3
votes

I have a third party web application and now my manager wants to add smart card authentication to some of the pages (not the whole application) and return certificate information. What I'm thinking is to add buttons to those pages, and in the onclick event, I will do the client certificate authentication (where a certificate selection window will appear followed by the "PIN" window) and return certificate object for further processing.

I initially thought about a web service to do the client certificate authentication and return certificate information, which would be great because we might consider using that web service in other web applications (on different platforms). However, I couldn't find any code example that did this. Then I found the IIS solution.

I have now created a separate folder with a page that requires a client certificate. On the button click event, I redirect to that page. Then on that page, I retrieve the certificate information using the X509Certificate class. I don't think this helps me in what I'm trying to do, or at least I don't know how it helps.

So my question is (sorry for the long background description)

  1. How can I redirect back from that page with the certification result?
  2. If possible, any reference on how to build up a web service that does the client certificate authentication in the same way that IIS does?

Thanks

Update: I looked around and still don't have a clue on how to achieve this. I'm not sure how to code at the SSL/TLS handshake stage for the web service. I don't know how to return the certification back to the page I invoke this function from either. So what I'm trying to do now is to redirect from a protected page that requires client authentication. It seems the web server caches the authentication result. Here is my third question; I hope someone can answer it.

How can I clean out the authentication result at the end of the page session so that each time the page is visited, it requests client authentication (where a certificate selection window will appear followed by the "PIN" window)?

2

2 Answers

3
votes

If your app is hosted in IIS then simply add (in web.config) a section that says a client certificate is required for those pages. The browser will then ask the user for a cert.
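A concrete form of that web.config section, added here as an example and not the answerer's own code: it assumes the protected pages live in a folder named `secure` under the application, and that the `access` section has been unlocked in applicationHost.config (`overrideModeDefault="Allow"`) so it can be set at the application level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Only requests under /secure require a client certificate;
       the rest of the application keeps its existing authentication. -->
  <location path="secure">
    <system.webServer>
      <security>
        <!-- Ssl: HTTPS required.
             SslNegotiateCert: IIS asks the browser for a certificate during the TLS handshake,
               which is what triggers the certificate selection and smart card PIN prompts.
             SslRequireCert: a request without a valid certificate is rejected with HTTP 403.7
               instead of reaching the page.
             If the "access" section is still locked at the server level, IIS answers
             with a 500.19 configuration error rather than applying this setting. -->
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

Once the page under `/secure` runs, ASP.NET exposes the negotiated certificate through `Request.ClientCertificate` (check `IsPresent` and `IsValid` before trusting its fields); the certificate itself never travels in the URL, so keep it server-side rather than passing it back through a redirect query string.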

1
votes

Windows has a caching feature which, by default, allows applications to access the private key for a limited time after the initial PIN prompt, or until the application is closed completely.

To disable, set this registry key. (Or use a GPO)

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]
"PrivKeyCacheMaxItems"=dword:00000000
"PrivKeyCachePurgeIntervalSeconds"=dword:00000000