Re: using Multiple client certificates
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Fri, 14 Oct 2005 03:00:17 GMT
Hi Jason,

Thanks for the response.

When there are multiple client certificates added to HttpWebRequest, the webrequest component will send only one of them to the IIS server. So IIS won't know how many certificates we provided in the clientside HttpWebRequest component, since the IIS server only receives one client certificate. In addition, as for how the HttpWebRequest chooses the client certificate, it is undocumented currently, so we cannot rely on this behavior. I think the normal behavior should be choosing the first one in the collection. Anyway, I don't think the HttpWebRequest will loop through all the certificates and try all of them until it finds the one that matches the requirement. So when using an HttpWebRequest which needs to send a client certificate, we should always attach the qualified certificate the first time.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)

--------------------
From: <jason.chen@xxxxxxxxxxxxxxxxx>
Subject: Re: using Multiple client certificates
Date: Thu, 13 Oct 2005 15:06:28 -0400
Newsgroups: microsoft.public.dotnet.framework.webservices

Hi Steven,
thanks, so when there are multiple client certificates added to
HttpWebRequest, how do IIS and the client figure out which one to pick?
will IIS randomly pick one? is there any way I can control which one will be
picked?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:mg2r2l8zFHA.3908@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jason,
>
> As for the HttpWebRequest, though it has provided a Certificate Collection
> property for multiple X509 certificates, when the component actually sends
> the request and establishes the SSL connection with the serverside, only one
> of them will be used and sent to the serverside. So the server application
> (IIS or ASP.NET) will only see a single client certificate. And by default
> IIS doesn't have any particular checking on the client certificate, but we
> can add a restriction on the clientside certificate (use IIS's trusted
> certificate list), thus if the clientside certificate (its CA) doesn't meet
> the requirement, establishing the secure connection will fail.
>
> So generally, only one client certificate is enough as long as it's a
> qualified one for the serverside. Also, when we visit an SSL protected
> page (which requires a client certificate) in the IE browser, the browser
> will pop up the dialog to let the client user choose a certain client
> certificate for sending to the server.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> From: <jason.chen@xxxxxxxxxxxxxxxxx>
> Subject: using Multiple client certificates
> Date: Wed, 12 Oct 2005 19:10:27 -0400
> Newsgroups: microsoft.public.dotnet.framework.webservices
>
> Hi all,
> HttpWebRequest and SoapHttpClientProtocol both expose a
> ClientCertificates property, which can hold multiple client certificates,
> but on the service side, it can only receive one client certificate, since
> it derives from the System.Web.Services.WebService class, and its
> Context.Request.ClientCertificate is a single HttpClientCertificate object.
> is there a way to receive all the client certificates that are sent in the
> request? or does IIS automatically decide which client certificate to use
> during the SSL handshake? if so, is there a way to control which client
> certificate to use during the SSL handshake?
>
> thanks,
> -Jason
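
The advice in the reply above, to attach the one qualifying certificate instead of relying on how HttpWebRequest picks from a collection, as an added example that is not part of the original posts or Microsoft's code. The class and method names, the issuer distinguished name and the URL passed in are hypothetical; the caller supplies the issuer the server's trust list accepts.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SingleClientCert
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Returns the single certificate to present; fails if none or several qualify,
    // so the choice never depends on collection order.
    public static X509Certificate2 SelectExactlyOne(string issuerDn)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2 chosen = null;
            // Third argument (validOnly) = true: skip expired or untrusted certificates.
            foreach (X509Certificate2 c in store.Certificates.Find(
                         X509FindType.FindByIssuerDistinguishedName, issuerDn, true))
            {
                if (!c.HasPrivateKey || !AllowsClientAuth(c)) continue;
                if (chosen != null)
                    throw new InvalidOperationException("Several certificates qualify; narrow the filter.");
                chosen = c;
            }
            if (chosen == null)
                throw new InvalidOperationException("No qualifying client certificate found.");
            return chosen;
        }
        finally { store.Close(); }
    }

    static bool AllowsClientAuth(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == ClientAuthOid) return true;
            return false; // EKU present but client authentication not listed
        }
        return true; // no EKU extension: usage is not restricted
    }

    // url and issuerDn are caller-supplied (hypothetical values in any sample call).
    public static HttpWebRequest BuildRequest(string url, string issuerDn)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.ClientCertificates.Add(SelectExactlyOne(issuerDn)); // exactly one entry
        return req;
    }
}
```

Failing when more than one certificate matches surfaces an ambiguous store at request-build time, before any handshake is attempted.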