General discussion

SSL configuration.

By swlabhot
We have a Certificate Server with the Key Certificate installed on it, and IIS is set up for secure comms with 'requiring a secure channel when accessing this resource' and 'require client certificates' configured. When browsing to http://<ServerDomainName>/certsrv/ from a client's browser to install a root CA certificate on the client, I get the message 'HTTP Error 403.4 Forbidden: SSL required'.

I'm assuming that it's telling me to use https:// as opposed to http://, but as I haven't installed the client certificate yet I'm unable to select the cert to use and connect to the server in the first place! It's a catch 21 situation.

What am I doing wrong?

SSL configuration.

by MCSE Rabbi In reply to SSL configuration.

It is a bit of a catch 21 if you are both "requiring a secure channel" AND "require client certificates". If the client hasn't been issued a cert yet, this won't work.

You're going to have to turn off "require client certificates" until all your clients have been issued a cert.

Also, since you have "require secure channel" checked, you have to use "https://"

SSL configuration.

by swlabhot In reply to SSL configuration.

I know what you mean and thought of that myself, but according to Microsoft's documentation and the steps outlined, only after you've set up IIS to use the secure channel do you then connect using http:// from the client to request a certificate. It all seems a bit contradictory to me.

Setting up all clients first with certs then enabling the secure channel is not viable as we have many roaming users internationally and so there is no way of knowing and timing when and who have registered for a cert and who hasn't before enabling SSL on the server.

SSL configuration.

by NathanH In reply to SSL configuration.

First off, it is a catch-22.

Second, it is really not. See, you are mixing up the certificates, where there are really two types in use here: server certificates and client certificates. Client certificates are given out to individual users to present to the machine for validation before entering the site. One would most likely use them on Microsoft to map to NT accounts for ACL-level permissions on files or directories. You could also use them for tighter control of who accesses the web server/application. So client certificates are used for authentication.
If you are looking just for encryption of web traffic then the server certificate is enough to give you that, but you have to disable 'require client certificate.'
If you are issuing your own SSL certificate and installing it on the server, the user has to pass the non-CA prompt on the screen the first time and then install it. Also you must always use https://<serverdomainname> if you check the require secure channel.
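An added example, not part of the original thread: one way to see which clients are being turned away by "require secure channel" versus "require client certificates" is to group 403 responses in the IIS W3C log by sub-status. It assumes a log that records `sc-substatus` (IIS 6.0 or later); the log lines, addresses and the `triage` helper are constructed for illustration.

```python
# Added example: group TLS-related 403 responses in an IIS W3C log by sub-status.
from collections import defaultdict

# IIS 403 sub-status codes tied to SSL and client certificates.
SUBSTATUS = {
    4: "SSL required (client used http://)",
    7: "client certificate required (none presented)",
    13: "client certificate revoked",
    16: "client certificate untrusted or invalid",
    17: "client certificate expired or not yet valid",
}

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status sc-substatus
2005-03-01 09:00:01 192.0.2.10 GET /certsrv/ 80 403 4
2005-03-01 09:00:09 192.0.2.10 GET /certsrv/ 443 403 7
2005-03-01 09:02:30 192.0.2.22 GET /certsrv/ 443 200 0
2005-03-01 09:05:12 198.51.100.7 GET /secure/app.asp 443 403 17
"""

def triage(log_text):
    """Return {reason: sorted list of (client_ip, uri)} for TLS-related 403s."""
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                    # other directives, or rows before #Fields
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "403":
            continue
        try:
            sub = int(row.get("sc-substatus", ""))
        except ValueError:
            continue                    # malformed or missing sub-status: skip row
        if sub in SUBSTATUS:
            client = (row.get("c-ip", "?"), row.get("cs-uri-stem", "?"))
            hits[SUBSTATUS[sub]].add(client)
    return {reason: sorted(clients) for reason, clients in hits.items()}

if __name__ == "__main__":
    for reason, clients in triage(SAMPLE_LOG).items():
        print(f"{reason}: {clients}")
```

In the constructed sample, the same client hits 403.4 over http:// and then 403.7 over https://, which is the enrollment lockout described in the question.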
