IIS Client certificate settings:
There are two places for client certificate settings in IIS Manager, and it is important to understand the difference between them.
The first place is the SSL Settings feature under each web application's settings, which has a client certificate radio button. If it is set to Require, then when a client connects to the server over SSL, the server challenges the client for its certificate, and the client certificate must be signed by a root CA trusted by the server (one present in the server's Trusted Root Certification Authorities store). For example, a web application can allow Anonymous authentication but require the client to use SSL with the client certificate set to Require. In that case, as long as the client certificate is signed by a trusted CA, the client can complete the request without any of the one-to-one or many-to-one mapping settings described in the second place.
The second place is the site-scoped setting in Configuration Editor under Default Web Site. This setting authenticates a client by its client certificate. Note that under a web application's Authentication settings you can only enable Anonymous, Basic, Digest, Forms and similar authentication; there is no client certificate item to enable. So to enable client certificate authentication for your web application, disable all authentication methods for the application under its Authentication settings, and then use Configuration Editor under Default Web Site to enable it by configuring either one-to-one or many-to-one mapping. Otherwise, because all authentication methods are disabled, the client cannot be authenticated by the server even if its certificate is trusted, and the request fails. Note that if you have enabled another kind of authentication under the Authentication settings, the client certificate mapping is not necessary.
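The following script is an added example (not part of the original page) that reads both settings described above for one site and application and reports which of the two is doing the work: the SSL Settings flags of the application, the site-scoped mapping section, and the ordinary authentication modules that the text says must be disabled for mapping to apply. It assumes the WebAdministration module of IIS 7.5 or later in an elevated shell; the site and application names, the Get-IisValue and ConvertTo-Bool helpers, and the verdict wording are assumptions of this example, not values or code from the page.

```powershell
# Added example, not from the original page: read the two client-certificate
# settings the text distinguishes for one site and application, and report
# whether a client presenting a trusted certificate can complete a request.
# Assumes the WebAdministration module (IIS 7.5 or later) in an elevated shell;
# the site and application names are assumptions, not values from the page.
Import-Module WebAdministration

$site    = 'Default Web Site'           # assumption
$appLoc  = "$site/MyApp"                # assumption: hypothetical application
$appHost = 'MACHINE/WEBROOT/APPHOST'    # applicationHost.config, where Configuration Editor writes

# Get-WebConfigurationProperty returns a ConfigurationAttribute for some
# attributes and a bare value for others; normalise to the bare value.
function Get-IisValue($Filter, $Name, $Location) {
    $r = Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $Filter -Name $Name -ErrorAction Stop
    if ($null -ne $r -and $r.PSObject.Properties['Value']) { return $r.Value }
    return $r
}
# Never cast a string to [bool] directly: [bool]'False' is $true in PowerShell.
function ConvertTo-Bool($v) { if ($v -is [bool]) { return $v }; return ([string]$v) -eq 'True' }

# Setting 1: the application's SSL Settings (system.webServer/security/access).
# sslFlags is a flag set drawn from Ssl, SslNegotiateCert, SslRequireCert, Ssl128.
$sslFlags    = [string](Get-IisValue 'system.webServer/security/access' 'sslFlags' $appLoc)
$requireCert = $sslFlags -match 'SslRequireCert'
$acceptCert  = $sslFlags -match 'SslNegotiateCert'

# Setting 2: certificate-to-account mapping. The section is site-scoped and only
# exists when the IIS Client Certificate Mapping Authentication feature
# (Windows feature IIS-IISCertificateMappingAuthentication) is installed.
$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
try {
    $mappingOn = ConvertTo-Bool (Get-IisValue $mapFilter 'enabled' $site)
    $oneToOne  = ConvertTo-Bool (Get-IisValue $mapFilter 'oneToOneCertificateMappingsEnabled' $site)
    $manyToOne = ConvertTo-Bool (Get-IisValue $mapFilter 'manyToOneCertificateMappingsEnabled' $site)
} catch {
    $mappingOn = $false; $oneToOne = $false; $manyToOne = $false
    Write-Warning "Certificate mapping section unavailable: $($_.Exception.Message)"
}

# The other authentication methods, which the text says must be disabled for
# the mapping to be what authenticates the user.
$enabledOthers = @()
foreach ($m in 'anonymousAuthentication','basicAuthentication','digestAuthentication','windowsAuthentication') {
    try {
        if (ConvertTo-Bool (Get-IisValue "system.webServer/security/authentication/$m" 'enabled' $appLoc)) { $enabledOthers += $m }
    } catch { }   # module not installed: treat as disabled
}
try {
    if ((Get-IisValue 'system.web/authentication' 'mode' $appLoc) -eq 'Forms') { $enabledOthers += 'Forms' }
} catch { }

"SSL settings        : sslFlags=[$sslFlags] require=$requireCert accept=$acceptCert"
"Certificate mapping : enabled=$mappingOn oneToOne=$oneToOne manyToOne=$manyToOne"
"Other auth enabled  : $(if ($enabledOthers) { $enabledOthers -join ', ' } else { 'none' })"

# Verdict, following the rule the text states.
if ($enabledOthers.Count -gt 0) {
    if ($requireCert) { 'A trusted client certificate is required by SSL Settings; the user is authenticated by: ' + ($enabledOthers -join ', ') }
    else { 'No client certificate is required; the user is authenticated by: ' + ($enabledOthers -join ', ') }
} elseif ($mappingOn -and ($oneToOne -or $manyToOne) -and ($requireCert -or $acceptCert)) {
    'Client certificate mapping authenticates the user.'
} elseif ($mappingOn -and ($oneToOne -or $manyToOne)) {
    'Mapping is enabled but SSL Settings neither accept nor require a client certificate; set Accept or Require.'
} else {
    'No method can authenticate the client: requests fail even with a trusted certificate.'
}
```

Run it once before and once after changing either setting; the last line is the case the text warns about, where every module is disabled and no mapping exists, so a client with a perfectly trusted certificate is still refused.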
Generate client certificate
(Steps are from: http://msdn.microsoft.com/en-us/library/ff650751.aspx)
1. Generate a root certificate for creating the client certificate.
Open a Visual Studio command prompt and browse to the location where you want to save the certificate files. Run the following command to create the root CA:
makecert -n "CN=RootCaClientTest" -r -sv RootCaClientTest.pvk RootCaClientTest.cer
2. Create a Certificate Revocation List File from the Root Certificate with the following command:
makecert -crl -n "CN=RootCaClientTest" -r -sv RootCaClientTest.pvk RootCaClientTest.crl
3. Install Your Client Root Certificate Authority on the Client and Server Machines with the following steps:
In the command console, type MMC and then click OK.
In the Microsoft Management Console, on the File menu, click Add/Remove Snap-in.
In the Add Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates and then click Add.
In the Certificates snap-in dialog box, select the Computer account radio button (because the certificate needs to be made available to all users), and then click Next.
In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
Under Trusted Root Certification Authorities, right-click the Certificates subfolder, click All Tasks, and then click Import.
On the Certificate Import Wizard welcome screen, click Next.
On the File to Import screen, click Browse.
Browse to the location of the signed root CA RootCaClientTest.cer file copied in Step 1, select the file, and then click Open.
On the File to Import screen, click Next.
On the Certificate Store screen, accept the default choice and then click Next.
On the Completing the Certificate Import Wizard screen, click Finish.
4. Install the Certificate Revocation List File (CRL) on the Server and Client Machines; it is checked during the certificate validation process.
In the command line, type MMC, add the Certificates snap-in, and then click Add.
In the Certificates snap-in dialog box, select the Computer account radio button (because the certificate needs to be made available to all users), and then click Next.
In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then click Import.
On the Certificate Import Wizard welcome screen, click Next.
On the File to Import screen, click Browse.
In the Files of type list, select Certificate Revocation List.
Browse to the location of the signed root CA RootCaClientTest.crl file copied in Step 1, select the file, and then click Open.
On the File to Import screen, click Next.
On the Certificate Store screen, accept the default choice and then click Next.
On the Completing the Certificate Import Wizard screen, click Finish.
5. Create and Install Your Temporary Client Certificate
Open a Visual Studio command prompt and browse to the location where the root CA certificate and private key file you created are stored.
Run the following command for creating a certificate signed by the root CA certificate:
makecert -sk MyKeyName -iv RootCaClientTest.pvk -n "CN=tempClientcert" -ic RootCaClientTest.cer -sr currentuser -ss my -sky signature -pe
In this command:
-sk specifies the key container name for the certificate. This needs to be unique for each certificate you create.
-iv specifies the private key file from which the temporary certificate will be created. You need to specify the root certificate private key file name that was created in the previous step and make sure that it is available in the current directory. This will be used for signing the certificate and for key generation.
-n specifies the key subject name for the temporary certificate. The convention is to prefix the subject name with "CN = " for "Common Name".
-ic specifies the file containing the root CA certificate file generated in the previous step.
-sr specifies the store location where the certificate will be installed. The default location is currentuser. For certificate authentication, this is the default location that Microsoft Internet Explorer uses when browsing Web sites that require a client certificate.
-ss specifies the store name for the certificate. My is the personal store location of the certificate.
-sky specifies the key type, which could be either signature or exchange. Using signature makes the certificate capable of signing and enables certificate authentication.
-pe specifies that the private key is generated in the certificate and installed with it in the certificate store. When you double-click the certificate on the General tab, you should see the message “You have a private key that corresponds to this certificate” displayed at the bottom. This is a requirement for certificate authentication. If the certificate does not have the corresponding private key, it cannot be used for certificate authentication.
6. The steps to generate the IIS server certificate for the SSL connection are not included here; refer to
http://jonathanblog2000.blogspot.ca/2013/12/how-to-deploy-aspnet-project-to-iis-by.html.
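As an added example (not from the original page or the MSDN article it cites), the script below performs steps 3 and 4 from the command line instead of the MMC wizard, using Import-Certificate for the root certificate and certutil for the CRL, and then performs the check step 5 describes: that the temporary client certificate carries its private key and chains to RootCaClientTest with the CRL consulted. The file and subject names are the ones the page uses; running from the folder that holds the makecert output, and the use of X509Chain with offline revocation checking, are assumptions of this example.

```powershell
# Added example, not from the original page: command-line equivalent of
# steps 3 and 4 (install RootCaClientTest.cer and RootCaClientTest.crl into
# the Local Computer Trusted Root store), then the step 5 check that the
# client certificate has a private key and chains to the root. Run elevated
# in the folder holding the makecert output; file and subject names are the
# page's, the rest are assumptions.

$rootCer = Join-Path $PWD 'RootCaClientTest.cer'
$rootCrl = Join-Path $PWD 'RootCaClientTest.crl'

# Step 3 equivalent: Import-Certificate (PKI module, Windows 8 / 2012 and later)
# places the root in Cert:\LocalMachine\Root, the Trusted Root Certification
# Authorities folder of the Local Computer store.
$root = Import-Certificate -FilePath $rootCer -CertStoreLocation Cert:\LocalMachine\Root
"Root installed: $($root.Subject)  thumbprint $($root.Thumbprint)"

# Step 4 equivalent: the PKI module has no CRL import cmdlet; certutil adds a
# CRL file to the same store.
& certutil.exe -addstore -f Root $rootCrl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to add the CRL ($LASTEXITCODE)" }

# Step 5 check: makecert put the client certificate in CurrentUser\My; without
# a private key (-pe) it cannot be used for certificate authentication.
$client = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.Subject -eq 'CN=tempClientcert' } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) { throw 'CN=tempClientcert not found in Cert:\CurrentUser\My' }
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key; makecert needs -pe' }

# Build the chain with the CRL just installed consulted from the local store.
# ExcludeRoot (the default) skips revocation checking of the self-signed root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
$ok = $chain.Build($client)

foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    "  {0}  [{1}]" -f $el.Certificate.Subject, $(if ($status) { $status } else { 'ok' })
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($ok -and $top.Thumbprint -eq $root.Thumbprint) {
    "OK: $($client.Subject) chains to $($root.Subject) and is not revoked"
} else {
    $summary = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain validation failed: $summary"
}
$chain.Dispose()
```

If the per-element output shows a revocation status of unknown or offline, the CRL was not found in the store the validator searches; that is the same condition that makes IIS reject the certificate after the MMC import is skipped.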
Configure IIS for client certificate authentication (one-to-one mapping)
(http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings)
1. Getting the Certificate Blob
Export the client certificate file TempClientCert.cer from the MMC Certificates snap-in with Base64 encoding. Right-click your client .cer file and open it in Notepad.
Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Format the certificate blob to be a single line.
Save this file as clientCertBlob.txt
2. Configure IIS for client certificate One to One Mapping
Start IIS Manager,
Select the web site that is being configured (Default Web Site; this cannot be done on a web application) and open the Configuration Editor icon.
Type "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the Section drop down box.
Select the enabled field and change the value to true
Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true
Select the oneToOneMappings property grid entry and click Edit Items... in the Actions Task Pane
Click Add in the Collection Editor task list
Copy the single string certificate blob from above and paste it into the certificate field
Set the userName and password that clients will be authenticated as.
Set the enabled field to true
Close Collection Editor
Click Apply in the Actions Task Pane
3: Enabling Client Certificate Authentication For A Web Site Using SSL
Once a mapping has been created and the feature has been enabled, a site must be configured to use client certificates.
From the IIS Manager UI, select the SSL web application for which you want to use client certificates.
Select the SSL settings module
Under Client certificates: select the Require or Accept radio button
Click Apply in the Actions Task Pane
Disable all authentication methods for the web application.
4: Verifying It All Works (using Firefox)
Export client certificate with private key to a file.
Import the client certificate (with private key) into Firefox by opening Options -> Advanced -> Certificates tab. Select View Certificates and import the certificate on the "Your Certificates" tab. Once it is done, the certificate is shown under the RootCaClientTest node.
Use an HTTPS connection to visit the IIS web application. You will be prompted to select a client certificate.
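The script below is an added example (not code from the original page or the iis.net article) that carries out steps 1 to 3 of the one-to-one procedure from PowerShell instead of Notepad and Configuration Editor, and then performs the step 4 check with Invoke-WebRequest instead of Firefox. It assumes the WebAdministration module, the IIS Client Certificate Mapping Authentication feature installed, an application under Default Web Site that already has an HTTPS binding, and the file and subject names the page uses; the application name MyApp, the account name, and the URL are assumptions.

```powershell
# Added example, not from the original page: one-to-one mapping steps 1-3 via
# PowerShell, then the step 4 verification with Invoke-WebRequest. Assumes the
# WebAdministration module and the mapping feature installed; application name,
# account name and URL are assumptions.
Import-Module WebAdministration

$site      = 'Default Web Site'
$appLoc    = "$site/MyApp"                          # assumption: hypothetical application
$appHost   = 'MACHINE/WEBROOT/APPHOST'              # write to applicationHost.config like Configuration Editor
$sitePath  = "IIS:\Sites\$site"
$certFile  = Join-Path $PWD 'TempClientCert.cer'    # exported in step 1
$mapUser   = 'CERTUSER'                             # assumption: local account the certificate maps to
$mapPass   = Read-Host -Prompt "Password for $mapUser" -AsSecureString
$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Step 1: the blob IIS wants is the certificate's DER bytes as one Base64 line.
# Re-encoding RawData yields exactly that whether the export was Base64 or DER,
# with the BEGIN/END lines and line breaks already gone.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$blob = [Convert]::ToBase64String($cert.RawData)
Set-Content -Path (Join-Path $PWD 'clientCertBlob.txt') -Value $blob -NoNewline

# Step 2: enable the feature at the site level (it cannot be set on an application).
Set-WebConfigurationProperty -PSPath $sitePath -Filter $mapFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter $mapFilter -Name oneToOneCertificateMappingsEnabled -Value $true

# IIS encrypts the password attribute on write; it is only in the clear here briefly.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($mapPass))
# The collection is keyed on the certificate blob; drop a stale entry so the script can be re-run.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter "$mapFilter/oneToOneMappings" -Name '.' `
    -AtElement @{ certificate = $blob } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $sitePath -Filter "$mapFilter/oneToOneMappings" -Name '.' -Value @{
    certificate = $blob; enabled = $true; userName = $mapUser; password = $plain }
$plain = $null

# Step 3: SSL Settings of the application (Require), then disable every other
# authentication method so the mapping is what authenticates the user.
Set-WebConfigurationProperty -PSPath $appHost -Location $appLoc -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
foreach ($m in 'anonymousAuthentication','basicAuthentication','digestAuthentication','windowsAuthentication') {
    Set-WebConfigurationProperty -PSPath $appHost -Location $appLoc `
        -Filter "system.webServer/security/authentication/$m" -Name enabled -Value $false -ErrorAction SilentlyContinue
}

# Step 4: verify from the command line. The certificate with its private key
# lives in CurrentUser\My, where makecert put it.
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=tempClientcert' } | Select-Object -First 1
$url = "https://localhost/MyApp/"                   # assumption: the application's HTTPS URL
try {
    $r = Invoke-WebRequest -Uri $url -Certificate $client -UseBasicParsing
    "With certificate   : HTTP $($r.StatusCode)"
} catch { "With certificate   : $($_.Exception.Message)" }
try {
    Invoke-WebRequest -Uri $url -UseBasicParsing | Out-Null
    "Without certificate: unexpected success"
} catch { "Without certificate: $($_.Exception.Message)  (403.7 Client certificate required is the expected result)" }
```

The server certificate of the HTTPS binding must be trusted by the machine running the check (the page's step 6 link covers creating it); the request made without a certificate should be refused with 403.7 because SSL Settings is set to Require, and the one made with the certificate should succeed only if the mapping entry is enabled and the account's password is correct.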
Configure IIS for client certificate authentication (many-to-one mapping)
(https://blogs.iis.net/webtopics/archive/2010/04/27/configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5.aspx)
If you are in an enterprise environment and each developer already has their own corporate certificate, it is easier to set up many-to-one client certificate mapping for IIS mutual authentication.
Similar to one-to-one mapping, select Configuration Editor under Default Web Site and set enabled to true.
Set manyToOneCertificateMappingsEnabled to True
Select manyToOneMappings and click the ellipsis button at the far right to launch the window for configuring mappings.
In this new window, add a new item. You can modify its properties from within the window.
Click the ellipsis button for rules; this lets you add multiple patterns for matching based on certificate properties. For example, if you set certificateField to "Issuer", certificateSubField to "CN", and matchCriteria to "SSO_CA", client certificates issued by SSO_CA are mapped to the specified user account.
Set the userName and password that clients will be authenticated as.
Apply the change.
Disable all authentication methods under the web application's Authentication settings.
Request the server from a browser and you should be prompted for a client certificate.
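As an added example (not from the original page or the blogs.iis.net article), the script below creates the many-to-one mapping described above from PowerShell rather than Configuration Editor, including the Issuer/CN/SSO_CA rule the text uses as its example, and reads the result back. It assumes the WebAdministration module and the IIS Client Certificate Mapping Authentication feature; the mapping name and the account are assumptions. The SSL Settings change and disabling of the other authentication methods on the application are the same steps as for one-to-one mapping and are not repeated here.

```powershell
# Added example, not from the original page: many-to-one mapping via
# PowerShell. Assumes the WebAdministration module and the mapping feature;
# the issuer CN "SSO_CA" is the page's example, the mapping name and account
# are assumptions.
Import-Module WebAdministration

$sitePath  = 'IIS:\Sites\Default Web Site'
$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$mapName   = 'SSO_CA developers'                   # assumption: key of the mapping entry
$mapUser   = 'CERTUSER'                            # assumption: account every matching certificate maps to
$mapPass   = Read-Host -Prompt "Password for $mapUser" -AsSecureString
$plain     = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($mapPass))

# Site-scoped switches, as in Configuration Editor under Default Web Site.
Set-WebConfigurationProperty -PSPath $sitePath -Filter $mapFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter $mapFilter -Name manyToOneCertificateMappingsEnabled -Value $true

# One mapping entry = one account; entries are keyed on name, so remove a
# previous copy to keep the script re-runnable. IIS encrypts the password on write.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter "$mapFilter/manyToOneMappings" -Name '.' `
    -AtElement @{ name = $mapName } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $sitePath -Filter "$mapFilter/manyToOneMappings" -Name '.' -Value @{
    name = $mapName; enabled = $true; permissionMode = 'Allow'; userName = $mapUser; password = $plain }
$plain = $null

# The rule from the text: certificates whose Issuer CN is SSO_CA map to the account.
# Rules are "matching patterns", so keep the criteria tight to the CA you mean.
$rulesFilter = "$mapFilter/manyToOneMappings/add[@name='$mapName']/rules"
Add-WebConfigurationProperty -PSPath $sitePath -Filter $rulesFilter -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = 'SSO_CA'; compareCaseSensitive = $true }

# Read back what was written (the password attribute is deliberately not printed).
Get-WebConfiguration -PSPath $sitePath -Filter "$mapFilter/manyToOneMappings/add" | ForEach-Object {
    "{0}: enabled={1} permissionMode={2} user={3}" -f $_.name, $_.enabled, $_.permissionMode, $_.userName
}
Get-WebConfiguration -PSPath $sitePath -Filter "$mapFilter/manyToOneMappings/add/rules/add" | ForEach-Object {
    "   rule: {0}.{1} == '{2}' (caseSensitive={3})" -f $_.certificateField, $_.certificateSubField, $_.matchCriteria, $_.compareCaseSensitive
}
```

Because every certificate that satisfies the rule is mapped to the same Windows account, the Issuer rule is what bounds who gets in: a rule on Subject alone would admit any certificate from any trusted CA with that subject, so match on the issuing CA as the text's example does.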