Re: IIS 5 and client certificates

[Frank Knobbe <fknobbe () knobbeits com>]

On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
> [...]
> What I've tested:
>
> - Anyone with our cert can reach the site with certs ignored or
> accepted, no surprise.
>
> - Anyone with our cert can reach the site with client cert mapping not
> enabled.  Slightly surprising, as I would think that it would default to
> no one being allowed access.
>
> - Anyone with our cert can reach the site with client cert mapping
> enabled and no 1-to-1 rules.  Again surprising.
>
> - I added a second cert, and mapped it to a user that was not allowed
> access to the default.html page.  That user was not allowed access, but
> all other cert holders were allowed access.
>
> - I added a Many-to-1 rule denying access to anyone with the following
> certificate criterium:
>
>      Issuer CN matches '<root CA text here>'
>
> With this enabled, and the local Root CA installed, it matches what I
> thought that it would do with just the client cert installed.
>
>
>
> Since all the major CAs have their certificates installed into Windows
> 2000, IIS recognizes them and I fear that anyone with a valid cert may
> be able to access a site. [...]


Chris,

have you tried *removing* all other root certs from the root CA store of
the web server, leaving only your own root CA cert in the certificate
store?

> From what I understand, any certificate signed by a trusted root CA (so
by default, Verisign etc) are accepted, and the CN name used as a
username for authentication (or via the mapping, remapped to a different
ID). It seems to me that if you trust only your certificate, you would
need to to reduce the trust in the root CA store to just your root cert.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part