Select Client Certificate list empty

Jorge Balderas

I have installed at least 2 different client certificates (on a Windows 2000
box), I can see them in the 'Personal certificate store'. It shows that I
have the private key that corresponds to the certificate. It shows 'Client
Authentication' in the intended purposes. However when I try to hit a site
through IE 6 that has been configured to accept client certificates (on
IIS), the Client Authentication box that prompts to select a client
certificate is empty! I believe my client certificates are properly
installed, please let me know what to try to get the certificates to show in
that list.

Thanks,
Jorge Balderas
 
Steve Cook

Make sure the CA certificate has been installed as a trusted root in the
machine store on the web server. For a Microsoft Certificate Server, you can
generally get this certificate by browsing to http://<server ip
address>/certsrv/certcarc.asp. Save the certificate to a file. To
install this certificate in the web server's trusted root store, open an MMC
console and add the Certificates snap-in. You'll be prompted to select
whether the console is for "My User Account", "Service Account" or "Computer
Account." Select "Computer Account". You want to target the "Local
Computer". In the console, select and expand the "Trusted Root Certificate
Authorities" and then highlight and right-click on Certificates in the left
pane. Select "All Tasks"/"Import..." and follow the instructions to install
your CA as a trusted root.

Your web server should be able to see at least one of the CRL distribution
points listed in the user certificates. If a CRL can't be reached the web
server will assume that the client certificate has been revoked.

To tighten up the web server you can set a Certificate Trust List through
the IIS Admin Console. Add your certificate authority to the list and only
certificates it has issued will be accepted.

If you use a root CA with one or more subordinate CAs, the root CA
certificate should be the one added to the trusted root list on the web
server and should be the CA placed in your Certificate Trust List.
Certificates issued by your subordinate CAs will be accepted because they
are traceable to the root CA.
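
Added example, not part of the original thread: a PowerShell check, for current Windows versions, of the two server-side conditions described in the answer above (CA trusted in the Local Computer store, CRL reachable from the web server). The file names `ca.cer` and `client.cer` are assumptions; `client.cer` is the client certificate exported without its private key.

```powershell
# Run from an elevated prompt on the web server.
# Assumed inputs (not from the thread): ca.cer is the CA certificate saved
# from the certsrv page, client.cer is the public part of a client certificate.
param(
    [string]$CaFile     = '.\ca.cer',
    [string]$ClientFile = '.\client.cer'
)

# Scripted form of the MMC import: Local Computer > Trusted Root store.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

$clientPath = (Resolve-Path $ClientFile).Path
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $clientPath

# Build the chain in machine context, so only machine-level trust counts,
# and require an online revocation check for every non-root certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$valid = $chain.Build($client)

# Print the chain that was found, leaf first, root last.
$chain.ChainElements | ForEach-Object {
    '{0}  [{1}]' -f $_.Certificate.Subject, $_.Certificate.Thumbprint
}

if ($valid) { 'Chain is trusted and revocation was checked.' }

# Map each chain error to the condition named in the answer.
foreach ($s in $chain.ChainStatus) {
    switch ($s.Status) {
        'UntrustedRoot'           { 'Root CA is not in the Local Computer trusted root store.' }
        'PartialChain'            { 'A subordinate CA certificate is missing from the chain.' }
        'RevocationStatusUnknown' { 'No CRL could be checked for at least one certificate.' }
        'OfflineRevocation'       { 'A CRL distribution point is unreachable from this server.' }
        'Revoked'                 { 'A certificate in the chain is listed as revoked.' }
        default                   { '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
    }
}
```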
 
