Now that we have Certificate Server installed and we have installed a server-side digital certificate within IIS 4.0, two procedures remain before we can start working with client-side certificates within our Visual InterDev 6.0 Web projects. First we need to request a client-side certificate from Certificate Server and install it into our browser, and second we need to configure the Web server to accept or require client certificates for the relevant virtual directories or Web pages.
To request a client-side certificate from Certificate Server, follow these steps:
Complete the Certificate Enrollment Form with your personal information, as shown in Figure 23-6 below.
Figure 23-6. Certificate Server's Certificate Enrollment Form page.
Figure 23-7. Certificate Server's Certificate Download page.
Within Internet Explorer 4.0, you can check that the client certificate has been installed correctly by choosing Internet Options from the View menu and then selecting the Content tab. Next, click Personal in the Certificates group box. You'll now be presented with a list of the client authentication certificates that have been installed into your browser. From here you can view the details of a certificate or import or export certificates. Clicking the View Certificate button displays the certificate Properties dialog box shown in Figure 23-8, which lists the fields in your certificate and their respective values.
Figure 23-8. The certificate Properties dialog box showing field names and their values for a client authentication certificate generated by Certificate Server.
To configure IIS 4.0 to accept or require a client certificate, follow these steps:
Check either the Accept Certificates radio button or the Require Client Certificates radio button as required, as shown in Figure 23-9.
Figure 23-9. The Secure Communications dialog box in the Internet Service Manager, showing the options for accepting or requiring client certificates.
You'll also notice in Figure 23-9 that client certificates can be mapped to Windows NT user accounts. This allows you to control access to resources using standard Windows NT security. You can specify either a direct one-to-one mapping of a certificate to a user account or a wildcard mapping. In wildcard mapping, you can map any certificates that match certain criteria (such as the organizational unit) to a single Windows NT user account or group. For example, you might map all client certificates with an organization code beginning with NIP to a Windows NT 4.0 group named NIP.
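The following Python sketch models the wildcard mapping decision described above. It is an added example, not code from this book or from IIS. The rule format, the comma-separated subject strings, case-insensitive matching, first-match-wins ordering, the reading of "organization code" as the O subfield, and every name other than the NIP group are assumptions or constructed sample values.

```python
from fnmatch import fnmatchcase

# Constructed wildcard rules (assumed format): every criterion in a rule must
# match, and the first matching rule decides the Windows NT account or group.
RULES = [
    ({"O": "NIP*"}, "NIP"),  # the page's example: organization begins with NIP
    ({"O": "Contoso", "OU": "Finance*"}, "FinanceUsers"),  # constructed rule
]

def parse_subject(subject):
    """Split 'C=US, O=NIP01, CN=Jo' into {'C': ['US'], 'O': ['NIP01'], ...}.

    Simplification: values containing commas or escapes are not handled.
    """
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.partition("=")
        if sep and key.strip() and value.strip():
            fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields

def matches(fields, criteria):
    """True when every criterion matches some value of its named field."""
    return all(
        any(fnmatchcase(v.lower(), pat.lower()) for v in fields.get(name.upper(), []))
        for name, pat in criteria.items()
    )

def map_certificate(subject, rules=RULES):
    """Return the mapped account, or None when no rule matches."""
    fields = parse_subject(subject)
    for criteria, account in rules:
        # An empty criteria set would match every certificate; skip it.
        if criteria and matches(fields, criteria):
            return account
    return None

if __name__ == "__main__":
    # Constructed subjects: a match, a look-alike, and a wrong-field attempt.
    for s in ("C=US, O=NIP01, OU=Sales, CN=Alice Example",
              "O=SNIP, CN=Bob Example",
              "OU=NIP, CN=NIP Admin"):
        print(f"{s!r} -> {map_certificate(s)}")
```

The last two sample subjects show why a rule should name the exact field and anchor its pattern: a value that merely contains NIP, or that carries NIP in a different subfield, maps to no account.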