates have their intended purpose and in this case they would
>>>>>>> be different. For the server the intended purpose is "Ensures the
>>>>>>> identity of a remote computer" and for the client authentication to
>>>>>>> work it must be "Proves your identity to a remote computer".
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>> Choose for require client certificates.
>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>> automatically?
>>>>>>>>
>>>>>>>> Then I send them the exported certificate and they install it. When
>>>>>>>> they would then go to my site would they be logged on automatically
>>>>>>>> or would they have to chose a certificate?
>>>>>>>>
>>>>>>>> Would this work?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> How secure would be that -- if you send clients certificates (with
>>>>>>>>> private keys) in an e-mail. What if someone else gets that e-mail
>>>>>>>>> (it doesn't matter how) or hold of those private keys?
>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>> passwords over the phone.
>>>>>>>>>
>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>clients, by just e-mailing them, and they install the certificate,
>>>>>>>>>>will they trust my CA server then?
>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>>> server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>> server like Verisign or Thawte since users already trust these
>>>>>>>>>>>>> CA servers.
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If yes
>>>>>>>>>>>>>>> then the best answer is by using Microsoft Enterprise CA
>>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and how
>>>>>>>>>>>>>>> to deploy certificates to users.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means that
>>>>>>>>>>>>>>>>> you will have to deploy client certificate to any users
>>>>>>>>>>>>>>>>> that will need to access your web server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what does
>>>>>>>>>>>>>>>>>> that mean? How can
>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>I read your documentation and I still don't know how users can identify
>themselves to IIS when they have the certificate (I send it to them) and
>then my partner said I had to ask you this.
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>I don't really understand this. If they have the certificates -- why would
>>they logon anonymously?
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>> Is it possible that the users only need the certificate and when they
>>> have the certificate that then they are logged on anonymous?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>> No. This would only make users trust CA server which certificate you
>>>> just exported. This would not allow users to authenticate against your
>>>> IIS.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>> Is the following method, the right one toe generate the user
>>>>> certificate?
>>>>> - Go to internet explorer on the server
>>>>> - choose for tools --> internet options
>>>>> - go to tab 'content'
>>>>> - click on 'certificates'
>>>>> - go to tab 'trusted root certification authorities'
>>>>> - go to the certificate
>>>>> - choose for 'export'
>>>>> - follow the wizard with default values
>>>>>
>>>>> Then the file is located in the selected folder.
>>>>>
>>>>> Then I would send this file to the user (just the file or is something
>>>>> else needed?)
>>>>>
>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>> certification authorities'
>>>>>
>>>>> And then it would have to work?
>>>>>
>>>>> Fré
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>> that you need is user certificate which can't be generated by
>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>> If it can't by tomorrow, what is the soonest I could get it working?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>> would be different. For the server the intended purpose is "Ensures
>>>>>>>> the identity of a remote computer" and for the client
>>>>>>>> authentication to work it must be "Proves your identity to a remote
>>>>>>>> computer".
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>> check require secure channel (ssl) and require 128-bit encryption.
>>>>>>>>> Choose for require client certificates.
>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>> automatically?
>>>>>>>>>
>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>
>>>>>>>>> Would this work?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets that
>>>>>>>>>> e-mail (it doesn't matter how) or hold of those private keys?
>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>> passwords over the phone.
>>>>>>>>>>
>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>> formats their computer? How much work do you expect on supporting
>>>>>>>>>> these users (it depends on number of users). You could talk to
>>>>>>>>>> administrators of these external users for some help. They could
>>>>>>>>>> deploy CA chain using group policy.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up your
>>>>>>>>>>>>>> own CA server (related articles are listed in my previous
>>>>>>>>>>>>>> article) you have to think how users (or you) will safely
>>>>>>>>>>>>>> generate requests and then how you will transfer certificates
>>>>>>>>>>>>>> with private key to users (again in safe way). In the end you
>>>>>>>>>>>>>> will also have to think how to make these users trust you CA
>>>>>>>>>>>>>> server.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is something that you can avoid if you use commercial CA
>>>>>>>>>>>>>> server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to the
>>>>>>>>>>>>>>>>>>> site.
>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> When you configure your IIS server with "Require user certificate" the
> server will tell the browser which authentication methods the web server
> supports. Now the browser will display a list of certificates that are
> available for client authentication.
>
> List would look something like this:
> http://freeweb.siol.net/mpihler/user_cert.jpg
>
> If client does not have any certificates that would enable him/her logon
> to the web server, browser will either display empty list or show the HTTP
> Error 403.7 - Forbidden: SSL client certificate is required depending on
> the browser or browser configuration.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>I read your documentation and I still don't know how users can identify
>>themselves to IIS when they have the certificate (I send it to them) and
>>then my partner said I had to ask you this.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>I don't really understand this. If they have the certificates -- why
>>>would they logon anonymously?
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>> Is it possible that the users only need the certificate and when they
>>>> have the certificate that then they are logged on anonymous?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>> No. This would only make users trust CA server which certificate you
>>>>> just exported. This would not allow users to authenticate against your
>>>>> IIS.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>> Is the following method, the right one toe generate the user
>>>>>> certificate?
>>>>>> - Go to internet explorer on the server
>>>>>> - choose for tools --> internet options
>>>>>> - go to tab 'content'
>>>>>> - click on 'certificates'
>>>>>> - go to tab 'trusted root certification authorities'
>>>>>> - go to the certificate
>>>>>> - choose for 'export'
>>>>>> - follow the wizard with default values
>>>>>>
>>>>>> Then the file is located in the selected folder.
>>>>>>
>>>>>> Then I would send this file to the user (just the file or is
>>>>>> something else needed?)
>>>>>>
>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>> certification authorities'
>>>>>>
>>>>>> And then it would have to work?
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>>> that you need is user certificate which can't be generated by
>>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>I need to have it working by tomorrow, can it work without VeriSign?
>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>> working?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>> remote computer".
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> But would it work if I just make a certificate with SelfSSL, then
>>>>>>>>>> check require secure channel (ssl) and require 128-bit
>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>> Then in client certificate mapping say when x and/or y are in the
>>>>>>>>>> client certificate, then they are logged on as a user
>>>>>>>>>> automatically?
>>>>>>>>>>
>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>>
>>>>>>>>>> Would this work?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets that
>>>>>>>>>>> e-mail (it doesn't matter how) or hold of those private keys?
>>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>
>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>>> computers? E.g. in some of my environments users don't have that
>>>>>>>>>>> kind of permissions on their computers. What will happen if user
>>>>>>>>>>> formats their computer? How much work do you expect on
>>>>>>>>>>> supporting these users (it depends on number of users). You
>>>>>>>>>>> could talk to administrators of these external users for some
>>>>>>>>>>> help. They could deploy CA chain using group policy.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>> previous article) you have to think how users (or you) will
>>>>>>>>>>>>>>> safely generate requests and then how you will transfer
>>>>>>>>>>>>>>> certificates with private key to users (again in safe way).
>>>>>>>>>>>>>>> In the end you will also have to think how to make these
>>>>>>>>>>>>>>> users trust you CA server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
> Don't you mean that when the list is empty that the client is disabled to
> logon to de web server?
>
> I get an empty list, but the certificate is installed on the client pc.
>
> Fré
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>> Hi,
>>
>> When you configure your IIS server with "Require user certificate" the
>> server will tell the browser which authentication methods the web server
>> supports. Now the browser will display a list of certificates that are
>> available for client authentication.
>>
>> List would look something like this:
>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>
>> If client does not have any certificates that would enable him/her logon
>> to the web server, browser will either display empty list or show the
>> HTTP Error 403.7 - Forbidden: SSL client certificate is required
>> depending on the browser or browser configuration.
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>I read your documentation and I still don't know how users can identify
>>>themselves to IIS when they have the certificate (I send it to them) and
>>>then my partner said I had to ask you this.
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>I don't really understand this. If they have the certificates -- why
>>>>would they logon anonymously?
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>> Is it possible that the users only need the certificate and when they
>>>>> have the certificate that then they are logged on anonymous?
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>> No. This would only make users trust CA server which certificate you
>>>>>> just exported. This would not allow users to authenticate against
>>>>>> your IIS.
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>> Is the following method, the right one toe generate the user
>>>>>>> certificate?
>>>>>>> - Go to internet explorer on the server
>>>>>>> - choose for tools --> internet options
>>>>>>> - go to tab 'content'
>>>>>>> - click on 'certificates'
>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>> - go to the certificate
>>>>>>> - choose for 'export'
>>>>>>> - follow the wizard with default values
>>>>>>>
>>>>>>> Then the file is located in the selected folder.
>>>>>>>
>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>> something else needed?)
>>>>>>>
>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>> certification authorities'
>>>>>>>
>>>>>>> And then it would have to work?
>>>>>>>
>>>>>>> Fré
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>> Yes, it can work without VeriSign, but you need two different types
>>>>>>>> of certificates. First one is for SSL protection of your server and
>>>>>>>> this one can be generated by SelfSSL. Second type of certificates
>>>>>>>> that you need is user certificate which can't be generated by
>>>>>>>> SelfSSL, but can be issued by any CA server (it can be your own CA
>>>>>>>> server or Thawte or VeriSign or any other CA server).
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>VeriSign?
>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>> working?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>> remote computer".
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>> automatically?
>>>>>>>>>>>
>>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>>>
>>>>>>>>>>> Would this work?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets
>>>>>>>>>>>> that e-mail (it doesn't matter how) or hold of those private
>>>>>>>>>>>> keys?
>>>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>>
>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>> question is will users be allowed to import CA chain onto their
>>>>>>>>>>>> computers? E.g. in some of my environments users don't have
>>>>>>>>>>>> that kind of permissions on their computers. What will happen
>>>>>>>>>>>> if user formats their computer? How much work do you expect on
>>>>>>>>>>>> supporting these users (it depends on number of users). You
>>>>>>>>>>>> could talk to administrators of these external users for some
>>>>>>>>>>>> help. They could deploy CA chain using group policy.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>> previous article) you have to think how users (or you) will
>>>>>>>>>>>>>>>> safely generate requests and then how you will transfer
>>>>>>>>>>>>>>>> certificates with private key to users (again in safe way).
>>>>>>>>>>>>>>>> In the end you will also have to think how to make these
>>>>>>>>>>>>>>>> users trust you CA server.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already trust
>>>>>>>>>>>>>>>> these CA servers.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft Enterprise
>>>>>>>>>>>>>>>>>> CA server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
> Hi,
>
> Yes -- absolutely. Client will not be able to access the server if he/she
> doesn't have a certificate.
>
> You say that you have the certificate. Which one? Does it allow client
> logon (Does it have intending purpose "Proves your identity to a remote
> computer". Do you have the private key for this certificate? Where is
> stored this certificate on your computer (in which certificate store).
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>> Don't you mean that when the list is empty that the client is disabled to
>> logon to de web server?
>>
>> I get an empty list, but the certificate is installed on the client pc.
>>
>> Fré
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>> Hi,
>>>
>>> When you configure your IIS server with "Require user certificate" the
>>> server will tell the browser which authentication methods the web server
>>> supports. Now the browser will display a list of certificates that are
>>> available for client authentication.
>>>
>>> List would look something like this:
>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>
>>> If client does not have any certificates that would enable him/her logon
>>> to the web server, browser will either display empty list or show the
>>> HTTP Error 403.7 - Forbidden: SSL client certificate is required
>>> depending on the browser or browser configuration.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>I read your documentation and I still don't know how users can identify
>>>>themselves to IIS when they have the certificate (I send it to them) and
>>>>then my partner said I had to ask you this.
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>I don't really understand this. If they have the certificates -- why
>>>>>would they logon anonymously?
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>> Is it possible that the users only need the certificate and when they
>>>>>> have the certificate that then they are logged on anonymous?
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>> No. This would only make users trust CA server which certificate you
>>>>>>> just exported. This would not allow users to authenticate against
>>>>>>> your IIS.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>> certificate?
>>>>>>>> - Go to internet explorer on the server
>>>>>>>> - choose for tools --> internet options
>>>>>>>> - go to tab 'content'
>>>>>>>> - click on 'certificates'
>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>> - go to the certificate
>>>>>>>> - choose for 'export'
>>>>>>>> - follow the wizard with default values
>>>>>>>>
>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>
>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>> something else needed?)
>>>>>>>>
>>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>>> certification authorities'
>>>>>>>>
>>>>>>>> And then it would have to work?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>> server and this one can be generated by SelfSSL. Second type of
>>>>>>>>> certificates that you need is user certificate which can't be
>>>>>>>>> generated by SelfSSL, but can be issued by any CA server (it can
>>>>>>>>> be your own CA server or Thawte or VeriSign or any other CA
>>>>>>>>> server).
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>VeriSign?
>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>> working?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>>> remote computer".
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>>> automatically?
>>>>>>>>>>>>
>>>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>>>>
>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets
>>>>>>>>>>>>> that e-mail (it doesn't matter how) or hold of those private
>>>>>>>>>>>>> keys?
>>>>>>>>>>>>> Now in my opinion this would be less secure then telling users
>>>>>>>>>>>>> passwords over the phone.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>>> question is will users be allowed to import CA chain onto
>>>>>>>>>>>>> their computers? E.g. in some of my environments users don't
>>>>>>>>>>>>> have that kind of permissions on their computers. What will
>>>>>>>>>>>>> happen if user formats their computer? How much work do you
>>>>>>>>>>>>> expect on supporting these users (it depends on number of
>>>>>>>>>>>>> users). You could talk to administrators of these external
>>>>>>>>>>>>> users for some help. They could deploy CA chain using group
>>>>>>>>>>>>> policy.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>>> previous article) you have to think how users (or you)
>>>>>>>>>>>>>>>>> will safely generate requests and then how you will
>>>>>>>>>>>>>>>>> transfer certificates with private key to users (again in
>>>>>>>>>>>>>>>>> safe way). In the end you will also have to think how to
>>>>>>>>>>>>>>>>> make these users trust you CA server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is something that you can avoid if you use commercial
>>>>>>>>>>>>>>>>> CA server like Verisign or Thawte since users already
>>>>>>>>>>>>>>>>> trust these CA servers.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain? If
>>>>>>>>>>>>>>>>>>> yes then the best answer is by using Microsoft
>>>>>>>>>>>>>>>>>>> Enterprise CA server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA and
>>>>>>>>>>>>>>>>>>> how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to any
>>>>>>>>>>>>>>>>>>>>> users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
> Hi,
>
> The certificate is intended for the following purpose(s):
> - Ensures the identity of a remote computer
> - All issuance policies
>
> So it doesnt have the intending purpose "Proves your identity to a remote
> computer". Is there an option in SelfSSL that I have to use so that it
> does have the intending purpose, or what can I do so that it has it?
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>> Hi,
>>
>> Yes -- absolutely. Client will not be able to access the server if he/she
>> doesn't have a certificate.
>>
>> You say that you have the certificate. Which one? Does it allow client
>> logon (Does it have intending purpose "Proves your identity to a remote
>> computer". Do you have the private key for this certificate? Where is
>> stored this certificate on your computer (in which certificate store).
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>> Don't you mean that when the list is empty that the client is disabled
>>> to logon to de web server?
>>>
>>> I get an empty list, but the certificate is installed on the client pc.
>>>
>>> Fré
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> When you configure your IIS server with "Require user certificate" the
>>>> server will tell the browser which authentication methods the web
>>>> server supports. Now the browser will display a list of certificates
>>>> that are available for client authentication.
>>>>
>>>> List would look something like this:
>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>
>>>> If client does not have any certificates that would enable him/her
>>>> logon to the web server, browser will either display empty list or show
>>>> the HTTP Error 403.7 - Forbidden: SSL client certificate is required
>>>> depending on the browser or browser configuration.
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>I read your documentation and I still don't know how users can identify
>>>>>themselves to IIS when they have the certificate (I send it to them)
>>>>>and then my partner said I had to ask you this.
>>>>>
>>>>> Fré
>>>>>
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>I don't really understand this. If they have the certificates -- why
>>>>>>would they logon anonymously?
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>> against your IIS.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>> certificate?
>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>> - choose for tools --> internet options
>>>>>>>>> - go to tab 'content'
>>>>>>>>> - click on 'certificates'
>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>> - go to the certificate
>>>>>>>>> - choose for 'export'
>>>>>>>>> - follow the wizard with default values
>>>>>>>>>
>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>
>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>> something else needed?)
>>>>>>>>>
>>>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>>>> certification authorities'
>>>>>>>>>
>>>>>>>>> And then it would have to work?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>> server and this one can be generated by SelfSSL. Second type of
>>>>>>>>>> certificates that you need is user certificate which can't be
>>>>>>>>>> generated by SelfSSL, but can be issued by any CA server (it can
>>>>>>>>>> be your own CA server or Thawte or VeriSign or any other CA
>>>>>>>>>> server).
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>VeriSign?
>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>> working?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>>
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>>>> remote computer".
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>>>> automatically?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Then I send them the exported certificate and they install it.
>>>>>>>>>>>>> When they would then go to my site would they be logged on
>>>>>>>>>>>>> automatically or would they have to chose a certificate?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets
>>>>>>>>>>>>>> that e-mail (it doesn't matter how) or hold of those private
>>>>>>>>>>>>>> keys?
>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>>>> question is will users be allowed to import CA chain onto
>>>>>>>>>>>>>> their computers? E.g. in some of my environments users don't
>>>>>>>>>>>>>> have that kind of permissions on their computers. What will
>>>>>>>>>>>>>> happen if user formats their computer? How much work do you
>>>>>>>>>>>>>> expect on supporting these users (it depends on number of
>>>>>>>>>>>>>> users). You could talk to administrators of these external
>>>>>>>>>>>>>> users for some help. They could deploy CA chain using group
>>>>>>>>>>>>>> policy.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting the
>>>>>>>>>>>>>>>certificate on the server. If I give that certificate to the
>>>>>>>>>>>>>>>clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>>>> previous article) you have to think how users (or you)
>>>>>>>>>>>>>>>>>> will safely generate requests and then how you will
>>>>>>>>>>>>>>>>>> transfer certificates with private key to users (again in
>>>>>>>>>>>>>>>>>> safe way). In the end you will also have to think how to
>>>>>>>>>>>>>>>>>> make these users trust you CA server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since users
>>>>>>>>>>>>>>>>>> already trust these CA servers.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain?
>>>>>>>>>>>>>>>>>>>> If yes then the best answer is by using Microsoft
>>>>>>>>>>>>>>>>>>>> Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates in
>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and Windows
>>>>>>>>>>>>>>>>>>>> Server 2003
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also means
>>>>>>>>>>>>>>>>>>>>>> that you will have to deploy client certificate to
>>>>>>>>>>>>>>>>>>>>>> any users that will need to access your web server.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added to
>>>>>>>>>>>>>>>>>>>>>>> the site.
>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates', what
>>>>>>>>>>>>>>>>>>>>>>> does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
> As mentioned in my previous posts, SelfSSL will not allow you to issue
> client authentication certificate (certificate with purpose "Proves your
> identity to a remote computer"). Is you need certificates with purpose of
> "Proves your identity to a remote
> computer" you will either have to:
> - set up CA server
> - buy the client authentication certificate (certificate with purpose
> "Proves your identity to a remote
> computer")
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>> Hi,
>>
>> The certificate is intended for the following purpose(s):
>> - Ensures the identity of a remote computer
>> - All issuance policies
>>
>> So it doesnt have the intending purpose "Proves your identity to a remote
>> computer". Is there an option in SelfSSL that I have to use so that it
>> does have the intending purpose, or what can I do so that it has it?
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>> Hi,
>>>
>>> Yes -- absolutely. Client will not be able to access the server if
>>> he/she doesn't have a certificate.
>>>
>>> You say that you have the certificate. Which one? Does it allow client
>>> logon (Does it have intending purpose "Proves your identity to a remote
>>> computer". Do you have the private key for this certificate? Where is
>>> stored this certificate on your computer (in which certificate store).
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>> Don't you mean that when the list is empty that the client is disabled
>>>> to logon to de web server?
>>>>
>>>> I get an empty list, but the certificate is installed on the client pc.
>>>>
>>>> Fré
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> When you configure your IIS server with "Require user certificate" the
>>>>> server will tell the browser which authentication methods the web
>>>>> server supports. Now the browser will display a list of certificates
>>>>> that are available for client authentication.
>>>>>
>>>>> List would look something like this:
>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>
>>>>> If client does not have any certificates that would enable him/her
>>>>> logon to the web server, browser will either display empty list or
>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>> required depending on the browser or browser configuration.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>I read your documentation and I still don't know how users can
>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>
>>>>>> Fré
>>>>>>
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>I don't really understand this. If they have the certificates -- why
>>>>>>>would they logon anonymously?
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>> against your IIS.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>>> certificate?
>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>> - go to tab 'content'
>>>>>>>>>> - click on 'certificates'
>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>> - go to the certificate
>>>>>>>>>> - choose for 'export'
>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>
>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>
>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>> something else needed?)
>>>>>>>>>>
>>>>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>>>>> certification authorities'
>>>>>>>>>>
>>>>>>>>>> And then it would have to work?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type of
>>>>>>>>>>> certificates that you need is user certificate which can't be
>>>>>>>>>>> generated by SelfSSL, but can be issued by any CA server (it can
>>>>>>>>>>> be your own CA server or Thawte or VeriSign or any other CA
>>>>>>>>>>> server).
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>> working?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>>
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>> Certificates have their intended purpose and in this case they
>>>>>>>>>>>>> would be different. For the server the intended purpose is
>>>>>>>>>>>>> "Ensures the identity of a remote computer" and for the client
>>>>>>>>>>>>> authentication to work it must be "Proves your identity to a
>>>>>>>>>>>>> remote computer".
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are in
>>>>>>>>>>>>>> the client certificate, then they are logged on as a user
>>>>>>>>>>>>>> automatically?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>> on automatically or would they have to chose a certificate?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>> How secure would be that -- if you send clients certificates
>>>>>>>>>>>>>>> (with private keys) in an e-mail. What if someone else gets
>>>>>>>>>>>>>>> that e-mail (it doesn't matter how) or hold of those private
>>>>>>>>>>>>>>> keys?
>>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>>>>> question is will users be allowed to import CA chain onto
>>>>>>>>>>>>>>> their computers? E.g. in some of my environments users don't
>>>>>>>>>>>>>>> have that kind of permissions on their computers. What will
>>>>>>>>>>>>>>> happen if user formats their computer? How much work do you
>>>>>>>>>>>>>>> expect on supporting these users (it depends on number of
>>>>>>>>>>>>>>> users). You could talk to administrators of these external
>>>>>>>>>>>>>>> users for some help. They could deploy CA chain using group
>>>>>>>>>>>>>>> policy.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate to
>>>>>>>>>>>>>>>>the clients, by just e-mailing them, and they install the
>>>>>>>>>>>>>>>>certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>> message news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set up
>>>>>>>>>>>>>>>>>>> your own CA server (related articles are listed in my
>>>>>>>>>>>>>>>>>>> previous article) you have to think how users (or you)
>>>>>>>>>>>>>>>>>>> will safely generate requests and then how you will
>>>>>>>>>>>>>>>>>>> transfer certificates with private key to users (again
>>>>>>>>>>>>>>>>>>> in safe way). In the end you will also have to think how
>>>>>>>>>>>>>>>>>>> to make these users trust you CA server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since users
>>>>>>>>>>>>>>>>>>> already trust these CA servers.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain?
>>>>>>>>>>>>>>>>>>>>> If yes then the best answer is by using Microsoft
>>>>>>>>>>>>>>>>>>>>> Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> It worked!
>
> But when it worked it were 2 different webistes on 1 IIS. The second
> website should need to be in the first (Default Web Site), so I made a
> virtual directory under it. Now I set again the settings for SSL, made a
> new certificate, but my choose a certificate list is empty.
>
> Fré
>
> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>> client authentication certificate (certificate with purpose "Proves your
>> identity to a remote computer"). Is you need certificates with purpose of
>> "Proves your identity to a remote
>> computer" you will either have to:
>> - set up CA server
>> - buy the client authentication certificate (certificate with purpose
>> "Proves your identity to a remote
>> computer")
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
>> news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>> Hi,
>>>
>>> The certificate is intended for the following purpose(s):
>>> - Ensures the identity of a remote computer
>>> - All issuance policies
>>>
>>> So it doesnt have the intending purpose "Proves your identity to a
>>> remote computer". Is there an option in SelfSSL that I have to use so
>>> that it does have the intending purpose, or what can I do so that it has
>>> it?
>>>
>>> Fré
>>>
>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>> Hi,
>>>>
>>>> Yes -- absolutely. Client will not be able to access the server if
>>>> he/she doesn't have a certificate.
>>>>
>>>> You say that you have the certificate. Which one? Does it allow client
>>>> logon (Does it have intending purpose "Proves your identity to a remote
>>>> computer". Do you have the private key for this certificate? Where is
>>>> stored this certificate on your computer (in which certificate store).
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>> Don't you mean that when the list is empty that the client is disabled
>>>>> to logon to de web server?
>>>>>
>>>>> I get an empty list, but the certificate is installed on the client
>>>>> pc.
>>>>>
>>>>> Fré
>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>> Hi,
>>>>>>
>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>> the server will tell the browser which authentication methods the web
>>>>>> server supports. Now the browser will display a list of certificates
>>>>>> that are available for client authentication.
>>>>>>
>>>>>> List would look something like this:
>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>
>>>>>> If client does not have any certificates that would enable him/her
>>>>>> logon to the web server, browser will either display empty list or
>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>> required depending on the browser or browser configuration.
>>>>>>
>>>>>> --
>>>>>> Mike
>>>>>> Microsoft MVP - Windows Security
>>>>>>
>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>I read your documentation and I still don't know how users can
>>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>>
>>>>>>> Fré
>>>>>>>
>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>I don't really understand this. If they have the certificates -- why
>>>>>>>>would they logon anonymously?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Mike
>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>
>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>>
>>>>>>>>> Fré
>>>>>>>>>
>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>> against your IIS.
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Mike
>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>
>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>>> message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>>>> certificate?
>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>> - go to the certificate
>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>
>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>
>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>> something else needed?)
>>>>>>>>>>>
>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted root
>>>>>>>>>>> certification authorities'
>>>>>>>>>>>
>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>
>>>>>>>>>>> Fré
>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type of
>>>>>>>>>>>> certificates that you need is user certificate which can't be
>>>>>>>>>>>> generated by SelfSSL, but can be issued by any CA server (it
>>>>>>>>>>>> can be your own CA server or Thawte or VeriSign or any other CA
>>>>>>>>>>>> server).
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Mike
>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>
>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>> working?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>> But would it work if I just make a certificate with SelfSSL,
>>>>>>>>>>>>>>> then check require secure channel (ssl) and require 128-bit
>>>>>>>>>>>>>>> encryption. Choose for require client certificates.
>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a user
>>>>>>>>>>>>>>> automatically?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>> on automatically or would they have to chose a certificate?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now the
>>>>>>>>>>>>>>>> question is will users be allowed to import CA chain onto
>>>>>>>>>>>>>>>> their computers? E.g. in some of my environments users
>>>>>>>>>>>>>>>> don't have that kind of permissions on their computers.
>>>>>>>>>>>>>>>> What will happen if user formats their computer? How much
>>>>>>>>>>>>>>>> work do you expect on supporting these users (it depends on
>>>>>>>>>>>>>>>> number of users). You could talk to administrators of these
>>>>>>>>>>>>>>>> external users for some help. They could deploy CA chain
>>>>>>>>>>>>>>>> using group policy.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>> think how to make these users trust you CA server.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your domain?
>>>>>>>>>>>>>>>>>>>>>> If yes then the best answer is by using Microsoft
>>>>>>>>>>>>>>>>>>>>>> Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote
>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> It worked!
>>
>> But when it worked it were 2 different webistes on 1 IIS. The second
>> website should need to be in the first (Default Web Site), so I made a
>> virtual directory under it. Now I set again the settings for SSL, made a
>> new certificate, but my choose a certificate list is empty.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>>> client authentication certificate (certificate with purpose "Proves your
>>> identity to a remote computer"). Is you need certificates with purpose
>>> of "Proves your identity to a remote
>>> computer" you will either have to:
>>> - set up CA server
>>> - buy the client authentication certificate (certificate with purpose
>>> "Proves your identity to a remote
>>> computer")
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> The certificate is intended for the following purpose(s):
>>>> - Ensures the identity of a remote computer
>>>> - All issuance policies
>>>>
>>>> So it doesnt have the intending purpose "Proves your identity to a
>>>> remote computer". Is there an option in SelfSSL that I have to use so
>>>> that it does have the intending purpose, or what can I do so that it
>>>> has it?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> Yes -- absolutely. Client will not be able to access the server if
>>>>> he/she doesn't have a certificate.
>>>>>
>>>>> You say that you have the certificate. Which one? Does it allow client
>>>>> logon (Does it have intending purpose "Proves your identity to a
>>>>> remote computer". Do you have the private key for this certificate?
>>>>> Where is stored this certificate on your computer (in which
>>>>> certificate store).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>>> Don't you mean that when the list is empty that the client is
>>>>>> disabled to logon to de web server?
>>>>>>
>>>>>> I get an empty list, but the certificate is installed on the client
>>>>>> pc.
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>>> the server will tell the browser which authentication methods the
>>>>>>> web server supports. Now the browser will display a list of
>>>>>>> certificates that are available for client authentication.
>>>>>>>
>>>>>>> List would look something like this:
>>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>>
>>>>>>> If client does not have any certificates that would enable him/her
>>>>>>> logon to the web server, browser will either display empty list or
>>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>>> required depending on the browser or browser configuration.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>I read your documentation and I still don't know how users can
>>>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>I don't really understand this. If they have the certificates -- 
>>>>>>>>>why would they logon anonymously?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>>> against your IIS.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>>>>> certificate?
>>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>>> - go to the certificate
>>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>>
>>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>>> something else needed?)
>>>>>>>>>>>>
>>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted
>>>>>>>>>>>> root certification authorities'
>>>>>>>>>>>>
>>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type
>>>>>>>>>>>>> of certificates that you need is user certificate which can't
>>>>>>>>>>>>> be generated by SelfSSL, but can be issued by any CA server
>>>>>>>>>>>>> (it can be your own CA server or Thawte or VeriSign or any
>>>>>>>>>>>>> other CA server).
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>>> working?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> But would it work if I just make a certificate with
>>>>>>>>>>>>>>>> SelfSSL, then check require secure channel (ssl) and
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to chose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust you CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> It worked!
>>
>> But when it worked it were 2 different webistes on 1 IIS. The second
>> website should need to be in the first (Default Web Site), so I made a
>> virtual directory under it. Now I set again the settings for SSL, made a
>> new certificate, but my choose a certificate list is empty.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>>> client authentication certificate (certificate with purpose "Proves your
>>> identity to a remote computer"). Is you need certificates with purpose
>>> of "Proves your identity to a remote
>>> computer" you will either have to:
>>> - set up CA server
>>> - buy the client authentication certificate (certificate with purpose
>>> "Proves your identity to a remote
>>> computer")
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> The certificate is intended for the following purpose(s):
>>>> - Ensures the identity of a remote computer
>>>> - All issuance policies
>>>>
>>>> So it doesnt have the intending purpose "Proves your identity to a
>>>> remote computer". Is there an option in SelfSSL that I have to use so
>>>> that it does have the intending purpose, or what can I do so that it
>>>> has it?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> Yes -- absolutely. Client will not be able to access the server if
>>>>> he/she doesn't have a certificate.
>>>>>
>>>>> You say that you have the certificate. Which one? Does it allow client
>>>>> logon (Does it have intending purpose "Proves your identity to a
>>>>> remote computer". Do you have the private key for this certificate?
>>>>> Where is stored this certificate on your computer (in which
>>>>> certificate store).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>>> Don't you mean that when the list is empty that the client is
>>>>>> disabled to logon to de web server?
>>>>>>
>>>>>> I get an empty list, but the certificate is installed on the client
>>>>>> pc.
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>>> the server will tell the browser which authentication methods the
>>>>>>> web server supports. Now the browser will display a list of
>>>>>>> certificates that are available for client authentication.
>>>>>>>
>>>>>>> List would look something like this:
>>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>>
>>>>>>> If client does not have any certificates that would enable him/her
>>>>>>> logon to the web server, browser will either display empty list or
>>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>>> required depending on the browser or browser configuration.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>I read your documentation and I still don't know how users can
>>>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>I don't really understand this. If they have the certificates -- 
>>>>>>>>>why would they logon anonymously?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>>> against your IIS.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>>>>> certificate?
>>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>>> - go to the certificate
>>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>>
>>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>>> something else needed?)
>>>>>>>>>>>>
>>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted
>>>>>>>>>>>> root certification authorities'
>>>>>>>>>>>>
>>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type
>>>>>>>>>>>>> of certificates that you need is user certificate which can't
>>>>>>>>>>>>> be generated by SelfSSL, but can be issued by any CA server
>>>>>>>>>>>>> (it can be your own CA server or Thawte or VeriSign or any
>>>>>>>>>>>>> other CA server).
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>>> working?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> But would it work if I just make a certificate with
>>>>>>>>>>>>>>>> SelfSSL, then check require secure channel (ssl) and
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to chose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust you CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

"Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
news:O%23nvyAedGHA.4720@TK2MSFTNGP03.phx.gbl...
> What worked? What were you able to do?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in message
> news:e077OobdGHA.3908@TK2MSFTNGP04.phx.gbl...
>> Hi,
>>
>> It worked!
>>
>> But when it worked it were 2 different webistes on 1 IIS. The second
>> website should need to be in the first (Default Web Site), so I made a
>> virtual directory under it. Now I set again the settings for SSL, made a
>> new certificate, but my choose a certificate list is empty.
>>
>> Fré
>>
>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>> news:uJog2HbdGHA.3352@TK2MSFTNGP03.phx.gbl...
>>> As mentioned in my previous posts, SelfSSL will not allow you to issue
>>> client authentication certificate (certificate with purpose "Proves your
>>> identity to a remote computer"). Is you need certificates with purpose
>>> of "Proves your identity to a remote
>>> computer" you will either have to:
>>> - set up CA server
>>> - buy the client authentication certificate (certificate with purpose
>>> "Proves your identity to a remote
>>> computer")
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>> message news:eGFGufadGHA.4932@TK2MSFTNGP03.phx.gbl...
>>>> Hi,
>>>>
>>>> The certificate is intended for the following purpose(s):
>>>> - Ensures the identity of a remote computer
>>>> - All issuance policies
>>>>
>>>> So it doesnt have the intending purpose "Proves your identity to a
>>>> remote computer". Is there an option in SelfSSL that I have to use so
>>>> that it does have the intending purpose, or what can I do so that it
>>>> has it?
>>>>
>>>> Fré
>>>>
>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>> news:%23NVH8PadGHA.2188@TK2MSFTNGP05.phx.gbl...
>>>>> Hi,
>>>>>
>>>>> Yes -- absolutely. Client will not be able to access the server if
>>>>> he/she doesn't have a certificate.
>>>>>
>>>>> You say that you have the certificate. Which one? Does it allow client
>>>>> logon (Does it have intending purpose "Proves your identity to a
>>>>> remote computer". Do you have the private key for this certificate?
>>>>> Where is stored this certificate on your computer (in which
>>>>> certificate store).
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>> message news:u2MZSSZdGHA.3364@TK2MSFTNGP05.phx.gbl...
>>>>>> Don't you mean that when the list is empty that the client is
>>>>>> disabled to logon to de web server?
>>>>>>
>>>>>> I get an empty list, but the certificate is installed on the client
>>>>>> pc.
>>>>>>
>>>>>> Fré
>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>> news:%233$Lv2RdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>> Hi,
>>>>>>>
>>>>>>> When you configure your IIS server with "Require user certificate"
>>>>>>> the server will tell the browser which authentication methods the
>>>>>>> web server supports. Now the browser will display a list of
>>>>>>> certificates that are available for client authentication.
>>>>>>>
>>>>>>> List would look something like this:
>>>>>>> http://freeweb.siol.net/mpihler/user_cert.jpg
>>>>>>>
>>>>>>> If client does not have any certificates that would enable him/her
>>>>>>> logon to the web server, browser will either display empty list or
>>>>>>> show the HTTP Error 403.7 - Forbidden: SSL client certificate is
>>>>>>> required depending on the browser or browser configuration.
>>>>>>>
>>>>>>> --
>>>>>>> Mike
>>>>>>> Microsoft MVP - Windows Security
>>>>>>>
>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>> message news:%2371ooRPdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>I read your documentation and I still don't know how users can
>>>>>>>>identify themselves to IIS when they have the certificate (I send it
>>>>>>>>to them) and then my partner said I had to ask you this.
>>>>>>>>
>>>>>>>> Fré
>>>>>>>>
>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>> news:Ost5mHPdGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>I don't really understand this. If they have the certificates -- 
>>>>>>>>>why would they logon anonymously?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Mike
>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>
>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote in
>>>>>>>>> message news:eelOX3NdGHA.4224@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>> Is it possible that the users only need the certificate and when
>>>>>>>>>> they have the certificate that then they are logged on anonymous?
>>>>>>>>>>
>>>>>>>>>> Fré
>>>>>>>>>>
>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>> news:%23iAwEJEdGHA.1656@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>> No. This would only make users trust CA server which certificate
>>>>>>>>>>> you just exported. This would not allow users to authenticate
>>>>>>>>>>> against your IIS.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Mike
>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>
>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>> in message news:OzzY3WBdGHA.380@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>> Is the following method, the right one toe generate the user
>>>>>>>>>>>> certificate?
>>>>>>>>>>>> - Go to internet explorer on the server
>>>>>>>>>>>> - choose for tools --> internet options
>>>>>>>>>>>> - go to tab 'content'
>>>>>>>>>>>> - click on 'certificates'
>>>>>>>>>>>> - go to tab 'trusted root certification authorities'
>>>>>>>>>>>> - go to the certificate
>>>>>>>>>>>> - choose for 'export'
>>>>>>>>>>>> - follow the wizard with default values
>>>>>>>>>>>>
>>>>>>>>>>>> Then the file is located in the selected folder.
>>>>>>>>>>>>
>>>>>>>>>>>> Then I would send this file to the user (just the file or is
>>>>>>>>>>>> something else needed?)
>>>>>>>>>>>>
>>>>>>>>>>>> Then the user has to import the certificate in his 'Trusted
>>>>>>>>>>>> root certification authorities'
>>>>>>>>>>>>
>>>>>>>>>>>> And then it would have to work?
>>>>>>>>>>>>
>>>>>>>>>>>> Fré
>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>> news:%23IzLcOBdGHA.3348@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>> Yes, it can work without VeriSign, but you need two different
>>>>>>>>>>>>> types of certificates. First one is for SSL protection of your
>>>>>>>>>>>>> server and this one can be generated by SelfSSL. Second type
>>>>>>>>>>>>> of certificates that you need is user certificate which can't
>>>>>>>>>>>>> be generated by SelfSSL, but can be issued by any CA server
>>>>>>>>>>>>> (it can be your own CA server or Thawte or VeriSign or any
>>>>>>>>>>>>> other CA server).
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Mike
>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>
>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com> wrote
>>>>>>>>>>>>> in message news:%230Fld$AdGHA.5048@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>I need to have it working by tomorrow, can it work without
>>>>>>>>>>>>>>VeriSign?
>>>>>>>>>>>>>> If it can't by tomorrow, what is the soonest I could get it
>>>>>>>>>>>>>> working?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in message
>>>>>>>>>>>>>> news:%230q8c9AdGHA.3388@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>> As far as I understand your scenario -- this would not work.
>>>>>>>>>>>>>>> Certificates have their intended purpose and in this case
>>>>>>>>>>>>>>> they would be different. For the server the intended purpose
>>>>>>>>>>>>>>> is "Ensures the identity of a remote computer" and for the
>>>>>>>>>>>>>>> client authentication to work it must be "Proves your
>>>>>>>>>>>>>>> identity to a remote computer".
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>> news:%23IqROEAdGHA.5116@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>> But would it work if I just make a certificate with
>>>>>>>>>>>>>>>> SelfSSL, then check require secure channel (ssl) and
>>>>>>>>>>>>>>>> require 128-bit encryption. Choose for require client
>>>>>>>>>>>>>>>> certificates.
>>>>>>>>>>>>>>>> Then in client certificate mapping say when x and/or y are
>>>>>>>>>>>>>>>> in the client certificate, then they are logged on as a
>>>>>>>>>>>>>>>> user automatically?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Then I send them the exported certificate and they install
>>>>>>>>>>>>>>>> it. When they would then go to my site would they be logged
>>>>>>>>>>>>>>>> on automatically or would they have to chose a certificate?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Would this work?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>> message news:OsYVW%233cGHA.3632@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>> How secure would be that -- if you send clients
>>>>>>>>>>>>>>>>> certificates (with private keys) in an e-mail. What if
>>>>>>>>>>>>>>>>> someone else gets that e-mail (it doesn't matter how) or
>>>>>>>>>>>>>>>>> hold of those private keys?
>>>>>>>>>>>>>>>>> Now in my opinion this would be less secure then telling
>>>>>>>>>>>>>>>>> users passwords over the phone.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regarding trusting your CA. Yes, you could do that. Now
>>>>>>>>>>>>>>>>> the question is will users be allowed to import CA chain
>>>>>>>>>>>>>>>>> onto their computers? E.g. in some of my environments
>>>>>>>>>>>>>>>>> users don't have that kind of permissions on their
>>>>>>>>>>>>>>>>> computers. What will happen if user formats their
>>>>>>>>>>>>>>>>> computer? How much work do you expect on supporting these
>>>>>>>>>>>>>>>>> users (it depends on number of users). You could talk to
>>>>>>>>>>>>>>>>> administrators of these external users for some help. They
>>>>>>>>>>>>>>>>> could deploy CA chain using group policy.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>> news:OnJNXp3cGHA.1792@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>I read that a client certificate can be made by exporting
>>>>>>>>>>>>>>>>>>the certificate on the server. If I give that certificate
>>>>>>>>>>>>>>>>>>to the clients, by just e-mailing them, and they install
>>>>>>>>>>>>>>>>>>the certificate, will they trust my CA server then?
>>>>>>>>>>>>>>>>>> Or am I forgetting something?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>> news:%23NWVwZ3cGHA.2068@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>> Or how long would you think this would take to set up?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe" <frederikvanderhae***@gmail.com>
>>>>>>>>>>>>>>>>>>> wrote in message
>>>>>>>>>>>>>>>>>>> news:ehwUSU3cGHA.1272@TK2MSFTNGP03.phx.gbl...
>>>>>>>>>>>>>>>>>>>> So it is impossible :-)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>> message
>>>>>>>>>>>>>>>>>>>> news:%23%232tSJ3cGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>> Then you have a lot of work to do. If you want to set
>>>>>>>>>>>>>>>>>>>>> up your own CA server (related articles are listed in
>>>>>>>>>>>>>>>>>>>>> my previous article) you have to think how users (or
>>>>>>>>>>>>>>>>>>>>> you) will safely generate requests and then how you
>>>>>>>>>>>>>>>>>>>>> will transfer certificates with private key to users
>>>>>>>>>>>>>>>>>>>>> (again in safe way). In the end you will also have to
>>>>>>>>>>>>>>>>>>>>> think how to make these users trust you CA server.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is something that you can avoid if you use
>>>>>>>>>>>>>>>>>>>>> commercial CA server like Verisign or Thawte since
>>>>>>>>>>>>>>>>>>>>> users already trust these CA servers.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>> news:%231$yXL2cGHA.1208@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>> The users will not be part of the domain.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote in
>>>>>>>>>>>>>>>>>>>>>> message news:OwVsn5rcGHA.3888@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>> It depends. Would these users be part of your
>>>>>>>>>>>>>>>>>>>>>>> domain? If yes then the best answer is by using
>>>>>>>>>>>>>>>>>>>>>>> Microsoft Enterprise CA server.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Here are some articles on how to set up Microsoft CA
>>>>>>>>>>>>>>>>>>>>>>> and how to deploy certificates to users.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Best Practices for Implementing a Microsoft Windows
>>>>>>>>>>>>>>>>>>>>>>> Server2003 Public Key Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Implementing and Administering Certificate Templates
>>>>>>>>>>>>>>>>>>>>>>> in Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> PKI Enhancements in Windows XP Professional and
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Windows Server 2003 PKI Operations Guide
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Managing a Windows Server 2003 Public Key
>>>>>>>>>>>>>>>>>>>>>>> Infrastructure
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Advanced Certificate Enrollment and Management
>>>>>>>>>>>>>>>>>>>>>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>> news:eDuCd3mcGHA.3472@TK2MSFTNGP02.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>> And how do I have to make a client certificate?
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> "Miha Pihler [MVP]" <mihap-n***@atlantis.si> wrote
>>>>>>>>>>>>>>>>>>>>>>>> in message
>>>>>>>>>>>>>>>>>>>>>>>> news:e3GAIDHcGHA.1264@TK2MSFTNGP05.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>> If you enable that option the users will have to
>>>>>>>>>>>>>>>>>>>>>>>>> authenticate with user's certificate. This also
>>>>>>>>>>>>>>>>>>>>>>>>> means that you will have to deploy client
>>>>>>>>>>>>>>>>>>>>>>>>> certificate to any users that will need to access
>>>>>>>>>>>>>>>>>>>>>>>>> your web server.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Mike
>>>>>>>>>>>>>>>>>>>>>>>>> Microsoft MVP - Windows Security
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> "Frederik Vanderhaeghe"
>>>>>>>>>>>>>>>>>>>>>>>>> <frederikvanderhae***@gmail.com> wrote in message
>>>>>>>>>>>>>>>>>>>>>>>>> news:eKLs$WFcGHA.1320@TK2MSFTNGP04.phx.gbl...
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I made a certificate with SelfSSL and it is added
>>>>>>>>>>>>>>>>>>>>>>>>>> to the site.
>>>>>>>>>>>>>>>>>>>>>>>>>> I see the option 'require client certificates',
>>>>>>>>>>>>>>>>>>>>>>>>>> what does that mean? How can
>>>>>>>>>>>>>>>>>>>>>>>>>> it be initiated?
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Fré
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>