Require Client Certificates in IIS 7.5

Systems administrators often mistakenly correlate client certificates with SSL server certificates.  Here is a great post from David Dietz that helps clear up some of the misconceptions. 

Now that you have a basic understanding of how client certificates work, let’s take a look at how to require client certificates on an IIS 7.5 site.


Your first thought is probably to look at the SSL settings for the site.  That is the first place to start.  Check the box to Require SSL and set the radio button to Require Client Certificates. 

2013-09-04 14:46:29 W3SVC1 10.10.10.10 GET / – 443 – 10.10.10.100 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+WOW64;+Trident/6.0) – - mydomain.com 500 0 64 0 296 0

When you browse to the site you may get a ‘Page cannot be displayed’ error.  If you look at the site log file, you may see an entry similar to the above. 

The following fatal alert was generated: 20. The internal error state is 960.

Additionally, you may see the above entry logged in the System log in Event Viewer.


If you are experiencing that behavior, Negotiate Client Certificate is most likely disabled for the site.  To check this, type ‘netsh http show sslcert’ without the quotes in an elevated command prompt.  If you scroll through the list you should find the entry that matches your site.  Note that Negotiate Client Certificate is shown as Disabled.

Export the output to a text file by typing ‘netsh http show sslcert > sslcert.txt’ once again without the quotes.  You can then type notepad sslcert.txt to open that file.

netsh http delete sslcert ipport=10.10.10.10:443

You will first want to delete the SSL certificate from the bindings using the above command.

netsh http add sslcert ipport=10.10.10.10:443 certhash=[YOUR CERT HASH] appid={[YOUR APPID]} certstorename=MY verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable

Then recreate the SSL certificate binding with client certificate negotiation enabled using the above command.  Use the certificate hash and appid values for your site from the sslcert.txt file you exported earlier.

Your IIS 7.5 site is now configured to receive client certificates.
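As an added example (not from the original post), the following PowerShell script automates the check and fix described above: it parses the ‘netsh http show sslcert’ output for one binding and, only if Negotiate Client Certificate is Disabled, deletes and recreates the binding with the same hash and appid plus clientcertnegotiation=Enable. The IP:port value, the field labels it matches, and the fallback to the MY store are assumptions about the netsh output format on Windows Server 2008 R2 / IIS 7.5; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Assumes the netsh field labels
# printed by Windows Server 2008 R2 / IIS 7.5 ("Certificate Hash", etc.).
param(
    [string]$IpPort = "10.10.10.10:443"   # binding used in the post; replace with yours
)

# Same output the post saves to sslcert.txt, captured as one string.
$raw = (netsh http show sslcert) -join "`n"

# One block per binding; each block begins with the "IP:port" line.
$blocks = $raw -split "(?m)^\s*IP:port\s*:" | Where-Object { $_.Trim() }
$block  = $blocks | Where-Object { $_ -match "^\s*$([regex]::Escape($IpPort))\s*$" } |
          Select-Object -First 1
if (-not $block) { throw "No SSL binding found for $IpPort" }

# Read one "Label : value" field from a binding block.
function Get-Field([string]$Text, [string]$Label) {
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}
$hash      = Get-Field $block "Certificate Hash"
$appId     = Get-Field $block "Application ID"
$store     = Get-Field $block "Certificate Store Name"
$negotiate = Get-Field $block "Negotiate Client Certificate"
if (-not $store -or $store -eq "(null)") { $store = "MY" }   # assumption: IIS bindings live in MY

"Binding $IpPort : hash=$hash appid=$appId store=$store negotiate=$negotiate"

if ($negotiate -eq "Enabled") {
    "Client certificate negotiation is already enabled; nothing to do."
    return
}

# Recreate the binding exactly as the post does, now with negotiation enabled.
netsh http delete sslcert ipport=$IpPort
netsh http add sslcert ipport=$IpPort certhash=$hash "appid=$appId" certstorename=$store `
    verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable `
    UsageCheck=Enable clientcertnegotiation=Enable

# Confirm the change took effect before trusting the site to prompt for certificates.
$after = (netsh http show sslcert ipport=$IpPort) -join "`n"
if ($after -match "Negotiate Client Certificate\s*:\s*Enabled") { "Negotiation enabled for $IpPort" }
else { throw "Binding recreated but negotiation is still not enabled; inspect the netsh output." }
```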
