Reputation: 64391
I am trying to make an SSL connection to a web site. Each time I enter the https:// address and press Enter, IE8 prompts me to select the certificate (client certificate) to send to the server.
I have 2 certificates to choose from. They are stored in IE8 -> Internet Options -> Content -> Certificates -> Personal.
Since my server and client are the same machine, I want to use a single certificate for both server and client. This certificate is an IIS-generated self-signed certificate. I do the following steps:
1- Generate a self-signed-cert in IIS;
2- Bind my site to https and choose the above self-signed-cert (this is for the server)
3- Import the self-signed-cert at the IE8 -> Internet Options -> Content -> Certificates -> Personal. (this is for Client)
Then I use the https link to access my page, and it still prompts me to choose a certificate. But I cannot see my newly imported self-signed-cert. Why?
And one more question: I see in the MMC that the self-signed-cert's intended purpose is "Server Authentication". Could I use it for "Client Authentication"?
Upvotes: 1
Views: 559
Reputation: 1759
If you want to use HTTPS (and you need only SSL Server authentication) from every client, you need to:
1) create a self signed certificate in IIS
2) put it into the server (X.509 CER or DER with private key)
3) take the X.509 .CER or .DER (without private key; you can export it choosing this option) and load it into the trusted authorities of the client PC. This is needed only for root CA validation.
I think you cannot see your certificate in "Personal" now because self-signed certificates are put into intermediate authorities (in Vista). So load the certificate into the client without the wizard and pay attention to the store you put it in.
I hope this helps you.
Upvotes: 0
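
An added example, not part of either post: a PowerShell check of the current user's Personal store that reports, for each certificate, whether a private key is present and whether its Enhanced Key Usage permits Client Authentication, which is the "intended purpose" point raised at the end of the question. It assumes the browser's certificate picker only offers certificates that meet both conditions; the function name `Get-ClientAuthReadiness` is hypothetical.

```powershell
# Added example: audit Cert:\CurrentUser\My (IE's "Personal" tab) for client-auth suitability.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-ClientAuthReadiness {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Locate the Enhanced Key Usage extension, if the certificate carries one.
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # A certificate with no EKU extension is not restricted to any purpose.
        $clientOk = (-not $ekuExt) -or ($oids -contains $clientAuthOid)

        New-Object PSObject -Property @{
            Subject           = $Certificate.Subject
            Thumbprint        = $Certificate.Thumbprint
            SelfSigned        = ($Certificate.Subject -eq $Certificate.Issuer)
            HasPrivateKey     = $Certificate.HasPrivateKey
            ServerAuthOnly    = ($oids.Count -eq 1 -and $oids[0] -eq $serverAuthOid)
            ClientAuthAllowed = $clientOk
            # Both conditions are assumed to be required for the picker to list it.
            UsableAsClient    = ($clientOk -and $Certificate.HasPrivateKey)
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Get-ClientAuthReadiness |
    Select-Object Subject, Thumbprint, SelfSigned, HasPrivateKey,
                  ServerAuthOnly, ClientAuthAllowed, UsableAsClient |
    Format-Table -AutoSize
```

A row with `ServerAuthOnly` true, or with `HasPrivateKey` false (for example after importing a .CER export rather than a .PFX), is one to examine first when an imported certificate is missing from the prompt.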