IIS 7 and Above
Client authentication with intermediate CA: access to certs from TLS...
Last post Nov 20, 2019 09:06 AM by Jalpa Panchal
Nov 08, 2019 03:36 AM | Markus Horstmann
We are designing a client authentication system around (self-issued) certificates where we want a three-level hierarchy:
1) Root CA (our own)
2) Intermediate Certificate
3) Device/Client Certificate
We only want to install the Root CA on the Server(s) for a variety of reasons (potentially large # and changing set of Intermediate Certificates being the main one).
We are able to make this work with IIS 10 / ASP.Net, presumably because the clients send the entire certificate chain in the standard TLS client auth handshake as per RFC5246 7.4.6 / 7.4.2, and IIS considers the certificate valid even without the missing
Problem: We would like to do custom validation on the Intermediate Certificates and have not been able to find a way to access the certificate chain that is sent by the clients.
Question: Is there any way to access the client cert chain provided in the TLS handshake in ASP.Net? Can this be done with any other handler/module?
Nov 11, 2019 02:47 AM | Jalpa Panchal
You could use many to one client certificate binding in IIS. The <manyToOneMappings> element of the <iisClientCertificateMappingAuthentication> element maps multiple client certificates to a user account based on criteria in the client's browser certificate.
To do that you need to enable the IIS Client Certificate Mapping Authentication feature.
For how to access it by using ASP.NET, you could ask this question on the ASP.NET forum.
IIS Client Certificate Mapping Authentication
Nov 13, 2019 06:24 AM | Jalpa Panchal
You could use System.Web.HttpContext.Current.Request.ClientCertificate to get the certificate detail by using ASP.NET.
You could refer to this post for more detail.
Nov 14, 2019 12:06 AM | Markus Horstmann
Thanks for your answers. We are using System.Web.HttpContext.Current.Request.ClientCertificate, but it only returns the actual client certificate, not the other certificates in the cert chain, even though we see that the server (or http.sys/schannel) is receiving the entire chain in the TLS handshake and is even using it for its own chain verification. The chain just doesn't seem to get bubbled up anywhere into IIS or ASP.NET.
Nov 20, 2019 09:06 AM | Jalpa Panchal
You could try to use the Issuer property of HttpClientCertificate.
Please refer to the link below for more detail.
Try to use another property to get the certificate chain.
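The thread leaves the original question open: classic ASP.NET exposes only the leaf through Request.ClientCertificate, so any validation of the intermediate has to rebuild the chain on the server side. The following is an added example written for this discussion, not code posted by either participant or shipped with IIS/ASP.NET. It assumes the application keeps its own copy of the root CA and of the currently accepted intermediates (the `trustedRoot` and `knownIntermediates` parameters, and the `ClientCertChainValidator` class and `intermediatePolicy` callback are all hypothetical names) and shows how to rebuild the chain with X509Chain, pin it to that root, and run a custom check on every intermediate element.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Hypothetical helper for the scenario in the thread (added example, not forum code).
public static class ClientCertChainValidator
{
    // clientCert:          HttpContext.Current.Request.ClientCertificate (leaf only, as the thread found)
    // trustedRoot:         the organisation's own root CA (the only CA installed on the servers)
    // knownIntermediates:  intermediates the service currently accepts, loaded from the app's own storage
    // intermediatePolicy:  custom check applied to each intermediate element of the rebuilt chain
    public static bool ValidateClientCert(
        HttpClientCertificate clientCert,
        X509Certificate2 trustedRoot,
        X509Certificate2Collection knownIntermediates,
        Func<X509Certificate2, bool> intermediatePolicy)
    {
        if (clientCert == null || !clientCert.IsPresent)
            return false;

        // HttpClientCertificate.Certificate is the DER bytes of the leaf certificate.
        var leaf = new X509Certificate2(clientCert.Certificate);

        using (var chain = new X509Chain())
        {
            // The handshake's intermediates never reach ASP.NET, so feed the chain builder
            // our own copies instead of relying on the machine store or AIA fetching.
            chain.ChainPolicy.ExtraStore.AddRange(knownIntermediates);
            chain.ChainPolicy.ExtraStore.Add(trustedRoot);

            // Private PKI: revocation handling is a design decision of your own CA; NoCheck here
            // keeps the example self-contained, but a real deployment should check a CRL or OCSP.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

            // Let the builder complete a chain ending at a root Windows does not trust;
            // the root identity is pinned explicitly below, so this does not weaken the check.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

            // Build fails (e.g. PartialChain) if the issuing intermediate is not in ExtraStore.
            if (!chain.Build(leaf))
                return false;

            // The last element must be exactly our root; a self-signed leaf or foreign root fails here.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!root.Thumbprint.Equals(trustedRoot.Thumbprint, StringComparison.OrdinalIgnoreCase))
                return false;

            // UntrustedRoot is expected for a private root; any other status is a failure.
            foreach (var status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError &&
                    status.Status != X509ChainStatusFlags.UntrustedRoot)
                    return false;
            }

            // Elements between the leaf (index 0) and the root are the intermediates.
            for (int i = 1; i < chain.ChainElements.Count - 1; i++)
            {
                if (!intermediatePolicy(chain.ChainElements[i].Certificate))
                    return false;
            }

            return true;
        }
    }
}
```

Because the intermediates come from the application's own store rather than from the TLS handshake, the set of accepted intermediates can change without touching the server's certificate stores, which was the constraint stated in the first post; the trade-off is that an intermediate not present in `knownIntermediates` causes the chain build to fail and the client to be rejected.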