Certificate Client Authentication with Server Certificate

  • Question

  • Hi, we have a situation. We have an internet-facing asp.net web-app on IIS 7 configured with an SSL Certificate for https access.

    The same web-app needs to access a Web-Service from another external domain (becomes a web-svc client), and they want us to use Client-Cert to authenticate against their server, and so want us to send our server's cert with public key. We exported our server cert, but they don't want a server cert which was issued for All Purposes i.e. server-auth, client-auth etc. They want us to send a cert which is only for client-auth, so that they can be 100% sure it's only us making the request.

    How can we resolve this? Is it possible to have multiple certificates for same domain but with different purposes? Any other work-around?

    - Satish

    Tuesday, February 25, 2014 7:10 PM

Answers

  • Hi,

    >>Is it possible to have multiple certificates for same domain but with different purposes?

    It seems that the answer is Yes and No.

    The Yes is that it's possible to have multiple certs that all have the same domain name on them. You could have a Comodo example.org cert and an Entrust example.org cert, both of them valid and official, no problem. I believe some load balancers will rotate which one is used on a per-connection basis, but only in a round-robin fashion.

    The No is that you're asking if you can select which cert to use based on the URI (/ vs. /criticalpath). The problem is, the URI is only available after the SSL connection has been nailed up using one of the two certs. So you can't really choose which cert to use based on information you can only have after you've chosen the cert.

    >>but they don't want a server cert which was issued for All Purposes i.e. server-auth, client-auth etc. They want us to send a cert which is only for client-auth, so that they can be 100% sure it's only us making the request.

    If I do not misunderstand you, we can distinguish between Client and Server Certificates; for more information, please try to check the following:
    http://blogs.msdn.com/b/kaushal/archive/2012/02/18/client-certificates-v-s-server-certificates.aspx

    Best Regards,
    Amy Peng



    • Marked as answer by SKBG Wednesday, February 26, 2014 1:19 PM
    Wednesday, February 26, 2014 5:53 AM
    Moderator
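The distinction the answer refers to lives in the certificate's Extended Key Usage (EKU) extension: a server certificate carries the serverAuth OID (1.3.6.1.5.5.7.3.1), a client certificate carries clientAuth (1.3.6.1.5.5.7.3.2), and a Windows "All Purposes" certificate either has no EKU extension at all or lists anyExtendedKeyUsage (2.5.29.37.0). The external party's check amounts to rejecting anything other than an EKU that is exactly clientAuth. The block below is an added example, not code from the thread or from Microsoft; it decodes the DER-encoded EKU extension value with only the Python standard library and applies that policy. The EKU byte strings are constructed test inputs, and the function names are the example's own.

```python
"""Decode an X.509 Extended Key Usage (EKU) extension value from DER and
decide whether a certificate is acceptable as a client-auth-only credential.
Added example (not from the forum thread); stdlib only."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU     = "2.5.29.37.0"         # anyExtendedKeyUsage

# Constructed EKU extension values (DER SEQUENCE OF OBJECT IDENTIFIER).
DUAL_PURPOSE = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
CLIENT_ONLY  = bytes.fromhex("300a" "06082b06010505070302")
SERVER_ONLY  = bytes.fromhex("300a" "06082b06010505070301")
ANY_PURPOSE  = bytes.fromhex("3006" "0604551d2500")


def _read_tlv(data, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Convert OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, value = [], 0
    for b in raw:                      # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                    # first two arcs are packed into one sub-identifier
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Return the list of dotted OIDs inside an EKU extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(decode_oid(content))
    return oids


def classify(eku_der):
    """Label a certificate by its EKU; None means the extension is absent
    (Windows shows that as 'All Purposes')."""
    if eku_der is None:
        return "any-purpose"
    oids = parse_eku(eku_der)
    if ANY_EKU in oids:
        return "any-purpose"
    has_client, has_server = CLIENT_AUTH in oids, SERVER_AUTH in oids
    if has_client and has_server:
        return "client-and-server"
    if has_client:
        return "client-only"
    if has_server:
        return "server-only"
    return "other"


def meets_client_only_policy(eku_der):
    """The relying party's rule from the question: accept only a certificate
    whose EKU is exactly clientAuth, nothing more and nothing less."""
    return eku_der is not None and parse_eku(eku_der) == [CLIENT_AUTH]


if __name__ == "__main__":
    for name, der in [("dual", DUAL_PURPOSE), ("client", CLIENT_ONLY),
                      ("server", SERVER_ONLY), ("any", ANY_PURPOSE), ("absent", None)]:
        print(f"{name:7s} -> {classify(der):18s} accepted={meets_client_only_policy(der)}")
```

In practice the EKU value would be pulled from the certificate object (for example `X509Certificate2.Extensions` on Windows, or a PKI library elsewhere) rather than hand-built; the decoding and the policy decision are the same. The dual-purpose case is exactly the exported IIS server certificate from the question, and it fails the policy, which is why a separately issued client-auth-only certificate is needed.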