I have an IIS set up to only accept client connections with an SSL certificate. I have a WCF service running on IIS. I have a Certification Authority in the server's trusted CAs. Now, when a client connects to the service, does IIS validate that the client certificate was issued by one of my trusted CAs? Or do I have to do the validation in my WCF service?
Also, if I want the service to only accept connections from one particular CA (not all of my trusted CAs, just one), would I have to do the verification in the service code?
If you configured IIS to demand mutual HTTPS (SSL with client certificates), IIS / http.sys is responsible for validating the certificate, and the client certificate must either be in the Trusted People store or be issued by a trusted CA. The certificate is validated during the security handshake that establishes the SSL connection. When IIS is used to host a WCF service, this validation is done outside of WCF (in the case of self-hosting you can use custom certificate validation).
If you want to restrict access to the service to only a limited subset of clients (those with certificates issued by just a single CA), you should move this requirement from authentication (validating the certificate) to authorization: a custom AuthorizationPolicy in your WCF service where you validate that the certificate was issued by the correct CA, i.e. that the client is authorized to call your service.
Trusted issuers can also be configured at the system level with netsh - check sslctlidentifier and sslctlstorename. This configuration will be global for the whole port (web site), so if you have multiple web applications or services with different requirements hosted on the same port, this will not be an option for you.
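As an added illustration of the custom AuthorizationPolicy approach described above (example code written here, not from the answer's author or from WCF itself): an IAuthorizationPolicy that rebuilds the chain of the client certificate IIS already accepted and authorizes the call only when the chain's root matches one configured thumbprint. The thumbprint constant is a placeholder you replace with your own CA's value.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;

// Hypothetical policy: IIS has already authenticated the client certificate;
// this only adds the "issued by exactly this CA" authorization check.
public class SingleIssuerAuthorizationPolicy : IAuthorizationPolicy
{
    // Placeholder: put the thumbprint of the one root CA you want to accept here.
    private const string AllowedRootThumbprint = "REPLACE_WITH_ROOT_CA_THUMBPRINT";

    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        foreach (ClaimSet claimSet in evaluationContext.ClaimSets)
        {
            var certClaims = claimSet as X509CertificateClaimSet;
            if (certClaims == null) continue;

            if (ChainsToAllowedRoot(certClaims.X509Certificate))
                return true; // authorized: existing claims are left in place

            // Valid certificate, but from a different CA: deny the call.
            throw new SecurityAccessDeniedException(
                "Client certificate was not issued by the required CA.");
        }
        // No certificate claim set at all: deny rather than fall through.
        throw new SecurityAccessDeniedException("No client certificate presented.");
    }

    private static bool ChainsToAllowedRoot(X509Certificate2 clientCert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(clientCert)) return false;

        // The last element of a successfully built chain is the root certificate.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, AllowedRootThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Register the policy under the service's serviceAuthorization behavior (authorizationPolicies) so WCF runs it for every call; note that it authorizes on the chain's root, so an intermediate CA under a shared root would still pass and would need its own check.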
Yes, IIS validates the client certificate for mutual authentication; you don't have to check it in your web service code.
Check this article; it will make it clearer.