Does IIS allow the client to use a server certificate as client certificate?

Question

This is a follow-up question of Use Server Certificate As Client Certificate. I know that you SHOULD use client certificate for client authentication. It seems that some servers allow the client to present a certificate that is actually a "server certificate" (OID - 1.3.6.1.5.5.7.3.1).

My question is particularly whether IIS allow that? Is there a configuration that decides this behaviour?

If IIS ever allowed that, Microsoft customers might have reported such as bugs a long time ago. — Lex Li, Mar 04 '21 at 13:57

score 0 · Answer 1 · answered Mar 04 '21 at 08:44

0

Client authentication vs server authentication is different processes. these two types of certificates have very specific purposes, and they cannot be used in place of one another.

A server certificate is used to authenticate the server's identity to the client and perform encryption on data-in-transit to assure data confidentiality.

A client certificate is used to authenticate the client or user identity to the server and does not encrypt any data, it only serves as a more secure authentication mechanism than passwords.

answered Mar 04 '21 at 08:44

samwu

3,857
3
11
25

It is a server implementation detail. I know some servers (arguably not strictly following the RFCs) do allow that. That is why I am asking in particular whether IIS allows that and if it does is there a configuration for it. – Devs love ZenUML Mar 04 '21 at 11:09
It is impossible to do in iis. – samwu Mar 05 '21 at 08:47
Again, the server certificate cannot be used as a client certificate. – samwu Mar 05 '21 at 09:00
Sorry, I read your previous comment wrong :) – Devs love ZenUML Mar 05 '21 at 09:01

Does IIS allow the client to use a server certificate as client certificate?

1 Answers1