How do I create client certificates for local testing of two-way authentication over SSL?

Question

I\'m trying to set-up two-way authentication on a web app running on IIS7. The clients are going to mostly be mobile devices and in the first instance I\'m trying to get a demo

Answer 1

Maybe this didn't exist when you asked this question but microsoft now has a GUIDE for doing exactly this. Easy to follow and worked perfectly for me!

Answer 2

Enable client certificates on local IIS Express:

Change \YourSlnFolder\.vs\config\applicationhost.config -> <section name="access" overrideModeDefault="Deny" /> to <section name="access" overrideModeDefault="Allow" />

<sectionGroup name="system.webServer">
...
  <sectionGroup name="security">
  ...
    <section name="access" overrideModeDefault="Allow" />

Then edit your Web.config like this:

<configuration>
    <system.webServer>
        <security>
            <access sslFlags="SslRequireCert" />
        </security>
    </system.webServer>
</configuration>

Enable client certificates on IIS:

Go to web site in IIS Manager and click on SSL Settings. Then set the application as Require SSL and Require client certificates.

Creating new certificates:

Start VS developer command prompt

Root certificate:

makecert.exe -r -n "CN=TestRootCertificate" -pe -sv TestRootCertificate.pvk -a sha1 -len 2048 -b 01/01/2017 -e 01/01/2030 -cy authority TestRootCertificate.cer

Type your password.

Create a Certificate Revocation List (CRL)

makecert -crl -n "CN=TestRootCertificate" -r -sv TestRootCertificate.pvk TestRootCertificate.crl

Bundle to .pfx (pvk2pfx.exe requires "Desktop development with C++" installed for VS2017)

pvk2pfx.exe -pvk TestRootCertificate.pvk -pi {password} -spc TestRootCertificate.cer -pfx TestRootCertificate.pfx

Client certificate from root certificate:

makecert.exe -ic TestRootCertificate.cer -iv TestRootCertificate.pvk -pe -sv localtestclientcert.pvk -a sha1 -n "CN=localtestclientcert" -len 2048 -b 01/01/2015 -e 01/01/2030 -sky exchange localtestclientcert.cer -eku 1.3.6.1.5.5.7.3.2

Type your password.

pvk2pfx.exe -pvk localtestclientcert.pvk -pi {password} -spc localtestclientcert.cer -pfx localtestclientcert.pfx

Import the certificates.

Start mmc.exe.

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

Certificates (Local Computer) -> Personal -> Certificates -> Right click -> All tasks -> Import -> localtestclientcert.pfx

Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates -> Right click -> All tasks -> Import -> RootCertificate.cer

Used for authentication in a browser:

File -> Add or Remove Snap-ins -> Certificates -> Add -> My user account

Certificates - Current User -> Personal -> Certificates -> Right click -> All tasks -> Import -> localtestclientcert.pfx

Accessing your site now requires a client certificate that the server trusts:

If you have followed this guide and get an error like:

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

Or

HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

You might need to RESTART your computer. Note that it will not be enough to close iisexpress process or Visual Studio. The 500.19 can be solved without a restart but certificates are tricky, therefore the recommended approach is restarting your computer.

If you get the error The request was aborted: Could not create SSL/TLS secure channel it could be due to that the Application Pool does not have access to the specific certificate.

Certificates (Local Computer) -> Personal -> Certificates -> localtestclientcert -> Right click -> All tasks -> Manage private key -> Add IIS APPPOOL\YourWebSite and grant it Full control.