IIS 7 and Above
Use client certificate for mutual authentication without trusting the...
Last post Feb 09, 2018 08:19 AM by rdebruyn
Feb 08, 2018 04:24 PM | rdebruyn
Is it possible to configure IIS / Windows to use and trust a client certificate for mutual authentication without trusting the root certificate authority?
An external party has a certificate which was issued by their internal self-signed CA. I don't want to add their CA root certificate to my server's Trusted Root CAs but rather just trust this one individual certificate. If I add their certificate to the Trusted People store, the certificate is valid on the server, but IIS still ignores it and returns a 403.7.
Adding the client certificate to the Trusted Root CAs only works for self-signed certs.
I've done a lot of reading and tried various options: turning CTL off, changing the CTL store to ClientAuthList and installing only the client certificate in the ClientAuthList, but nothing I have tried so far has worked and I'm starting to think that it's not possible.
Feb 09, 2018 06:06 AM | Yuk Ding
I think it is not possible to use a client certificate without adding it to the trusted root CA. When IIS authenticates the certificate it will also verify the trusted root CA zone; if the certificate is not trusted, it will return a 403 error. In addition, using an untrusted client certificate for client authentication also cannot guarantee the security of the connection.
So if you need to use a client certificate, I recommend that you apply to a trusted CA and use it for client authentication.
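The chain check described in the reply above can be reproduced outside IIS, which helps confirm whether a 403.7 is caused by the root not being trusted rather than by some other setting. The following PowerShell is an added diagnostic example, not code from the thread or from Microsoft; it assumes the external party's client certificate has been exported to `.\partner-client.cer` (placeholder path) and uses the .NET `X509Chain` class, which validates against the same machine Trusted Root CA store that SChannel uses. The Client Authentication EKU OID (1.3.6.1.5.5.7.3.2) is added as an application policy because that is the usage a client certificate presented to IIS is expected to carry.

```powershell
# Added example: show whether a client certificate chains to a trusted root,
# which is the condition IIS/SChannel requires before it accepts the cert.
# Assumption: the partner's leaf certificate is saved at this placeholder path.
$certPath = '.\partner-client.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation so the result reflects trust only, not CRL/OCSP reachability.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# Require the Client Authentication EKU, as expected for a TLS client certificate.
$clientAuthOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
[void]$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthOid)

$trusted = $chain.Build($cert)
"Subject : {0}" -f $cert.Subject
"Issuer  : {0}" -f $cert.Issuer
"Chains to a trusted root: {0}" -f $trusted

# Each ChainStatus entry names why validation failed (e.g. UntrustedRoot).
foreach ($status in $chain.ChainStatus) {
    "  status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
}
# List the chain elements that were found, leaf first.
foreach ($element in $chain.ChainElements) {
    "  element: {0}" -f $element.Certificate.Subject
}
```

If `Build` returns `False` with an `UntrustedRoot` status, the server is in the situation the thread describes: the leaf sits in Trusted People, but chain building never consults that store, so the certificate is not considered trusted and IIS rejects it. The check only passes once the issuing root is present in the machine's Trusted Root Certification Authorities store, which is exactly what the original poster was trying to avoid.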
Feb 09, 2018 08:19 AM | rdebruyn
I agree, I don't think it's possible. We will ask the external party to get a valid certificate from a public CA.