I'm new to mutual SSL. Therefore my understanding of how client certificates work might be wrong.

When using client certificates in IIS, do they need to be issued from the same certificate (or CA) as the one configured on the IIS HTTPS binding?

  • My dev IIS has a self-signed certificate.
  • For the client certificate, I've created a CA and a client certificate according to the post here.
  • The CA is in the "Trusted Root Certification Authorities" store of the local computer.
  • The client certificate is in my personal certificate folder.
  • On IIS I've set client certificates to Accept.

The first strange thing is that when I browse to my page, IE always shows me 403.7. Even though I've disabled the IE setting "Don't prompt for client certificate selection...", no window opens for the certificate selection.

Also, when accessing the page with an HttpWebRequest with the client cert attached, the response is always 403. Unfortunately, there I did not figure out how to get the sub-status.

Why doesn't IIS accept my client certificate when the root CA of the client certificate is in the trusted root store? Is there a way to get more details on where the problem might be?

Thanks
Thomas

1 Answer

Finally I could solve the issue:

The CA and client certificates which I generated according to the tutorial here did NOT have the private key assigned in the certificate store. I had to remove the certificates from the cert store and import the PFX file including the private key.

Second, the client certificate needs to be in the Current User\Personal store so that IE picks it up. I initially generated it in the Local Computer\Personal store.

There might be a direct way to create the two certificates including the private key with makecert. But the PFX import was the easiest way for me.
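The two conditions the answer found (private key present, certificate in the Current User\Personal store) plus the trust-chain question from the original post can be checked on the client machine before touching IIS. This is an added diagnostic script, not code from the original posts; it assumes PowerShell on the client and only reads the `Cert:\CurrentUser\My` and `Cert:\LocalMachine\My` stores.

```powershell
# Added diagnostic (not from the original post): list certificates in the two
# Personal stores and report, for each, whether it carries a private key,
# whether it has the Client Authentication EKU, and whether it chains to a
# root trusted on this machine. IE only offers certificates from CurrentUser\My.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication
$ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension

function Test-ClientCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU check: a cert without Client Authentication is not offered for mutual TLS
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Chain check against this machine's trust stores (revocation skipped on purpose;
    # the question here is only whether the issuing CA is trusted at all)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # $false: IE/HttpWebRequest cannot use it
        ClientAuthEKU = $hasClientAuth
        ChainBuilds   = $chainOk              # $false: issuing CA not in a trusted store
        ChainStatus   = $status
    }
}

foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Host "== $storePath =="
    Get-ChildItem $storePath |
        ForEach-Object { Test-ClientCertificate -Cert $_ } |
        Format-Table -AutoSize
}
```

A certificate that shows `HasPrivateKey = False`, or that only appears under `Cert:\LocalMachine\My`, reproduces exactly the two faults described in the answer; on the server side, the 403 sub-status (e.g. 7) is recorded in the `sc-substatus` field of the IIS W3C log.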