Client-Side Certificates

Now that we have Certificate Server installed and we have installed a server-side digital certificate within IIS 4.0, two procedures remain before we can start working with client-side certificates within our Visual InterDev 6.0 Web projects. First we need to request a client-side certificate from Certificate Server and install it into our browser, and second we need to configure the Web server to accept or require client certificates for the relevant virtual directories or Web pages.

To request a client-side certificate from Certificate Server, follow these steps:

  1. Make sure that Certificate Server is installed and has been configured as a root CA.
  2. Go into the main administration page of Certificate Server at http://localhost/certsrv/, and click the Certificate Enrollment Tools hyperlink.
  3. Select the Request A Client Authentication Certificate option.
  4. Complete the Certificate Enrollment Form with your personal information, as shown in Figure 23-6 below.


    Figure 23-6. Certificate Server's Certificate Enrollment Form page.

  5. Click Submit Request to submit the information to Certificate Server.
  6. If all is successful, Certificate Server will present you with a Certificate Download page, as shown in Figure 23-7.
  7. Click Download to download and install the new certificate. Certificate Server will remind you that you need to have the CA's root certificate installed as well.

Within Internet Explorer 4.0, you can check that the client certificate has been installed correctly by choosing Internet Options from the View menu and then selecting the Content tab. Next click Personal in the Certificates group box. You'll now be presented with a list of the client authentication certificates that have been installed into your browser. From here you have the ability either to view the details of the certificate or to import or export certificates. Figure 23-8 shows the certificate Properties dialog box if you click the View Certificate button. This dialog box shows the fields and their respective values within your certificate.


Figure 23-7. Certificate Server's Certificate Download page.


Figure 23-8. The certificate Properties dialog box showing field names and their values for a client authentication certificate generated by Certificate Server.

To configure IIS 4.0 to accept or require a client certificate, follow these steps:

  1. Start Internet Service Manager by choosing Start|Programs|Windows NT 4.0 Option Pack|Microsoft Internet Information Server|Internet Service Manager.
  2. Select the virtual directory or Web page that you want to secure.
  3. Right-click the item, and choose Properties from the context menu.
  4. In the Directory Security or File Security tab, click the Edit button in the Secure Communications group box.
  5. Check the Require Secure Channel When Accessing This Resource check box.
  6. Check either the Accept Certificates radio button or the Require Client Certificates radio button as required, as shown in Figure 23-9.


    Figure 23-9. The Secure Communications dialog box in the Internet Service Manager, showing the options for accepting or requiring client certificates.

You'll also notice in Figure 23-9 that client certificates can be mapped to Windows NT user accounts. This allows you to control access to resources using standard Windows NT security. You can either specify direct one-to-one mapping of a certificate to a user account or specify wildcard mapping. In wildcard mapping, you can map any certificates that match certain criteria (such as the organization unit) to a single Windows NT user account or group. For example, you might map all client certificates with an organization code beginning with NIP to a Windows NT 4.0 group named NIP.
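The wildcard mapping described above can be modeled in a few lines of Python. This is an added example, not code from the book or from IIS: the rule format, the account names other than NIP, case-sensitive matching, first-match-wins ordering, and the simple comma-separated subject parsing are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample rules (hypothetical format). Every criterion in a rule
# must match for the rule to apply; rules are tried in order.
RULES = [
    {"criteria": {"O": "Example*", "OU": "Audit"}, "account": "Auditors"},
    {"criteria": {"OU": "NIP*"}, "account": "NIP"},
]


def parse_subject(dn):
    """Split a simple subject such as 'CN=Alice, OU=NIP-Sales' into a dict.

    Assumes no escaped commas and no repeated field names.
    """
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def map_certificate(subject_dn, rules=RULES):
    """Return the account of the first rule whose criteria all match, else None."""
    fields = parse_subject(subject_dn)
    for rule in rules:
        criteria = rule["criteria"]
        # A field that is absent from the certificate never matches,
        # even against a bare '*' pattern.
        if all(k in fields and fnmatchcase(fields[k], pattern)
               for k, pattern in criteria.items()):
            return rule["account"]
    return None  # no mapping: the certificate is tied to no account


if __name__ == "__main__":
    # Constructed sample subjects.
    for subject in (
        "CN=Alice, OU=NIP-Sales, O=Example, C=US",
        "CN=Carol, OU=Audit, O=Example Corp",
        "CN=Dan, OU=Audit, O=Other",
        "CN=Eve, OU=nip-sales, O=Example",
    ):
        print(subject, "->", map_certificate(subject))
```

The model makes one property of wildcard mapping visible: a rule such as `OU=NIP*` grants the mapped account's rights to every certificate from a trusted CA that carries a matching field, so the rule is only as strong as the CA's control over who can obtain that field value.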



Programming Microsoft Visual InterDev 6.0
ISBN: 1572318147
EAN: 2147483647
Year: 2005
Pages: 143
