Discussion:
s it possible to force IIS to accept any certificate?
(too old to reply)
Stanko Milosev
2007-08-15 15:01:45 UTC
Permalink
Hello,

I am trying to configure IIS to accept any certificate, from anyone, is that
possible?

TIA!
Stanko.
Consultant
2007-08-15 19:30:43 UTC
Permalink
why would you want to do this?
Post by Stanko Milosev
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is
that possible?
TIA!
Stanko.
Stanko Milosev
2007-08-16 07:02:36 UTC
Permalink
We want to make web site with PHP, that if a user have a certificate, then,
for example, to give this user welcome screen, but if he don't have a
certificate then to give him login screen.

I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get
client certificate serial number, but only if IIS server accepted user
certificate...
Post by Consultant
why would you want to do this?
Post by Stanko Milosev
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is
that possible?
TIA!
Stanko.
David Wang
2007-08-16 08:14:40 UTC
Permalink
Your authentication protocol is not possible to implement in the
smooth fashion that you imagine, especially if you plan to use generic
browsers like IE/Firefox/Opera or generic servers like Apache/IIS/
Java.

With SSL, IIS supports ignoring, accepting, or requiring client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone. The question is whether you can
*compel* the user to send the certificate when it is optional.

If you don't force the user to send the certificate, then you'll never
get the logic of "certificate first, then fallback to login screen".
If you DO force the user to send the certificate, no web server will
allow a "fallback to login screen". Why? Because that is a custom
authentication scheme unsupported by standards. SSL Client Certificate
protocol never says it works like what you dream.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Post by Stanko Milosev
We want to make web site with PHP, that if a user have a certificate, then,
for example, to give this user welcome screen, but if he don't have a
certificate then to give him login screen.
I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get
client certificate serial number, but only if IIS server accepted user
certificate...
Post by Consultant
why would you want to do this?
Post by Stanko Milosev
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is
that possible?
TIA!
Stanko.- Hide quoted text -
- Show quoted text -
Stanko Milosev
2007-08-16 09:38:17 UTC
Permalink
Thank you David, for your help.

I am just searching for a way to solve my task.

Is there way, any how, that we can accept client certificates? We are trying
to find a way to allow our users to log on to our site with their
certificate, but we don't want them to force to get new certificate, since
we already started pki system for signing and encrypting xml documents, and
our users already have some certificates, now we don't want them to force to
get another one.

Stanko.
Post by David Wang
Your authentication protocol is not possible to implement in the
smooth fashion that you imagine, especially if you plan to use generic
browsers like IE/Firefox/Opera or generic servers like Apache/IIS/
Java.
With SSL, IIS supports ignoring, accepting, or requiring client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone. The question is whether you can
*compel* the user to send the certificate when it is optional.
If you don't force the user to send the certificate, then you'll never
get the logic of "certificate first, then fallback to login screen".
If you DO force the user to send the certificate, no web server will
allow a "fallback to login screen". Why? Because that is a custom
authentication scheme unsupported by standards. SSL Client Certificate
protocol never says it works like what you dream.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Post by Stanko Milosev
We want to make web site with PHP, that if a user have a certificate, then,
for example, to give this user welcome screen, but if he don't have a
certificate then to give him login screen.
I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get
client certificate serial number, but only if IIS server accepted user
certificate...
Post by Consultant
why would you want to do this?
Post by Stanko Milosev
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is
that possible?
TIA!
Stanko.- Hide quoted text -
- Show quoted text -
Stanko Milosev
2007-08-16 09:44:16 UTC
Permalink
I am sorry,
Post by David Wang
With SSL, IIS supports ignoring, accepting, or requiring client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone.
As much as I know, I must follow certificate chain? This mean, that IIS will
not accept certificate which is not followed by certificate from server?

Obviously, I have little knowledge about IIS SSL, can you please recommend
me a book about it?

Thank you again,
Stanko
David Wang
2007-08-18 08:00:52 UTC
Permalink
Post by Stanko Milosev
I am sorry,
Post by David Wang
With SSL, IIS supports ignoring, accepting, or requiring client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone.
As much as I know, I must follow certificate chain? This mean, that IIS will
not accept certificate which is not followed by certificate from server?
Obviously, I have little knowledge about IIS SSL, can you please recommend
me a book about it?
Thank you again,
Stanko
I think your problem is a PKI key distribution/management problem, not
IIS/SSL problem.

You want an authentication protocol that is not supported by all web
browsers and web servers without writing custom software. And you want
that protocol because you don't want users to get a second
certificate. That sounds like the wrong solution to the PKI
certificate distribution problem.

At my company, certificate distribution is automatic and it just
works. IIS requires certificates all the time, and the client
automatically chooses the correct one out of all the distributed
certificates to me.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Ken Schaefer
2007-08-19 04:28:54 UTC
Permalink
Actually, I think the problem here is that:

a) As part of the SSL/TLS handshake, the server indicates that it can accept
client certificate. It presents a list of trusted CAs to the client

b) the client automatically selects an appropriate certificate *if* there is
a single certificate that is issued by one of the trusted CAs. If there are
multiple client auth certificates from multiple trusted CAs, then the user
is prompted to choose which certificate to present to the server

c) Your problem is that IIS doesn't trust certs from every CA in the world.
If your partners have their own CAs, you need to install the root CA certs
into IIS.

Cheers
Ken
Post by Stanko Milosev
I am sorry,
Post by David Wang
With SSL, IIS supports ignoring, accepting, or requiring client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone.
As much as I know, I must follow certificate chain? This mean, that IIS
will not accept certificate which is not followed by certificate from
server?
Obviously, I have little knowledge about IIS SSL, can you please recommend
me a book about it?
Thank you again,
Stanko
Loading...