Written by John DeVight on 2011-May-18

Overview

I recently had to implement PKI (client certificate) authentication for a project and needed to configure a server and client certificate so that I could do the development. I didn't want to have to deal with standing up a certificate authority to generate all the certificates. I found that IIS 7 has a really nice feature that allows you to create a self-signed (server) certificate. Here are plenty of articles on this, two that I found helpful were: Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates on Scott Gu's blog and How to Create a Self Signed Certificate in IIS 7. However, finding information about creating a self-signed client certificate wasn't as easy. I finally came across a blog that had the answer: IIS 7 and Client Certificates which referenced another article: Configuring One-to-One Client Certificate Mappings.

The articles on creating a Self-Signed Server Certificate are really good, so I'll focus on documenting my experience with creating a Self-Signed Client Certificate here.

Creating a Self-Signed Client Certificate

Installing the MakeCert Utility

The first step that is mentioned in the IIS 7 and Client Certificates blog is installing the MakeCert utility. The link on the blog takes you to the MSDN doucmentation for the MakeCert utility that provides a link to download the Windows SDK. Here are the links:

• MakeCert Utility on MSDN
• Microsoft Windows Developerment Kit

I downloaded the web installer for the Windows Development Kit and installed it with the following options:

• Windows Native Code Development -> Tools
• .NET Development Tools

I honestly don't know which one had the MakeCert utility, but atleast I didn't install the entire SDK.

Creating the Client Certificates

The IIS 7 and Client Certificates blog is pretty good about explaining how to create the client certificates. Here are the commands that I took from the blog and executed in a command line window. In my examples I set the password for everything to the word "password".

Create the Self Signed CA Certificate

makecert.exe -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer

Create the Client Certificate

makecert.exe -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2

Create the Client PKCS12 Certificate

pvk2pfx.exe -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po password

Step 2 also mentions sending the client certificate and the self-signed CA client certificate to "John Doe" to be installed on his workstation. Since your workstation is the "client" workstation, then you need to install the client certificate.

To install the client certificate:

1. Launch the Microsoft Management Console (mmc) and add the "Certificates" Snap-in for the current user.
2. Add the JohnDoe.pfx file to the "Certificates - Current User" -> Personal store.

To install the self-signed client CA certificate:

1. Launch the Microsoft Management Console (mmc) and add the "Certificates" Snap-in for the local computer.
2. Add the MyPersonalCA.cer file to the "Certificates (Local Computer)" -> Personal store.
3. Also add the MyPersonalCA.cer file to the "Certificates (Local Computer)" -> "Trusted Root Certificate Authorities" store.

There are a couple of bullet points in step 3 that are worth doing as soon as you finish Step 2 from the IIS 7 and Client Certificates blog, create the Base-64 encoded version of the client certificate and install the self-signed CA client certificate.

Create the Client Base-64 Certificate
Here is the process taken directly from the IIS 7 and Client Certificates blog:

One way to obtain the Base-64 encoded certificate for John Doe is to install John’s .PFX file, then open the Microsoft Management Console (run mmc.exe, CTRL-M, double click Certificates, Finish, OK, right click on John’s certificate under Personal/Certificates, export without a private key, and pick the Base-64 encoded X.509 (.CER) option).

Configure IIS to use the Client Certificate

In Step 3 of the IIS 7 and Client Certificates blog, you are directed to look at the Configuring One-to-One Client Certificate Mappings article. I had to make a few adjustments here.

• I am running IIS 7.5, so I already have the IIS Manager installed and did not have to install "IIS 7 Administration Pack Technical Preview 2".
• In "Step 1: Getting the Certificate Blob", this is the Client Base-64 Certificate that was created above. Just follow the instructions for extracting the "certificate blob". Here is a copy of the instructions:
  1. Right click on your .cer file.
  2. Select Open With… in the context menu
  3. Select Notepad from the list of Other Programs and click OK. [Note: Notepad may be hidden beneath a drop down in the Vista/Windows 2008 list view]
  4. Remove -BEGIN CERTIFICATE- and -END CERTIFICATE——
  5. Format the certificate blob to be a single line.
  6. Save this file as clientCertBlob.txt
• I followed Step 2 with one minor change. Here is a copy of the instructions:
  1. Start Inetmgr, the IIS 7 Manager UI
  2. Select the SSL web site that is being configured and open Configuration Editor
  3. Type "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the Section drop down box.
  4. Select the enabled field and change the value to true
  5. Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true
  6. Select the oneToOneMappings property grid entry and click Edit Items… in the Actions Task Pane
  7. Click Add in the Collection Editor task list
  8. Copy the single string certificate blob from above and paste it into the certificate field
  9. Set the userName and password that clients will be authenticated as. (Here is the change: I set the userName to: JohnDoe and password to: password)
  10. Set the enabled field to true
  11. Close Collection Editor
  12. Click Apply in the Actions Task Pane [Note: Click Script Generation prior to clicking Apply to get scripts for this process]
• I followed Step 3 with one minor change. Here is a copy of the instructions:
  1. From within Inetmgr, the IIS 7 Manager UI, select the SSL web site you want to use client certificates
  2. Select the SSL UI module
  3. Under Client certificates: select the Accept radio button. (Here is the change: I selected the Required radio button)
  4. Click Apply in the Actions Task Pane
• Step 4 was to verify that everything works. However, when I tried to verify that everything works, it didn't. There was one more step that I had to take. The web browser doesn't know anything about the client certificate, so I needed to import it into the browser.
  • For Internet Explorer:
    1. Go to Tools -> "Internet Options" and select the Content tab.
    2. Click on Certificates and import the JohnDoe.pfx file.
  • In Firefox
    1. Go to Tools -> Options and select the Advanced tab.
    2. Click on "View Certificates" import the JohnDoe.pfx file.

Conclusion

I have found that getting server and client certificates to work on IIS is a frustrating process. My experience has been that when attempting to configure a workstation, each workstation seems to have a slightly different set of steps. What worked for me may not work for everyone. If you are able to get server and client certificates to work with a different set of steps, please post what you have done so that others can try it.

References

• Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates
• How to Create a Self Signed Certificate in IIS 7
• IIS 7 and Client Certificates
• Configuring One-to-One Client Certificate Mappings
• ASP.NET MVC 3 : Implementing PKI Authentication

Support ASP.NET Wiki

If you like this page, click on the "Share on" links in the wikidot toolbar at the top of the page to share it with your friends.

Discussion Closed

Show Comments

Hide All Comments Unfold All Fold All

Fold

Symo (guest) 29 Jun 2012 13:30

I'm unable to read the .cer file as described as it seems to be encoded, can't find any information on this either…

Reply Options

Unfold by Symo (guest), 29 Jun 2012 13:30

Fold

John DeVight 29 Jun 2012 19:51

Hy Symo,

Can you share with me the commands that you executed to create the "Self Signed CA Certificate" and "Client Certificate"?

Regards,

---

John DeVight
Telerik MVP

Reply Options

Unfold by John DeVight, 29 Jun 2012 19:51

Fold

Michael (guest) 11 Jul 2012 18:48

Hey, this is a very good article, but it doesn't works for me. :/

I get an 401.1 - Unauthorized HTTP Failure. Do you know how I can map a client certificate to the application pool identity? I try it with IIS AppPool\<AppPoolName>

special thx, Michael

Reply Options

Unfold by Michael (guest), 11 Jul 2012 18:48

Fold

Michael (guest) 12 Jul 2012 06:46

If I map the client certificate to another user, it works perfectly.
User IIS AppPool\<AppPoolName> has enough permissions (rx) in the webapplication folder, so this is probably not the problem

Reply Options

Unfold by Michael (guest), 12 Jul 2012 06:46

Fold

Bestin (guest) 07 Sep 2012 17:08

I couldn't make it work. now i get 401 - Unauthorized access is denied duo to invalid credientials.

Thanks
Bestin

Reply Options

Unfold by Bestin (guest), 07 Sep 2012 17:08

Fold

works!

Balazs Fabi 30 Sep 2013 12:34

It works, just the only problem is it always prompts for the client certificate.
Why?

Reply Options

Unfold works! by Balazs Fabi, 30 Sep 2013 12:34

Add a New Comment

Permanent Link Edit Delete