On IIS 7.5, with client authentication by certificate, how to enable logging of client certificate's thumbprint (or serial, or subject dn) to IIS log?
I don't know why this was marked down; it's an entirely sensible question for SSL client certificate authentication. – Cameron Kerr Apr 10 '15 at 10:28
2 Answers
While I am not proficient in IIS in particular (I deal with Apache mostly), I would expect this to be a custom logging sort of thing.
The following page documents some of the advanced logging functionality of IIS; while it doesn't show SSL things in the screenshots, it may still be useful.
http://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging
Note also the documentation around IIS server variables, which I would expect to be able to be logged in a custom logging situation.
https://msdn.microsoft.com/library/ms524602.aspx
That page does list various Client Authentication server variables.
Cheers, Cameron

You can use server variables to log a CERT_COOKIE (unique identifier) and the incoming subject and the issuer subject of the certificate.
However, the CERT_COOKIE is generated by IIS and does not contain the thumbprint.
Possible values in the advanced logging (logging tools) settings: https://docs.microsoft.com/en-us/iis/web-dev-reference/server-variables
(So it still remains a mystery to us why our CA certificate is rejected.)

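As an added example that is not part of either answer: a PowerShell snippet that selects those certificate server variables as custom W3C log fields. It assumes IIS 8.5 or later (whose built-in enhanced logging replaced the separate Advanced Logging module used on IIS 7.5; the server-variable names are the same on both) and a site named 'Default Web Site'.

```powershell
# Added example, not from the original answers. Assumes IIS 8.5+ enhanced logging
# (logFile/customFields) and a site called 'Default Web Site'.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumed site name
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$filter   = "system.applicationHost/sites/site[@name='$siteName']/logFile/customFields"

# Custom fields are only written in W3C log format.
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name logFile.logFormat -Value 'W3C'

# Server variables IIS populates once a client certificate has been negotiated.
# CERT_COOKIE is an IIS-generated identifier, not the certificate thumbprint;
# CERT_SERIALNUMBER and CERT_SUBJECT identify the certificate itself.
$certFields = @(
    @{ logFieldName = 'cert-subject'; sourceName = 'CERT_SUBJECT';      sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-issuer';  sourceName = 'CERT_ISSUER';       sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-serial';  sourceName = 'CERT_SERIALNUMBER'; sourceType = 'ServerVariable' },
    @{ logFieldName = 'cert-cookie';  sourceName = 'CERT_COOKIE';       sourceType = 'ServerVariable' }
)

foreach ($field in $certFields) {
    # Skip fields that are already configured so the script can be re-run safely.
    $existing = Get-WebConfiguration -PSPath $psPath `
        -Filter "$filter/add[@logFieldName='$($field.logFieldName)']"
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' -Value $field
    }
}

# Show the resulting custom-field list. The new columns appear in the #Fields header
# of the next log file; they are empty on requests that carried no client certificate
# (e.g. when sslFlags does not negotiate or require one for that URL).
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object logFieldName, sourceName, sourceType
```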