26

I'm trying to set up two-way authentication on a web app running on IIS7. The clients are going to mostly be mobile devices and in the first instance I'm trying to get a demo running using a 3rd generation iPad. I thought I'd start with getting it running on my workstation (which is also running IIS) first and then copy the working certificate over to the iPad.

However I've hit a wall.

I've got as far as having the site running securely over https and have installed a self-signed server certificate, however I can't seem to figure out how to generate a client certificate which I can install on the iPad. As I'm working on a local workstation running Windows 7 I can't use the usual http://machinename/CertSvr to do this.

So I'm wondering if there is a way of getting makecert to generate test client certificates or whether I can change the usage flag in the server certificate to make it suitable for use on the client. Or perhaps there is some tool which the last day of Googling has not yet discovered?

Update:

I found this guide and followed it to the letter. It all seemed to work, no errors, and I ended up with two pfx files, one for the server and one for the client (I generated these using pvk2pfx and kept the original .pvk and .cer files just in case).

I installed the server certificate under Certificates (Local Computer) > Trusted Root Certification Authority and installed the client certificate under Certificates (Current User) > Personal. I have also imported the server certificate (the CA one) into IIS. It all works fine when IIS is configured to accept or ignore client certificates. However once it is set to 'Require' I'm getting a 403.7 when requesting the site. I've also tried importing the client certificate to the certificates store in IE/Chrome but again no dice.

Is there something obvious I'm doing wrong?

immutabl
  • 6,857
  • 13
  • 45
  • 76
  • No one responded but I eventually found [this article](http://www.yangsoft.com/blog/?p=105) and can confirm that it all works perfectly. Hope this helps someone. – immutabl Jun 25 '12 at 08:16
  • I just entered some password for the command - C:\Windows\system32>makecert -r -pe -ss my -sr LocalMachine -n “CN=YangsoftCA” -sv “YangsoftCA.pvk” YangsoftCA.cer – Steam Mar 11 '14 at 00:08
  • CAUTION - Do not copy paste that code directly. It has illegal/ms word double quotes which will make the command fail. You must type them with your keyboard. If you don't, you get the error - makecert fails - Error: CryptCertStrToNameW failed. However, there are many other causes of this error. – Steam Mar 11 '14 at 00:24
  • C:\Windows\system32>makecert -r -pe -ss my -sr LocalMachine -n "CN=YangsoftCA" -sv "YangsoftCA.pvk" YangsoftCA.cer – immutabl May 01 '14 at 11:27
  • After Windows 8, makecert is included in "Windows Software Development Kit (SDK)" and "Windows Driver Kit (WDK)". So you need to install one of those first and then open the "Developer Command Prompt for VS2015" to use makecert. Link: https://developer.microsoft.com/en-us/windows/downloads/windows-8-1-sdk – Mert Can Ilis Oct 03 '16 at 11:45

2 Answers

5

Enable client certificates on local IIS Express:

Change \YourSlnFolder\.vs\config\applicationhost.config -> <section name="access" overrideModeDefault="Deny" /> to <section name="access" overrideModeDefault="Allow" />

<sectionGroup name="system.webServer">
  ...
  <sectionGroup name="security">
    ...
    <section name="access" overrideModeDefault="Allow" />
    ...
  </sectionGroup>
  ...
</sectionGroup>

Then edit your Web.config like this:

<configuration>
    <system.webServer>
        <security>
            <access sslFlags="SslRequireCert" />
        </security>
    </system.webServer>
</configuration>

Enable client certificates on IIS:

Go to web site in IIS Manager and click on SSL Settings. Then set the application as Require SSL and Require client certificates.


Creating new certificates:

Start VS developer command prompt

Root certificate:

makecert.exe -r -n "CN=TestRootCertificate" -pe -sv TestRootCertificate.pvk -a sha1 -len 2048 -b 01/01/2017 -e 01/01/2030 -cy authority TestRootCertificate.cer

Type your password.

Create a Certificate Revocation List (CRL)

makecert -crl -n "CN=TestRootCertificate" -r -sv TestRootCertificate.pvk TestRootCertificate.crl

Bundle to .pfx (pvk2pfx.exe requires "Desktop development with C++" installed for VS2017)

pvk2pfx.exe -pvk TestRootCertificate.pvk -pi {password} -spc TestRootCertificate.cer -pfx TestRootCertificate.pfx

Client certificate from root certificate:

makecert.exe -ic TestRootCertificate.cer -iv TestRootCertificate.pvk -pe -sv localtestclientcert.pvk -a sha1 -n "CN=localtestclientcert" -len 2048 -b 01/01/2015 -e 01/01/2030 -sky exchange localtestclientcert.cer -eku 1.3.6.1.5.5.7.3.2

Type your password.

pvk2pfx.exe -pvk localtestclientcert.pvk -pi {password} -spc localtestclientcert.cer -pfx localtestclientcert.pfx

Import the certificates.

Start mmc.exe.

File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer

Certificates (Local Computer) -> Personal -> Certificates -> Right click -> All tasks -> Import -> localtestclientcert.pfx

Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates -> Right click -> All tasks -> Import -> TestRootCertificate.cer

Used for authentication in a browser:

File -> Add or Remove Snap-ins -> Certificates -> Add -> My user account

Certificates - Current User -> Personal -> Certificates -> Right click -> All tasks -> Import -> localtestclientcert.pfx

Accessing your site now requires a client certificate that the server trusts:

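The same test PKI as the makecert/pvk2pfx/mmc steps above, as an added example that is not part of the answer: it uses the PKI cmdlets that ship with Windows 8.1 / Server 2012 R2 and later, so no SDK or VS developer prompt is needed, and it signs with sha256 as the comment below suggests. The output folder, the PFX password prompt and the subject names are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the question or answers. Builds a test root CA,
# issues a client certificate from it with the clientAuth EKU, exports the files
# the answer above produces, and imports them into the same stores.
$ErrorActionPreference = 'Stop'
$outDir  = 'C:\TestPki'                               # assumed output folder
$pfxPass = Read-Host -AsSecureString 'PFX password'   # assumed: prompted at run time
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# 1. Root CA. Basic constraints CA=true, key usage CertSign, sha256 instead of the
#    sha1 in the makecert command (avoids the "ca md too weak" error noted below).
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=TestRootCertificate' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @('2.5.29.19={critical}{text}ca=true') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Client certificate signed by the root. The 2.5.29.37 extension is the EKU,
#    and 1.3.6.1.5.5.7.3.2 is Client Authentication, the same OID passed to
#    makecert's -eku above. Without it IIS will not accept the certificate.
$client = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=localtestclientcert' `
    -Signer $root `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -KeyLength 2048 `
    -HashAlgorithm sha256 `
    -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export: the root's public part (.cer) for the Trusted Root store, the
#    root with key (.pfx) so more client certs can be issued later, and the
#    client certificate with its private key (.pfx) for the client device.
Export-Certificate    -Cert $root   -FilePath "$outDir\TestRootCertificate.cer" | Out-Null
Export-PfxCertificate -Cert $root   -FilePath "$outDir\TestRootCertificate.pfx" -Password $pfxPass | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$outDir\localtestclientcert.pfx" -Password $pfxPass | Out-Null

# 4. Trust the root machine-wide (IIS validates client certificates against
#    LocalMachine\Root) and put the client cert into the current user's
#    Personal store so the browser can offer it.
Import-Certificate    -FilePath "$outDir\TestRootCertificate.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-PfxCertificate -FilePath "$outDir\localtestclientcert.pfx" -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPass | Out-Null

# 5. The root's private key now lives only in TestRootCertificate.pfx; remove the
#    cert and key from the machine Personal store so the test CA key is not left
#    usable by any process on the box. The client cert stays in LocalMachine\My,
#    matching the answer's import step.
Remove-Item -Path "Cert:\LocalMachine\My\$($root.Thumbprint)" -DeleteKey

"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

On a device such as the iPad from the question, the two files to hand over are `TestRootCertificate.cer` (so the device trusts the server's chain) and `localtestclientcert.pfx` with its password; the root .pfx should stay on the issuing machine.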

If you have followed this guide and get an error like:

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

Or

HTTP Error 403.7 - Forbidden
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

You might need to RESTART your computer. Note that it will not be enough to close the iisexpress process or Visual Studio. The 500.19 can be solved without a restart, but certificates are tricky, therefore the recommended approach is restarting your computer.
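Before restarting, it is worth checking whether the 403.7 is really a trust problem. The following is an added diagnostic, not part of the answer: it builds the certificate chain the way the server does (machine store, Client Authentication application policy) and reports which step fails. The subject name is an assumption taken from the commands above.

```powershell
# Added example, not code from the answer. Checks the usual causes of 403.7:
# the client certificate is missing or has no private key, it does not chain to
# a root, the chain is not valid for client authentication, or the root is only
# trusted by the current user rather than by the machine (which is what IIS uses).
$subject = 'CN=localtestclientcert'   # assumed: subject used when issuing the cert

# The certificate the browser would offer comes from CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $subject } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key; the browser cannot use it for client auth.'
}

# Build the chain in the machine context with the clientAuth application policy,
# which is the validation IIS performs. Revocation checking is disabled because a
# makecert test CA normally publishes no reachable CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2') | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($cert)

if ($ok) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    Write-Warning 'Chain build failed; each status below is a likely cause of the 403.7:'
    foreach ($s in $chain.ChainStatus) { '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
}

# Trust is per store. A root imported only into CurrentUser\Root satisfies the
# browser but not IIS, which reads LocalMachine\Root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
                 Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if (-not $inMachineRoot) {
    Write-Warning "Top of chain '$($top.Subject)' is not in Cert:\LocalMachine\Root; IIS will reject the certificate."
}
```

If the chain builds, the top of it is in the machine Trusted Root store and the private key is present, the remaining suspects are the cached SSL configuration (the restart advice above) or the 'Require' setting not actually applying to the site, for example because the `access` section override is still `Deny`.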

If you get the error The request was aborted: Could not create SSL/TLS secure channel, it could be because the Application Pool does not have access to the specific certificate.

Certificates (Local Computer) -> Personal -> Certificates -> localtestclientcert -> Right click -> All tasks -> Manage private key -> Add IIS APPPOOL\YourWebSite and grant it Full control.

Ogglas
  • 62,132
  • 37
  • 328
  • 418
  • You might want to change to `-a sha256` to avoid experiencing a "ca md too weak" error if testing with a recent OpenSSL-based web server. – Fredrik Orderud Aug 05 '22 at 18:57
4

Maybe this didn't exist when you asked this question, but Microsoft now has a GUIDE for doing exactly this. Easy to follow and worked perfectly for me!

NSjonas
  • 10,693
  • 9
  • 66
  • 92