Configuring client certificates for mutual authentication on IIS 8

Hafiz Mohammed
7 min read, Jan 13, 2016

After spending more than 3 hours configuring mutual authentication on one of my projects, I decided to write this article to ease the IIS configuration for those who want mutual authentication between their web server and their clients' applications.

I write this post using self-signed certificates for demonstration purposes; the same steps apply to CA-issued certificates.

This assumes IIS is already installed on your machine (note: when installing IIS, include the Client Certificate Mapping Authentication feature). Here are the steps.

1. Make your website require a client certificate

Select your site in IIS Manager and click SSL Settings.

On the SSL Settings page, tick the Require SSL checkbox and, in the Client certificates section, choose the Require option so that every client connection to the website must present a certificate.

2. Generating self-signed root and client certificates

For this post we use our own root CA and client certificate. I use makecert.exe (found in the Windows SDK) to create the certificates.

2.1 Generate a root certificate for signing your client certificates

makecert -n "CN=ClientRootCA" -r -sv ClientRootCA.pvk ClientRootCA.cer

This creates your root certificate and its private key.

  • In the Create Private Key Password dialog box, enter a password, confirm the password, and then click OK. Optionally, you can click None without entering a password, but this is not recommended for security reasons.
  • In the Enter Private Key Password dialog box, enter the password again and then click OK. This is the password needed to access the private key file ClientRootCA.pvk in order to generate the file ClientRootCA.cer containing the public key.

2.2 Install the root certificate on the server machine

In this step we install the certificate in the Trusted Root Certification Authorities store.

To do this, run MMC on your machine, then click File -> Add/Remove Snap-in and add the Certificates snap-in for the local computer.

Then import the certificate you created in 2.1 (ClientRootCA) into Trusted Root Certification Authorities.

In the left panel, go to Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.

Right-click Certificates and choose All Tasks -> Import.

On the next page, choose the ClientRootCA.cer file you created earlier.

Click Next and then Finish. Your certificate now appears in the trusted certificate list.

Your root CA is now trusted by your server: any certificate signed by this root CA will be trusted from now on.

3. Create a sample client certificate for authentication with your server

makecert -sk MyKeyName -iv ClientRootCA.pvk -n "CN=tempClientcert" -ic ClientRootCA.cer -sr currentuser -ss my -sky signature -pe

(-iv and -ic point at the root CA private key and certificate from step 2.1; -sr currentuser -ss my stores the new certificate in the current user's Personal store and -pe marks its private key as exportable.)

  • In the Enter Private Key Password dialog box, enter the password for the root CA private key file you created in step 2.1.

This command creates a certificate in the current user's Personal certificate store (which can be exported later from MMC).

4. Export the client certificate for use

Open MMC again, as before.

  • Go to File -> Add/Remove Snap-in
  • As before, choose Certificates -> Add, but this time choose My user account

This adds another tree on the left side, “Certificates — Current User”.

Open it and go to Personal -> Certificates.

You will see “tempClientcert” in the certificate list (that is your test client certificate, which will be used to authenticate).

  • Right-click the certificate and choose All Tasks -> Export, which opens the export wizard. Click Next.

We export the certificate twice: once with the private key and public key together (used by the client to authenticate) and once with only the public key (used for the mapping in IIS).

Export with the private key

After clicking Next on the first page of the wizard, choose “Yes, export the private key” and click Next.

Keep the Personal Information Exchange (.PFX) format selected and click Next.

Provide a password and click Next.

Then give the file a name on the next page, save it as “clientCertificate.pfx” (choose the .pfx file type), and finish.

Export only the public key

Open the export wizard again. This time select the second option, “No, do not export the private key”.

Choose Base-64 encoded X.509 (.CER).

Click Next, give the file a name (like client_public) on the next page, and finish.

This creates a file containing the public certificate of your client.

Now open this file in Notepad and copy only the string between

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

Join it into a single line, removing the line breaks between the lines (Notepad++ does this easily):

MIIDCDCCAfSgAwIBAgIQZV5nv5kR1KVLpendVfY ……….

(Note: this string is used for the mapping in IIS.)

5. Configuring the IIS mapping

Now open IIS Manager to map the client certificate to a Windows account for your site.

Click your website and double-click Authentication.

Disable Anonymous Authentication.

Apply the change, then in the Management section double-click Configuration Editor.

  • In Section, enter system.webServer/security/authentication/iisClientCertificateMappingAuthentication
  • Set enabled to True
  • Set oneToOneCertificateMappingsEnabled to True
  • Click oneToOneMappings

The Collection Editor dialog opens.

  • Click Add in the top right corner
  • In certificate, paste the one-line public certificate string from step 4 (the one we said would be used for the IIS mapping)
  • Set enabled to True
  • Enter a valid Windows username and password that can log in to the server machine
  • Close the dialog

Click Apply. The mapping for your site is now done.
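The same server-side configuration (steps 1, 2.2, 4 and 5) can be scripted with the WebAdministration and PKI modules that ship with Windows Server 2012 / IIS 8. The script below is an added example, not part of the original post; the site name 'Default Web Site', the C:\certs\ file paths and the mapped account are placeholders, and it assumes ClientRootCA.cer and client_public.cer were produced with the makecert and MMC steps above. It also adds the check a practitioner wants before mapping anything: that the client certificate really chains to the root the server now trusts, which is exactly what IIS will verify on every connection.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session
# on the IIS server. Paths, site name and account are placeholders.
Import-Module WebAdministration
Import-Module PKI

$siteName       = 'Default Web Site'                 # placeholder
$rootCaCerPath  = 'C:\certs\ClientRootCA.cer'        # placeholder, root public cert from step 2.1
$clientCerPath  = 'C:\certs\client_public.cer'       # placeholder, public-only export from step 4
$apphost        = 'MACHINE/WEBROOT/APPHOST'
$mappingSection = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Step 2.2: trust the root CA in the machine store (what the MMC import does).
Import-Certificate -FilePath $rootCaCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 4: turn the exported public certificate into the one-line Base64 string IIS expects.
# RawData is the DER encoding, i.e. exactly the bytes between BEGIN/END CERTIFICATE,
# so no Notepad editing is needed and no line breaks can sneak in.
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $clientCerPath
$certBase64 = [Convert]::ToBase64String($clientCert.RawData)

# Check before mapping: the client certificate must chain to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # makecert certificates carry no CRL distribution point
if (-not $chain.Build($clientCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Client certificate does not chain to a trusted root: $status"
}

# Step 1: require SSL and a client certificate for the site (SSL Settings page).
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 5: disable anonymous authentication and enable one-to-one certificate mapping.
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter $mappingSection -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter $mappingSection -Name 'oneToOneCertificateMappingsEnabled' -Value $true

# Ask for the Windows account the certificate maps to rather than hard-coding a password.
$cred = Get-Credential -Message 'Windows account that the client certificate should map to'
Add-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter "$mappingSection/oneToOneMappings" -Name '.' -Value @{
        certificate = $certBase64
        enabled     = 'true'
        userName    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password
    }

# Show the resulting mapping entries (IIS stores the password attribute encrypted in applicationHost.config).
Get-WebConfiguration -PSPath $apphost -Location $siteName -Filter "$mappingSection/oneToOneMappings/add" |
    Select-Object userName, enabled, @{ n = 'certificate'; e = { $_.certificate.Substring(0, 20) + '...' } }
```

Two points worth keeping in mind when you use this: every holder of the client certificate logs in as the mapped Windows account, so give that account only the rights the site needs rather than an administrator login; and ClientRootCA.pvk (with its password) is the only thing standing between an attacker and a certificate your server will accept, so it belongs off the web server entirely.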

6. Client side

Client certificate authentication is now enabled for your site: when you browse to it, the browser asks you for a client certificate.

The client certificate is the one we exported as “clientCertificate.pfx”.

On the client machine, import the certificate by double-clicking the .pfx file and importing it into your personal certificate store. It is then available to the browser as an imported certificate in the Select Certificate prompt.

Without a certificate, or with an invalid one, the server returns an error to the client.

With a valid certificate you can access the site securely.
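To see both outcomes without a browser, the following added example (not from the original post) imports clientCertificate.pfx on the client machine and then requests the site once without and once with the certificate from Windows PowerShell 5.1. The site URL and PFX path are placeholders, and it assumes the server's own HTTPS certificate is trusted by the client, since Invoke-WebRequest refuses an untrusted server certificate before any client authentication happens.

```powershell
# Added example (not from the original post). Run on the client machine in Windows PowerShell 5.1.
Import-Module PKI

$siteUrl = 'https://server.example.test/'     # placeholder, your IIS site
$pfxPath = 'C:\certs\clientCertificate.pfx'   # placeholder, the file exported in step 4

function Test-MutualTls {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $params = @{ Uri = $Uri; UseBasicParsing = $true }
    if ($Certificate) { $params.Certificate = $Certificate }   # presented during the TLS handshake
    try {
        $response = Invoke-WebRequest @params
        return "HTTP $($response.StatusCode) (client authenticated as the mapped account)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # IIS answers 403 when SslRequireCert is not satisfied; the sub-status in the
            # IIS log tells you why (403.7 certificate required, 403.16 certificate untrusted).
            return "HTTP $([int]$resp.StatusCode) $($resp.StatusDescription)"
        }
        return "Connection failed: $($_.Exception.Message)"
    }
}

# Step 6: import the PFX into the current user's Personal store (the double-click import).
$pfxPassword = Read-Host -Prompt 'Password for clientCertificate.pfx' -AsSecureString
$clientCert  = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

'Without certificate : ' + (Test-MutualTls -Uri $siteUrl)
'With certificate    : ' + (Test-MutualTls -Uri $siteUrl -Certificate $clientCert)
```

The first call should come back as a 403 and the second as a 200; if the second also fails with 403, check the IIS log sub-status on the server, which distinguishes a certificate that was never sent from one the server does not trust or has no mapping for.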

I hope this helps you.

Here are some good books on IIS 8 (the links are Amazon affiliate links 👇):

  1. https://www.amazon.com/Professional-Microsoft-IIS-Kenneth-Schaefer/dp/1118388046/ref=as_sl_pc_tf_til?tag=hafama-20&linkCode=w00&linkId=4971a77aff691f881e6f36b6008c13ed&creativeASIN=1118388046
  2. https://www.amazon.com/Microsoft-IIS-10-0-Cookbook-Task-oriented/dp/1787126676/ref=as_sl_pc_tf_til?tag=hafama-20&linkCode=w00&linkId=9d00d06c896741083aff10db2a1ecdd4&creativeASIN=1787126676

I will write about how to use client certificates from a .NET application.
