IIS Client Certificate Mapping Configuration
This document describes the steps required to configure IIS to use client certificate mapping. This allows a client to authenticate itself by presenting a specific required certificate.
Installation Steps
Install the Public Certificate in the Trusted Root Certification Authorities Store
- Run mmc.exe -> File -> Add/Remove Snap-in... -> Certificates -> Add. Choose Computer account -> Next -> Finish -> OK. The Computer account store is the one IIS uses to build the trust chain, so do not import into the user store.
- Navigate to Trusted Root Certification Authorities -> Certificates folder.
- Choose menu option Action -> All Tasks -> Import.
- Click Next -> select the public certificate file -> Next -> Next -> Finish. This is the certificate of the CA that issued the client certificate (or the client certificate itself if it is self-signed); IIS rejects a client certificate whose chain does not end in this store with HTTP 403.16.
- Close MMC.
Configure One-to-One Client Certificate Mappings
Install the IIS Client Certificate Mapping Authentication role service through Server Manager -> Roles -> Web Server (IIS) -> Add Role Services; it is listed under Web Server\Web Server\Security. Do not confuse it with the similarly named Client Certificate Mapping Authentication, which maps certificates through Active Directory rather than through the site configuration described here.
You can find information on how to do this at http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings.
Get the Certificate Blob
The oneToOneMappings collection item has an attribute called certificate. The required value for this attribute is the actual certificate blob. Here's how to extract it.
- Right-click on your .cer file.
- Select Open With... in the context menu.
- Select Notepad from the list of other programs and click OK. [Note: Notepad may be hidden beneath a dropdown in the Vista/Windows 2008 list view.]
- Remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Join the remaining lines into a single line with no spaces or line breaks, so the blob is one unbroken base64 string.
- Save this file as clientCertBlob.txt.
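The Notepad procedure above works only for a base64 (PEM) .cer file. The following PowerShell script is an added example, not part of the original LogicNets documentation: it produces the same single-line blob from either a base64 or a binary (DER) .cer file, prints the subject, thumbprint and validity so you can confirm it is the intended certificate before it goes into applicationHost.config, and, for a PEM input, checks that the manual strip-and-join result matches. The paths C:\certs\client.cer and C:\certs\clientCertBlob.txt are assumptions.

```powershell
# Added example (not from the original page). Assumed paths; adjust as needed.
$CerPath  = 'C:\certs\client.cer'
$BlobPath = 'C:\certs\clientCertBlob.txt'

# X509Certificate2 loads both DER and base64 .cer files. RawData is the DER
# encoding, which is exactly what the base64 body of a PEM file encodes, so
# Base64-encoding it yields the blob the oneToOneMappings 'certificate'
# attribute expects, with no manual header stripping.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$blob = [Convert]::ToBase64String($cert.RawData)

# Sanity checks: right certificate, and still valid.
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid     : $($cert.NotBefore) to $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has expired; a mapping on it will never match.'
}

# For a PEM input, reproduce the Notepad steps (drop the BEGIN/END lines,
# join the rest) and confirm they give the same blob. A mismatch means the
# file contains stray characters or more than one certificate.
$raw = Get-Content -Path $CerPath -Raw
if ($raw -match '-----BEGIN CERTIFICATE-----') {
    $manual = ($raw -split "`r?`n" |
               ForEach-Object { $_.Trim() } |
               Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
    if ($manual -ne $blob) {
        Write-Warning 'Manual strip-and-join differs from the parsed certificate; check the file.'
    }
}

# Write the blob as one line, no BOM, no trailing newline, so it can be
# pasted into the Configuration Editor unchanged.
[System.IO.File]::WriteAllText($BlobPath, $blob, (New-Object System.Text.UTF8Encoding $false))
Write-Host "Blob ($($blob.Length) chars) written to $BlobPath"
```

Keep the thumbprint printed here; it is the easiest way to recognise the mapped certificate later in the client's certificate store.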
This is an example of what should display in Notepad in Step 3 (a sample certificate for illustration only, not one to use in a mapping):
-----BEGIN CERTIFICATE-----
MIIEfjCCA2agAwIBAgIKFW1IXAAAAAAAAjANBgkqhkiG9w0BAQUFADAbMRkwFwYD
VQQDExBJSVNSZW1vdGVNZ3JUZXN0MB4XDTA4MDIxMTIxNTk1NloXDTA5MDIxMTIy
MDk1NlowaDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
BAcTB1JlZG1vbmQxDTALBgNVBAoTBE1TRlQxDDAKBgNVBAsTA0lJUzEVMBMGA1UE
AxMMUkxVQ0VSTzItSUlTMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3611j
34q2qQgHa7ao11TcQMDYlJMrqET05MWFY1/Vso+leujLoIGTfdHOuz4IBVoeUE+y
mlL8r53s2BQeVFROnDtg4Jko1zJsz7AUAnQNBk/GYA1AHYmhY79Z0p1KXW/wSTJB
tdUn732GQOqYf4wY8jOD2zUJDUG4HXm6ib8ajwIDAQABo4IB+TCCAfUwDgYDVR0P
AQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMHgGCSqGSIb3DQEJDwRrMGkw
DgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJ
YIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYI
KoZIhvcNAwcwHQYDVR0OBBYEFHbHA+HwZcIrslklj1W3O23UFrBgMB8GA1UdIwQY
MBaAFMxzlGbmkp2+phhDg7TPfi83d7UVMHMGA1UdHwRsMGowaKBmoGSGL2h0dHA6
Ly9paXNzYjMwNS9DZXJ0RW5yb2xsL0lJU1JlbW90ZU1nclRlc3QuY3JshjFmaWxl
Oi8vXFxpaXNzYjMwNVxDZXJ0RW5yb2xsXElJU1JlbW90ZU1nclRlc3QuY3JsMIGe
BggrBgEFBQcBAQSBkTCBjjBEBggrBgEFBQcwAoY4aHR0cDovL2lpc3NiMzA1L0Nl
cnRFbnJvbGwvaWlzc2IzMDVfSUlTUmVtb3RlTWdyVGVzdC5jcnQwRgYIKwYBBQUH
MAKGOmZpbGU6Ly9cXGlpc3NiMzA1XENlcnRFbnJvbGxcaWlzc2IzMDVfSUlTUmVt
b3RlTWdyVGVzdC5jcnQwDQYJKoZIhvcNAQEFBQADggEBAEsSkcx0re36IL80UphJ
w/srR3LBsy8sfwqxBMzMTdF7k6jYtUVpn3D2Dd4JXXVOaEVud9YNn9pr6xJL4t79
Zh+hJzIPA5pQLbccx4vjWB4cWEYxzcoKYCuUdZrfPFXO1a5kQAj8IZ0/6bhMceyR
Z7dRDoaIuAGQLFAlC/KjIBCemDi54MlWtvATQ8bmiRuEOWeneK2Vd2e0fxyezk05
dRqa8DEC74CQN4rQuz395ECm+M/hQnN+dHOygV8n9swd0bdNq8qypwfVUes5HIpj
LFmKTuGyFSVj7jv+64oTxvxtYX2QFp9q6Bi+qj0uyrX8Xjxy5rPSVPEfnxPCBg58
RCI=
-----END CERTIFICATE-----
Enabling IIS Client Certificates Mapping Authentication and One-to-One Certificate Mapping for a Website
The next steps describe how to enable the Client Certificate Mapping Authentication feature, One-to-One Certificate Mapping, and add a mapping entry.
- Start Inetmgr, the IIS Manager UI.
- Select the website that has the HTTPS binding being configured, and open Configuration Editor.
- Type the following in the Section dropdown box:
system.webServer/security/authentication/iisClientCertificateMappingAuthentication
- Select the enabled field and change the value to true.
- Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true.
- Select the oneToOneMappings property grid entry and click Edit Items... in the Actions task pane.
- Click Add in the Collection Editor task list.
- Copy the single-string certificate blob from above and paste it into the certificate field.
- Set the userName and password of the Windows account that clients presenting this certificate will be authenticated as. Use a dedicated account with only the rights the site needs: whoever holds the certificate's private key gets exactly this account's access. IIS stores the password attribute encrypted in applicationHost.config.
- Set the enabled field to true.
- Close the Collection Editor.
- Click Apply in the Actions task pane. [Note: Click Script Generation prior to clicking Apply to get scripts for this process.]
Once you have completed these steps, the server is configured to handle IIS Client Certificate Mapping authentication with a single, one-to-one certificate mapping entry.
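The Script Generation link in the Configuration Editor produces the equivalent of the script below. It is an added example written for this page, not LogicNets code, and covers the whole procedure from role service installation to a check of the resulting mapping. It runs in an elevated Windows PowerShell prompt with the WebAdministration module. The site name 'Default Web Site', the blob file C:\certs\clientCertBlob.txt and the account name CertMappedUser are assumptions.

```powershell
# Added example (not from the original page). Assumed values below.
$SiteName = 'Default Web Site'
$BlobFile = 'C:\certs\clientCertBlob.txt'
$User     = 'CertMappedUser'   # dedicated low-privilege local account, created beforehand

# Role service "IIS Client Certificate Mapping Authentication" (feature Web-Cert-Auth),
# not Web-Client-Auth, which is the Active Directory variant.
if (-not (Get-WindowsFeature -Name Web-Cert-Auth).Installed) {
    Install-WindowsFeature -Name Web-Cert-Auth | Out-Null
}
Import-Module WebAdministration

$Blob = (Get-Content -Path $BlobFile -Raw).Trim()
if ($Blob -match '\s' -or $Blob -match '-----') {
    throw 'Blob must be a single base64 line without BEGIN/END markers.'
}

# Prompt for the password rather than embedding it in the script; IIS encrypts
# the password attribute when it writes applicationHost.config.
$Secure = Read-Host -Prompt "Password for $User" -AsSecureString
$Plain  = (New-Object System.Net.NetworkCredential('', $Secure)).Password

# The authentication sections are locked at the server level, so the settings
# go into applicationHost.config under a <location> for the site (APPHOST +
# -Location), which is exactly what the Configuration Editor does.
$Section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$Target  = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }

Set-WebConfigurationProperty @Target -Filter $Section -Name 'enabled' -Value $true
Set-WebConfigurationProperty @Target -Filter $Section -Name 'oneToOneCertificateMappingsEnabled' -Value $true
# Keep many-to-one off: only the exact certificate blob below should map.
Set-WebConfigurationProperty @Target -Filter $Section -Name 'manyToOneCertificateMappingsEnabled' -Value $false

# Add the mapping entry (this is the collection item the Collection Editor creates).
Add-WebConfigurationProperty @Target -Filter "$Section/oneToOneMappings" -Name '.' -Value @{
    certificate = $Blob
    enabled     = $true
    userName    = $User
    password    = $Plain
}

# Verify what was written, without echoing the password or the full blob.
Get-WebConfiguration @Target -Filter "$Section/oneToOneMappings/add" |
    Select-Object userName, enabled,
        @{ Name = 'certificate'; Expression = { $_.certificate.Substring(0, 24) + '...' } }
```

If the mapping later stops matching, compare the first characters shown by the verification step with a freshly extracted blob; a renewed client certificate has a new blob and needs a new mapping entry.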
Enabling Client Certificate Authentication for a Website Using SSL
Once you have created a mapping and enabled the feature, you must configure your site to use client certificates. Perform the following steps to do this.
- From within Inetmgr, the IIS Manager UI, select the SSL website for which you want to use client certificates.
- Select the SSL UI module.
- Under Client certificates select Accept (the certificate is requested during the TLS handshake, but a connection without one is still allowed through to the site's other authentication settings) or Require (connections without a client certificate are rejected).
- Click Apply in the Actions task pane.
You have now configured the website to accept and authenticate clients based on client certificates. With Accept, a client that presents no certificate is not rejected at the TLS layer; if Anonymous Authentication is still enabled on the site, such a client is served as the anonymous user. Disable Anonymous Authentication, or choose Require, if the certificate mapping is meant to be the only way in, and confirm by requesting the site both without a certificate and with a certificate that has no mapping.
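The SSL UI module writes the sslFlags attribute of system.webServer/security/access. The script below is an added example, not LogicNets code: it sets the flags for Accept or Require, disables Anonymous Authentication so that only mapped certificates can reach the site, and then checks the result from a client, once without a certificate and once with the mapped certificate, by reading back the HTTP status codes. The site name, the URL https://dms.example.test/ and the thumbprint placeholder are assumptions; the server certificate is assumed to be trusted by the test client.

```powershell
# Added example (not from the original page). Assumed values below.
Import-Module WebAdministration
$SiteName    = 'Default Web Site'
$RequireCert = $true
$Target      = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }

# Accept  = Ssl,SslNegotiateCert : certificate requested, connection allowed without one
# Require = Ssl,SslRequireCert   : connection without a client certificate is refused (403.7)
$Flags = if ($RequireCert) { 'Ssl,SslRequireCert' } else { 'Ssl,SslNegotiateCert' }
Set-WebConfigurationProperty @Target -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $Flags

# Without this, a client that gets past the TLS layer but maps to no account is
# served as the anonymous user. Turn it off so the certificate mapping is the only way in.
Set-WebConfigurationProperty @Target -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# Client-side check. Returns the HTTP status code instead of throwing on 4xx/5xx.
function Test-ClientCertAccess {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $request = @{ Uri = $Url; UseBasicParsing = $true }
    if ($Certificate) { $request.Certificate = $Certificate }
    try {
        return (Invoke-WebRequest @request).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # TLS failure or no connection: report it rather than hide it
    }
}

# The mapped certificate, with its private key, must be in the test client's personal store.
$Url    = 'https://dms.example.test/'
$mapped = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq 'THUMBPRINT_OF_MAPPED_CERT' }

"No certificate : $(Test-ClientCertAccess -Url $Url)"                          # expect 401 or 403, never 200
"Mapped cert    : $(Test-ClientCertAccess -Url $Url -Certificate $mapped)"     # expect 200
```

If the no-certificate request returns 200, a different authentication module on the site is still admitting the client; check the authentication settings of the site and any parent paths. A 403.16 on the mapped-certificate request means the chain does not end in the server's Trusted Root Certification Authorities store.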
Using Client Certificates in Standard LogicNets Applications
DesignerStarter
By default, the DesignerStarter supports connecting to a Document Management System (DMS) over HTTPS, and uses a client certificate to authenticate to the DMS when one has been configured. The following steps explain how to set this up.
- Make sure the DMS has client certificate mapping set up.
- Copy the DMS server certificate, which is used to validate the certificate the DMS presents during the TLS handshake, to <your installation>/dat/certificates/server.crt. This must be in base64-encoded (PEM) format.
- Copy your client certificate, which identifies LogicNets to the DMS, to <your installation>/dat/certificates/client.crt. This is the certificate whose blob is registered in the one-to-one mapping on the IIS side.
- Copy the client certificate's private key, without a passphrase, to <your installation>/dat/certificates/client_private_key.pem. The key does not encrypt the certificate; it proves to the DMS during the TLS handshake that LogicNets holds the certificate. Because the file is stored unencrypted, restrict its filesystem permissions to the account that runs LogicNets.
- Open the LogicNets configuration file (/system/lib/sys/settings.cfg) or create/adapt the company-specific configuration file (/dat/bnt/<company>/settings.cfg) and check/update the paths in the _context / DesignerStarter section.
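Before pointing settings.cfg at the three files, it is worth confirming they are what the DesignerStarter expects. The script below is an added example, not LogicNets code or documentation: it checks that server.crt is PEM, that the private key is not passphrase-protected, that client.crt and client_private_key.pem are a matching pair, and then restricts the unencrypted key file to the service account. It needs PowerShell 7 (.NET 5 or later) for CreateFromPemFile. The installation path C:\LogicNets and the service account NT SERVICE\LogicNets are assumptions; substitute the account that actually runs the application.

```powershell
# Added example (not from the original page). Assumed values below.
$Base       = 'C:\LogicNets\dat\certificates'
$ServerCrt  = Join-Path $Base 'server.crt'
$ClientCrt  = Join-Path $Base 'client.crt'
$ClientKey  = Join-Path $Base 'client_private_key.pem'
$ServiceAcc = 'NT SERVICE\LogicNets'   # assumed; use the account LogicNets runs as

foreach ($f in $ServerCrt, $ClientCrt, $ClientKey) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# server.crt must be base64 (PEM), not binary DER: the MMC export option is
# "Base-64 encoded X.509 (.CER)".
if ((Get-Content $ServerCrt -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
    throw 'server.crt is not base64-encoded; export it again as Base-64 encoded X.509.'
}

# The key must be usable without a passphrase. An encrypted PEM key carries
# either a "BEGIN ENCRYPTED PRIVATE KEY" header or a "Proc-Type: 4,ENCRYPTED" line.
if ((Get-Content $ClientKey -Raw) -match 'ENCRYPTED') {
    throw 'client_private_key.pem is passphrase-protected; the DesignerStarter needs an unencrypted key.'
}

# CreateFromPemFile throws a CryptographicException when the key does not belong
# to the certificate, so this one call confirms the two files are a pair.
$client = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($ClientCrt, $ClientKey)
"client.crt: $($client.Subject), expires $($client.NotAfter), private key matches: $($client.HasPrivateKey)"
if ($client.NotAfter -lt (Get-Date)) { Write-Warning 'client.crt has expired; the IIS mapping will not match it.' }

# The key has no passphrase, so file ACLs are its only protection: drop
# inherited rights, give the service account read access and administrators
# full control, nothing else.
icacls $ClientKey /inheritance:r /grant:r "${ServiceAcc}:(R)" "BUILTIN\Administrators:(F)" | Out-Null
icacls $ClientKey
```

The server.crt check only confirms the encoding; compare its thumbprint with the certificate the DMS actually serves (for example via the browser's certificate viewer) so that the DesignerStarter is validating against the right certificate.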