Client Certificate

BC

Hi everybody,

I am building an HTTPS web application for our own staff to access the
company's web server through the Internet. The web server is running IIS
5.0 on a W2K box. The web server is installed with a server certificate,
and the user's browser needs a client certificate to be authenticated by the
server. The HTTPS web server is configured with many-to-one mapping,
specifying that a certificate must meet certain criteria (for instance, a
specific Certificate Authority (CA), i.e. issued by our own Microsoft
certificate server). My question is whether an authorized person can use a
pseudo proxy server or other tools to fake a web page message containing the
HTTP header of a valid client certificate. Will the web server be able to
tell that the challenged browser does not contain the valid client
certificate, when the challenge message is being sent back to that fake web
page?

Thanks a lot.

BC

David Cross [MS]

No, this will not work - the private key is required to sign data back to
the server to provide proof of possession:

"My question is whether an authorized person can use a
pseudo Proxy server or other tools to fake a web page message containing the
HTTP header of a valid client certificate."
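Added example, not from this thread, of the proof-of-possession check the reply relies on: a stand-alone Go program (standard library only) runs a real TLS handshake over loopback against a server that requires a client certificate chained to a constructed company CA. The genuine user, who holds the private key, is accepted; an impostor presenting an exact copy of the same certificate but signing CertificateVerify with a key of their own is rejected by the server. The names company-ca, intranet.example and staff-user are constructed stand-ins.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// newCert issues a certificate for name; with parent nil it is self-signed and acts as our stand-in company CA.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, parentKey = tmpl, key }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// handshake runs a real TLS handshake over loopback; the server demands a client cert chained to ca and its error is the verdict (nil = accepted).
func handshake(ca, srv *x509.Certificate, srvKey ed25519.PrivateKey, cli *x509.Certificate, cliKey ed25519.PrivateKey) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // stand-in for the IIS server's listener
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, _ := ln.Accept()
		defer conn.Close()
		s := tls.Server(conn, &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
			Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}})
		verdict <- s.Handshake() // the client's CertificateVerify signature is checked in here
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "intranet.example",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}})
	if err == nil { c.Close() } // the client-side outcome is not needed; only the server's verdict counts
	return <-verdict
}
// scenario reports whether a genuine staff member and an impostor who copied the (public) staff certificate are accepted.
func scenario() (genuineOK, impostorOK bool) {
	ca, caKey := newCert("company-ca", nil, nil)
	srv, srvKey := newCert("intranet.example", ca, caKey)
	staff, staffKey := newCert("staff-user", ca, caKey)
	_, strangerKey, _ := ed25519.GenerateKey(rand.Reader) // the impostor has no staff private key, only a key of their own
	return handshake(ca, srv, srvKey, staff, staffKey) == nil, handshake(ca, srv, srvKey, staff, strangerKey) == nil
}
```

scenario() returns (true, false): the certificate alone, which any proxy could copy out of a handshake, proves nothing without the private key that signs the server's challenge.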