Troels Thomsen

Reputation: 11617

Accepting client certificates from any CA

I am setting up support for users to sign in with client certificates. Unfortunately IIS refuses to acknowledge any certificate not chained to an installed CA (see this article).

As the feature is implemented only for users' convenience, it would be great to allow any client certificate. Is there any way to accomplish this?

My server is running Windows Server 2003 and IIS 6, but the behaviour is no different on my IIS 7 running locally. If IIS 7 could be customized to support any client certificate, I would be able to change though (given no solution for IIS 6 is available).

Upvotes: 4

Views: 5498

Answers (4)

Chris Ballance

Reputation: 34347

Implement this class:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // ICertificatePolicy is consulted by ServicePointManager when this process makes
    // outgoing HTTPS requests; returning true accepts the remote certificate
    // regardless of the validation problem reported.
    public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
    {
        public TrustAllCertificatePolicy() {}

        public bool CheckValidationResult(ServicePoint sp, X509Certificate cert, WebRequest req, int problem)
        {
            return true;
        }
    }

Set it using the following line of code. Afterward, any certificate, whether expired, name-mismatched, etc., will be accepted.

    System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();

Upvotes: 1

Eugene Yokota

Reputation: 95624

WCF allows you to write a custom X.509 certificate handler. In the code you can do checks such as comparing the thumbprint against a known value in the database.

Upvotes: 0
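The custom handler described in this answer, as an added example that is not the answerer's code: a WCF `X509CertificateValidator` that accepts a client certificate only when its thumbprint is on an allow list (standing in for the database lookup) and it is within its validity period, so no CA chain is required but unknown certificates are still rejected. The `HostSetup` class, the `ServiceHost` wiring and the placeholder thumbprint are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Accepts a client certificate only if its thumbprint is on the allow list,
// regardless of which CA (if any) issued it. The allow list stands in for the
// database lookup mentioned in the answer; the thumbprints are constructed placeholders.
public class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowed;

    public PinnedThumbprintValidator(IEnumerable<string> allowedThumbprints)
    {
        // Normalise so spacing or case differences in stored values cannot cause a mismatch.
        allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var t in allowedThumbprints)
            allowed.Add(t.Replace(" ", string.Empty));
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // A pinned certificate is still rejected once it has expired or is not yet valid.
        var now = DateTime.Now;
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is outside its validity period.");

        if (!allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Client certificate thumbprint " + certificate.Thumbprint + " is not registered.");
    }
}

public static class HostSetup
{
    // Wires the validator into a ServiceHost (assumed to be created by the caller).
    public static void Configure(ServiceHost host)
    {
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(new[]
        {
            "0000000000000000000000000000000000000000" // placeholder: the user's registered thumbprint
        });
    }
}
```

The project needs references to the System.IdentityModel and System.ServiceModel assemblies; the same validator can also be set in configuration via the `clientCertificate/authentication` element with `certificateValidationMode="Custom"`.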

Purfideas

Reputation: 3288

I think you can add a new root CA cert via the certmgr command:

    certmgr --add -c -m Trust <CA_cert_DER_fmt>

Note: Unlike UNIXes, Windows manages certs for all applications simultaneously, which can have security implications, so beware of that.

Upvotes: 0

Lou Franco

Reputation: 89172

I think the normal way is for you to issue the certificates to them, and then for you to set up IIS to accept your cert as a root.

Upvotes: 2
