0

I have an ASP.NET web application hosted on Windows Server 2008 IIS7; everything works well.

I want to deny users who do not have an SSL cert installed in their browser (IE/Firefox etc.).

For example, there are 10 staff allowed to access this website. I have done the following.

  1. Using OpenSSL, generated a pkcs12 cert (*.pfx).
  2. Using IIS Server Manager, installed the pfx.
  3. Bound the site to https and selected the server cert installed in (2.).
  4. On Sites -> SSL Settings, checked "Require SSL" with the "Require" selection.

It seems to work; IIS responds:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

But how can I generate the SSL cert for these 10 users to install in their browsers? Using OpenSSL, it seems I cannot generate *.crt from *.pfx.

Thanks

kband
Cheung

1 Answer

0

A pfx contains both a key and a certificate; you need to export both to a PEM, then, if required, extract the crt from the PEM.

openssl pkcs12 -in mycert.pfx -out mycert.pem

However, you probably want to switch to (if not already using) "proper" client-side certificates based on the server certificate.

This link has some information on the topic (for Apache/OpenSSL but probably similar on IIS): http://www.freebsddiary.org/openssl-client-authentication.php

HampusLi
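The approach the answer points toward, as an added example that is not part of the original post: a small private CA that issues one client certificate per staff member and packages it as a .pfx for browser import, plus the .pfx-to-.crt extraction the question asks about. The directory layout, subject names, key size, validity period and password handling are assumptions.

```shell
#!/bin/sh
# Added example: private CA + per-user client certificates (names are assumptions).

make_ca() {  # $1 = working directory
    dir=$1
    mkdir -p "$dir"
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -subj "/CN=Example Staff CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

issue_client() {  # $1 = directory, $2 = user name, $3 = .pfx password
    dir=$1; user=$2; pass=$3
    # Each user gets their own key pair and a CSR naming them.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$user" -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    # Restrict the certificate to TLS client authentication.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/$user.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$user.crt" 2>/dev/null
    # Bundle key + certificate + CA certificate for import into the browser.
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/$user.pfx"
}

extract_crt() {  # $1 = .pfx, $2 = password, $3 = output .crt (no private key)
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -out "$3"
}

# Usage: make_ca ./pki && issue_client ./pki alice 'per-user-password'
```

The server has to trust `ca.crt` for the issued certificates to be accepted, and each user imports only their own `.pfx`. `pass:` is used here for brevity; `file:` or `env:` keeps the password off the command line.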