nsimeonov

Reputation: 744

Authenticate user via Client Signed SSL Certificate in ASP.NET application

I want to add extra security to a site and generate self-signed client certificates for my users.

I set IIS to require client certificates, created a self-signed certificate for the server and followed a few articles explaining how to create the client certificate via makecert and pvk2pfx (all of them using the following method):

makecert -r -n "CN=My Personal CA" -pe -sv MyPersonalCA.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -cy authority MyPersonalCA.cer
makecert -iv MyPersonalCA.pvk -ic MyPersonalCA.cer -n "CN=John Doe" -pe -sv JohnDoe.pvk -a sha1 -len 2048 -b 01/21/2010 -e 01/21/2016 -sky exchange JohnDoe.cer -eku 1.3.6.1.5.5.7.3.2
pvk2pfx -pvk JohnDoe.pvk -spc JohnDoe.cer -pfx JohnDoe.pfx -po PASSWORD

I installed MyPersonalCA in trusted certification authorities and JohnDoe.pfx in appropriate certification storage.

However, when I open my site I am getting:

HTTP Error 403.7 - Forbidden

What am I missing? Why isn't the browser sending the client certificate?

Upvotes: 0

Views: 901

Answers (1)

Wiktor Zychla

Reputation: 48230

There are the following conditions under which the browser will let you pick a certificate:

  1. The certificate has to be generated with the "client authentication" option:

     1.3.6.1.5.5.7.3.2 - id_kp_clientAuth

  2. The certificate that signs your certificate has to be installed in the trusted root certification authorities on the server (not on the client!)

  3. The certificate itself has to be installed in the browser's certificate store (the system store for IE and Chrome, an internal store in Firefox)

Note that this is still not enough for authentication; you also need a custom authentication module, or you have to configure mappings between certificates and users manually on the server.

Upvotes: 1
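One shape the custom authentication module mentioned in the answer can take, as an added ASP.NET example (not code from the question or the answer): it checks the three conditions the answer lists on the server side and then maps the certificate to a user. The module class, its mapping table and both thumbprints are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

// Hypothetical HTTP module: maps a validated client certificate to an application user.
public class ClientCertAuthModule : IHttpModule
{
    private const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";   // id-kp-clientAuth
    // Placeholder: thumbprint of MyPersonalCA.cer, read from the server's certificate store.
    private const string TrustedCaThumbprint = "PLACEHOLDER_CA_THUMBPRINT";
    // Placeholder mapping from client certificate thumbprint to application user name.
    private static readonly Dictionary<string, string> UsersByThumbprint = new Dictionary<string, string>(
        StringComparer.OrdinalIgnoreCase) { { "PLACEHOLDER_JOHNDOE_THUMBPRINT", "John Doe" } };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string user = Authenticate(ctx.Request.ClientCertificate);
            // No acceptable certificate: deny the request instead of falling through anonymously.
            if (user == null) { ctx.Response.StatusCode = 403; ctx.ApplicationInstance.CompleteRequest(); return; }
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "ClientCertificate"), new string[0]);
        };
    }

    public void Dispose() { }

    // Returns the mapped user name, or null when the certificate must be rejected.
    internal static string Authenticate(HttpClientCertificate raw)
    {
        if (raw == null || !raw.IsPresent) return null;
        var cert = new X509Certificate2(raw.Certificate);
        // Condition 1 from the answer: the EKU extension must include client authentication.
        bool clientAuth = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>()
            .Any(ext => ext.EnhancedKeyUsages.Cast<Oid>().Any(oid => oid.Value == ClientAuthOid));
        if (!clientAuth) return null;
        // Condition 2: the chain must end at our own CA, not merely at any trusted root.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // the makecert CA publishes no CRL
        if (!chain.Build(cert)) return null;
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedCaThumbprint, StringComparison.OrdinalIgnoreCase)) return null;
        // Explicit certificate-to-user mapping; any unknown certificate is rejected.
        string name;
        return UsersByThumbprint.TryGetValue(cert.Thumbprint, out name) ? name : null;
    }
}
```

Register the module under `<system.webServer><modules>` in web.config; the thumbprint constants are placeholders to replace with the values shown in the server's certificate store.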
