For authorization, Web services often need to be able to authenticate their caller (other applications). The client certificate provides a very good authentication mechanism for Web services. If you use a client certificate, your application will benefit from the secure channel creation between the client application and the web service (using the security socket layer [SSL]). This way you can safely transfer confidential information between web services. SSL ensures the integrity and confidentiality of messages.
This "How to Do" includes a step-by-step instruction configured to configure a Web service that requires a client certificate.
Note: The information in this "How to do" is also suitable for remote components that are carried by IIS.
Claim
The following items describe the recommended hardware, software, network infrastructure, skills, and knowledge, and the service pack you need.
● Microsoft? Windows? 2000 Server operating system with Service Pack 2
● Microsoft Visual Studio? Net development system
● Access Certificate Authority (CA) to generate new certificates
● A web server that has been installed a server certificate
For more information on installing a Web Server certificate, see "How to Do" in this guide "Reference": Set SSL on the web server.
This "How to do" also requires you to have knowledge using Microsoft Visual C #? Development tools for ASP.NET Web development.
to sum up
This "how to do" includes the following procedure:
1. Create a simple web application
2. Configure the web application to need client certificates.
3. Require and install the client certificate
4. Verify client certificate operation
1. Create a simple web application
u Create a simple web application
1. Start Visual Studio .NET, create a new C # ASP.NET web application called SecureApp.
2. Drag and drop a tag control from the toolbox to the Webform1.aspx web form, and then set their ID attribute to Message.
3. Drag and drop a label to the WebForm1.aspx form, and then set their ID attribute to Certdata.
4. Add the following code to the Page_Load event.
String username;
Username = user.Identity.name;
Message.text = "Welcome" UserName;
HTTPCLIENTCERTIFICATE CERT = Request.ClientCertificate;
CERT.ISPRESENT
{
CERTDATA.TEXT = "Client Certificate Retrieved";
}
Else
{
CERTDATA.TEXT = "no client certificate";
}
5. In the "Build" menu, click Build Solutions.
6. Start Internet Explorer and navigate to http: //localhost/secureapp/webform1.aspx. The page should display "Welcome" message (not displaying the username, because the user has not authenticated) and "there is no client certificate".
7. Close Internet Explorer.
2. Configure the web application to need client certificates.
This process uses Internet Information Services (IIS) to configure the virtual directory of the web application to require a certificate.
This process assumes that you have a valid certificate on the web server. For more information on installing a web server certificate, see "How to do: Set SSL on the web server."
u Configure the virtual directory of the web application to require a certificate
1. Start IIS on the web service host. 2. Navigate to the SecureApp virtual directory.
3. Right-click SecureApp and click Properties.
4. Click the Directory Security tab.
5. Click Edit under "Secure Communication".
If you cannot use Edit, you may not have a web server certificate.
6. Select "Require Secure Channel (SSL) check box.
7. Select the "Requireable Client Certificate" option.
8. Click OK, then click OK.
9. In the Inherited Coverage dialog box, click All Select, and then click OK to close the SecureApp Properties dialog.
This will apply new security settings to all subdirectories in the virtual root directory.
10. To confirm that the Web site is configured correctly, start Internet Explorer and (using https) to navigate to https: //localhost/secureapp/webform1.aspx.
11. Internet Explorer Displays the Customer Authentication dialog box and requires you to choose a client certificate. Because you have not already installed a client certificate, click OK to confirm that the display notifies that the page requires an error page for the client certificate.
12. Close Internet Explorer.
3. Require and install the client certificate
This process installs the client certificate. You can use certificates from any certificate authority, you can also use the Microsoft certificate service as described later in the following sections to generate your own certificates.
This process assumes that the Microsoft certificate service is configured for the application, which requires administrators to issue a certificate. It can also be configured to automatically issue certificates for certificates. u Check the certificate application status setting
1. On the Microsoft Certificate Services computer, select Certificate Authority from the Administrative Tools program group.
2. Expand the Certificate Authority (Local) ", right-click the certificate authority and click Properties.
3. Click the Policy Module tab, and then click Configure.
4. Check the default operation. The following procedure assumes that "set the certificate application status". Select "Administrator must issue a certificate".
u Apply for client certificates
1. Start Internet Explorer and navigate to http: // hostname / certificaterv, where Hostname is the name of the computer that is installed in the Microsoft certificate service.
2. Click "Application Certificate" and click Next.
3. On the Select Application Type page, click User Certificate, and then click Next.
4. Click "Submit" to complete the application. 5. Close Internet Explorer.
u issued a client certificate
1. Launch the Certificate Authority tool from the Administrative Tools program group.
2. Expand your certificate authority and select the "To Apply" folder.
3. Select the certificate application you just submitted to point to "All Tasks" on the Actions menu, and then click "Profile".
4. Verify that the certificate is displayed in the "Automise" folder and double-click it to view.
5. On the Details tab, click Copy to File to save the certificate as the Base-64 encoded X.509 certificate.
6. Close the attribute window of the certificate.
7. Turn off the certification authority tool.
u Install client certificate
1. To view the certificate, start the Windows Explorer, navigate to the .cer file saved during the previous process, then double-click it.
2. Click "Install Certificate" and then click Next to "Certificate Import Wizard".
3. Select "Automatically select the certificate storage area according to the certificate type", and then click Next.
4. Click Finish to complete the wizard. Turn off the confirmation message box and click OK to close the certificate.
4. Verify the client certificate This procedure verifies whether you can access the SecureApp application using the client certificate.
u verify client certificate operation
1. Start Internet Explorer and navigate to https://localhost/secureapp/webform1.aspx.
2. Verify that the web page is successfully displayed.
Other resources
For more information, see "How to Do" in this guide ": Set SSL on the web server."
