Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


patterns & practices Developer Center

How To: Set Up Client Certificates

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Applies to:

  • ASP.NET 1.1 and 2.0
  • Microsoft® Windows 2000 Server™ and Windows Server 2003
  • Internet Information Services (IIS) 5.0, 5.1, and 6.0

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.

Summary: IIS supports client certificate authentication. This How To shows you how to configure a Web application to require client certificates. It also shows you how to install a certificate on a client computer and use it when calling the Web application. (5 printed pages)

Contents

Summary of Steps
Step 1. Create a Simple Web Application
Step 2. Configure the Web Application to Require Client Certificates
Step 3. Request and Install a Client Certificate
Step 4. Verify Client Certificate Operation
Additional Resources

Web services often need to be able to authenticate their callers (other applications) in order to perform authorization. Client certificates provide an excellent authentication mechanism for Web services. When you use client certificates, your application also benefits from the creation of a secure channel (using Secure Sockets Layer [SSL]) between the client application and Web service. This allows you to securely send confidential information to and from the Web service. SSL ensures message integrity and confidentiality.

This How To includes step-by-step instructions to call a Web service that is configured to require client certificates.

Note: Ensure that Microsoft Certificate Services (required if you need to generate your own certificates) are installed on the certification authority (CA) machine.

Summary of Steps

This How To includes the following steps:

  • Step 1. Create a Simple Web Application
  • Step 2. Configure the Web Application to Require Client Certificates
  • Step 3. Request and Install a Client Certificate
  • Step 4. Verify Client Certificate Operation

Step 1. Create a Simple Web Application

To create a simple Web application

  1. Start Visual Studio .NET and create a new C# ASP.NET Web application called SecureApp.

  2. Drag a label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to message.

  3. Drag a second label onto WebForm1.aspx and set its ID property to certData.

  4. Add the following code to the Page_Load event procedure.

    // User.Identity.Name is empty until IIS has authenticated the caller.
    string username = User.Identity.Name;
    message.Text = "Welcome " + username;
    // IIS forwards the caller's certificate (if one was presented) in Request.ClientCertificate.
    HttpClientCertificate cert = Request.ClientCertificate;
    if (cert.IsPresent)
    {
      certData.Text = "Client certificate retrieved";
    }
    else
    {
      certData.Text = "No client certificate";
    }
    
  5. On the Build menu, click Build Solution.

  6. Start Internet Explorer and navigate to https://localhost/SecureApp/WebForm1.aspx.

    The page should be displayed with the messages "Welcome" (no user name is displayed because the user has not been authenticated) and "No client certificate."

  7. Close Internet Explorer.
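The Step 1 page only reports whether a certificate was present. The following is an added example, not code from the How To, showing the same page extended so that the application validates the certificate itself (chain, validity period, revocation) and pins the issuing CA from Step 3; it needs .NET 2.0 for X509Certificate2, and the CA thumbprint is a placeholder you must replace.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
// Added example, not from the How To: the Step 1 page extended so the application
// validates the client certificate itself rather than trusting only cert.IsPresent.
// Needs .NET 2.0 for X509Certificate2 and X509Chain.
public class WebForm1 : Page
{
    protected Label message;   // same label IDs as Step 1
    protected Label certData;
    // Placeholder: SHA-1 thumbprint of the Step 3 CA certificate. IIS accepts a client
    // certificate chaining to any root trusted by the server; the application pins its own CA.
    private const string TrustedRootThumbprint = "REPLACE_WITH_CA_THUMBPRINT";
    protected void Page_Load(object sender, EventArgs e)
    {
        message.Text = "Welcome " + HttpUtility.HtmlEncode(User.Identity.Name);
        HttpClientCertificate cert = Request.ClientCertificate;
        if (!cert.IsPresent)
        {
            certData.Text = "No client certificate";
            return;
        }
        // Wrap the DER bytes forwarded by IIS so the full X.509 API is available.
        X509Certificate2 x509 = new X509Certificate2(cert.Certificate);
        // Build() checks the chain, the validity period and, as configured here, revocation.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(x509))
        {
            certData.Text = "Client certificate rejected: " + chain.ChainStatus[0].Status;
            return;
        }
        // The last element of a built chain is the root; it must be our CA.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            certData.Text = "Client certificate rejected: issuer not trusted by this application";
            return;
        }
        // Authorize on the stable thumbprint, not on the display name, which another CA could reproduce.
        certData.Text = "Client certificate retrieved for " + HttpUtility.HtmlEncode(x509.Subject)
            + " (thumbprint " + x509.Thumbprint + ")";
    }
}
```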

Step 2. Configure the Web Application to Require Client Certificates

This procedure uses Internet Information Services (IIS) to configure your Web application's virtual directory to require certificates.

This procedure assumes that you have a valid certificate installed on your Web server. For more information about installing Web server certificates, see How To: Set Up SSL on a Web Server.

To configure your Web application's virtual directory to require certificates

  1. On the Web service host computer, start IIS.

  2. Navigate to the SecureApp virtual directory.

  3. Right-click SecureApp, and then click Properties.

  4. Click the Directory Security tab.

  5. Under Secure communications, click Edit.

    If Edit is unavailable, it is likely that a Web server certificate is not installed.

  6. Select the Require secure channel (SSL) check box.

  7. Select the Require client certificates option.

  8. Click OK, and then click OK again.

  9. In the Inheritance Overrides dialog box, click Select All, and then click OK to close the SecureApp properties dialog box.

    This applies the new security settings to all subdirectories in the virtual directory root.

  10. To confirm that the Web site is configured correctly, start Internet Explorer and browse (using HTTPS) to https://localhost/secureapp/webform1.aspx.

  11. A Client Authentication dialog box is displayed by Internet Explorer asking you to select a client certificate. Because you have not yet installed a client certificate, click OK, and confirm that an error page is displayed informing you that the page requires a client certificate.

  12. Close Internet Explorer.

Step 3. Request and Install a Client Certificate

This procedure installs a client-side certificate. You can use a certificate from any certificate authority, or you can generate your own certificate using Microsoft Certificate Services as described in the following sections.

This procedure assumes that Microsoft Certificate Services is configured for pending requests, which require an administrator to explicitly issue the certificate. It can also be configured to automatically issue certificates in response to certificate requests.

To check the certificate request status setting

  1. On the Microsoft Certificate Services computer, select Certification Authority from the Administrative Tools programs group.

  2. Expand Certification Authority (Local), right-click the certification authority, and then click Properties.

  3. Click the Policy Module tab, and then click Configure.

  4. Check the default action.

    The following procedure assumes that the option "Set the certificate request status to pending. Administrator must explicitly issue the certificate" is selected.

To request a client-side certificate

  1. Start Internet Explorer and navigate to http://hostname/certsrv, where hostname is the name of the computer on which Microsoft Certificate Services is installed.
  2. Click Request a certificate, and then click Next.
  3. On the Choose Request Type page, click User Certificate, and then click Next.
  4. Click Submit to complete the request.
  5. Close Internet Explorer.

To issue the client-side certificate

  1. From the Administrative Tools program group, start the Certification Authority tool.
  2. Expand your certificate authority, and then select the Pending Requests folder.
  3. Select the certificate request you just submitted, point to All Tasks on the Action menu, and then click Issue.
  4. Confirm that the certificate is displayed in the Issued Certificates folder, and then double-click it to view it.
  5. On the Details tab, click Copy to File to save the certificate as a Base-64 encoded X.509 certificate.
  6. Close the properties window for the certificate.
  7. Close the Certification Authority tool.

To install the client-side certificate

  1. To view the certificate, start Windows Explorer, navigate to the .cer file saved in the previous procedure, and then double-click it.
  2. Click Install Certificate, and then click Next on the first page of the Certificate Import Wizard.
  3. Select Automatically select the certificate store based on the type of certificate, and then click Next.
  4. Click Finish to complete the wizard. Dismiss the confirmation message box, and then click OK to close the certificate.

Step 4. Verify Client Certificate Operation

This procedure verifies that you can access the SecureApp application using a client certificate.

To verify client certificate operation

  1. Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx.
  2. Confirm that the Web page displays successfully.
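Internet Explorer selects the certificate for you; a Web service client has to do it in code. The following is an added example, not part of the How To, of a .NET 2.0 console client that loads the certificate installed in Step 3 from the current user's Personal store and presents it when calling the Step 1 page; the subject name is a placeholder for the certificate you requested.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
// Added example, not from the How To: a programmatic caller that presents the
// Step 3 certificate instead of relying on Internet Explorer's prompt.
class ClientCertCaller
{
    const string Url = "https://localhost/SecureApp/WebForm1.aspx";
    const string SubjectName = "REPLACE_WITH_SUBJECT_CN";   // placeholder, not from the page
    static X509Certificate2 LoadClientCertificate(string subject)
    {
        // The Step 3 wizard places a user certificate in CurrentUser\Personal (My).
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly=true skips expired or untrusted certificates.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subject, true);
            if (found.Count == 0)
                throw new InvalidOperationException("No valid certificate for " + subject);
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; it cannot authenticate");
            return found[0];
        }
        finally { store.Close(); }
    }
    static void Main()
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(Url);
        request.ClientCertificates.Add(LoadClientCertificate(SubjectName));
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                string body = reader.ReadToEnd();
                // The Step 1 page writes this text only when IIS forwarded the certificate.
                Console.WriteLine(body.Contains("Client certificate retrieved")
                    ? "Client certificate accepted" : "Server did not see a client certificate");
            }
        }
        catch (WebException ex)
        {
            // IIS answers 403.7 when the certificate is missing and 403.16 when its issuer is untrusted.
            Console.WriteLine("Request failed: " + ex.Message);
        }
    }
}
```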

Additional Resources

For more information, see How to Set Up SSL on a Web Server in the Reference section of this guide.

© Microsoft Corporation. All rights reserved.