Acceptance of client certificates from any CA

I am setting up user support for logging in with client certificates. Unfortunately, IIS refuses to recognize any certificate that is not tied to an established CA (see this article).

Since the function is implemented only for the convenience of users, it would be great to allow any client certificate. Is there any way to do this?

My server is running Windows Server 2003 and IIS 6, but the behavior on my IIS 7 is not working either. If IIS 7 can be configured to support any client certificate, I could switch to it, though (if no solution is found for IIS 6).

+4
4 answers

I think the normal way is to issue the certificates yourself, and then configure IIS to accept your certificate as the root.

+2

Implement this class:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // Policy that accepts every certificate unconditionally (expired, name mismatch,
    // untrusted issuer); WebRequest calls CheckValidationResult for each connection.
    public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
    {
        public TrustAllCertificatePolicy() { }

        public bool CheckValidationResult(ServicePoint sp, X509Certificate cert, WebRequest req, int problem)
        {
            return true;
        }
    }

Install it using the following line of code. After that, all certificates (expired, name mismatch, etc.) will be accepted.

    System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();

+1

I think you can add a new root CA certificate through the certmgr command:

    certmgr --add -c -m Trust <CA_cert_DER_fmt>

Note: unlike UNIX, Windows manages certificates for all applications simultaneously, which may have security implications, so beware of this.

0

WCF allows you to write a custom X.509 certificate handler. In the code, you can do some checks, like comparing a fingerprint against a signed value in a database.

0
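Added example, not code from the answer above: a WCF X509CertificateValidator that does the fingerprint check the answer describes, with an in-memory allow-list standing in for the database lookup, plus the ServiceHost wiring that swaps WCF's chain-trust check for it. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts a client certificate only if its thumbprint is registered; the
// in-memory set stands in for the database lookup mentioned in the answer.
public class ThumbprintAllowListValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed;

    public ThumbprintAllowListValidator(IEnumerable<string> thumbprints)
    {
        allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string t in thumbprints)
            allowed.Add(t.Replace(" ", "").Replace(":", ""));  // normalise "AB:CD ..." forms
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // Custom mode skips chain building, so re-check the validity window ourselves.
        DateTime now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate expired or not yet valid.");

        // Match on the thumbprint (hash of the whole certificate), never on the subject
        // name: a self-signed certificate can carry any subject its creator likes.
        if (!allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Unregistered client certificate: " + certificate.Thumbprint);
    }
}

public static class HostSetup
{
    // Replaces WCF's default chain-trust validation with the allow-list validator.
    public static void UseThumbprintAllowList(ServiceHost host, IEnumerable<string> thumbprints)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintAllowListValidator(thumbprints);
    }
}
```

Because the thumbprint is a hash of the whole certificate, the stored value must be updated whenever a user re-issues their certificate, and removing it from the list is how you revoke access, since custom mode performs no CRL or OCSP check.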

Source: https://habr.com/ru/post/1277479/
