Written by John DeVight on 2011-May-18
I recently had to implement PKI (client certificate) authentication for a project and needed to configure a server and client certificate so that I could do the development. I didn't want to have to deal with standing up a certificate authority to generate all the certificates. I found that IIS 7 has a really nice feature that allows you to create a self-signed (server) certificate. Here are plenty of articles on this, two that I found helpful were: Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates on Scott Gu's blog and How to Create a Self Signed Certificate in IIS 7. However, finding information about creating a self-signed client certificate wasn't as easy. I finally came across a blog that had the answer: IIS 7 and Client Certificates which referenced another article: Configuring One-to-One Client Certificate Mappings.
The articles on creating a Self-Signed Server Certificate are really good, so I'll focus on documenting my experience with creating a Self-Signed Client Certificate here.
Creating a Self-Signed Client Certificate
Installing the MakeCert Utility
The first step that is mentioned in the IIS 7 and Client Certificates blog is installing the MakeCert utility. The link on the blog takes you to the MSDN doucmentation for the MakeCert utility that provides a link to download the Windows SDK. Here are the links:
I downloaded the web installer for the Windows Development Kit and installed it with the following options:
- Windows Native Code Development -> Tools
- .NET Development Tools
I honestly don't know which one had the MakeCert utility, but atleast I didn't install the entire SDK.
Creating the Client Certificates
The IIS 7 and Client Certificates blog is pretty good about explaining how to create the client certificates. Here are the commands that I took from the blog and executed in a command line window. In my examples I set the password for everything to the word "password".
Create the Self Signed CA Certificate
makecert.exe -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer
Create the Client Certificate
makecert.exe -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 18.104.22.168.22.214.171.124.2
Note: the IIS 7 and Client Certificates blog was created on 24-Jan-2010 and has the client certificate expiring on 21-Jan-2011. When I created the client certificate, I changed the expiration date to 21-Jan-2016
Create the Client PKCS12 Certificate
pvk2pfx.exe -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po password
Step 2 also mentions sending the client certificate and the self-signed CA client certificate to "John Doe" to be installed on his workstation. Since your workstation is the "client" workstation, then you need to install the client certificate.
To install the client certificate:
- Launch the Microsoft Management Console (mmc) and add the "Certificates" Snap-in for the current user.
- Add the JohnDoe.pfx file to the "Certificates - Current User" -> Personal store.
To install the self-signed client CA certificate:
- Launch the Microsoft Management Console (mmc) and add the "Certificates" Snap-in for the local computer.
- Add the MyPersonalCA.cer file to the "Certificates (Local Computer)" -> Personal store.
- Also add the MyPersonalCA.cer file to the "Certificates (Local Computer)" -> "Trusted Root Certificate Authorities" store.
There are a couple of bullet points in step 3 that are worth doing as soon as you finish Step 2 from the IIS 7 and Client Certificates blog, create the Base-64 encoded version of the client certificate and install the self-signed CA client certificate.
Create the Client Base-64 Certificate
Here is the process taken directly from the IIS 7 and Client Certificates blog:
One way to obtain the Base-64 encoded certificate for John Doe is to install John’s .PFX file, then open the Microsoft Management Console (run mmc.exe, CTRL-M, double click Certificates, Finish, OK, right click on John’s certificate under Personal/Certificates, export without a private key, and pick the Base-64 encoded X.509 (.CER) option).
Configure IIS to use the Client Certificate
In Step 3 of the IIS 7 and Client Certificates blog, you are directed to look at the Configuring One-to-One Client Certificate Mappings article. I had to make a few adjustments here.
- I am running IIS 7.5, so I already have the IIS Manager installed and did not have to install "IIS 7 Administration Pack Technical Preview 2".
- In "Step 1: Getting the Certificate Blob", this is the Client Base-64 Certificate that was created above. Just follow the instructions for extracting the "certificate blob". Here is a copy of the instructions:
- Right click on your .cer file.
- Select Open With… in the context menu
- Select Notepad from the list of Other Programs and click OK. [Note: Notepad may be hidden beneath a drop down in the Vista/Windows 2008 list view]
- Remove -BEGIN CERTIFICATE- and -END CERTIFICATE——
- Format the certificate blob to be a single line.
- Save this file as clientCertBlob.txt
- I followed Step 2 with one minor change. Here is a copy of the instructions:
- Start Inetmgr, the IIS 7 Manager UI
- Select the SSL web site that is being configured and open Configuration Editor
- Type "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the Section drop down box.
- Select the enabled field and change the value to true
- Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true
- Select the oneToOneMappings property grid entry and click Edit Items… in the Actions Task Pane
- Click Add in the Collection Editor task list
- Copy the single string certificate blob from above and paste it into the certificate field
- Set the userName and password that clients will be authenticated as. (Here is the change: I set the userName to: JohnDoe and password to: password)
- Set the enabled field to true
- Close Collection Editor
- Click Apply in the Actions Task Pane [Note: Click Script Generation prior to clicking Apply to get scripts for this process]
- I followed Step 3 with one minor change. Here is a copy of the instructions:
- From within Inetmgr, the IIS 7 Manager UI, select the SSL web site you want to use client certificates
- Select the SSL UI module
- Under Client certificates: select the Accept radio button. (Here is the change: I selected the Required radio button)
- Click Apply in the Actions Task Pane
- Step 4 was to verify that everything works. However, when I tried to verify that everything works, it didn't. There was one more step that I had to take. The web browser doesn't know anything about the client certificate, so I needed to import it into the browser.
- For Internet Explorer:
- Go to Tools -> "Internet Options" and select the Content tab.
- Click on Certificates and import the JohnDoe.pfx file.
- In Firefox
- Go to Tools -> Options and select the Advanced tab.
- Click on "View Certificates" import the JohnDoe.pfx file.
- For Internet Explorer:
I have found that getting server and client certificates to work on IIS is a frustrating process. My experience has been that when attempting to configure a workstation, each workstation seems to have a slightly different set of steps. What worked for me may not work for everyone. If you are able to get server and client certificates to work with a different set of steps, please post what you have done so that others can try it.
- Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates
- How to Create a Self Signed Certificate in IIS 7
- IIS 7 and Client Certificates
- Configuring One-to-One Client Certificate Mappings
- ASP.NET MVC 3 : Implementing PKI Authentication
Support ASP.NET Wiki
If you like this page, click on the "Share on" links in the wikidot toolbar at the top of the page to share it with your friends.