• IIS Admin Blog

  • How to Secure a Web Site Using Client Certificate Authentication

8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0 |

Install the Server Certificate

We start by installing the server certificate on the web server. You will need a valid server certificate at this point – if you don’t have access to one you can use the SelfSSL utility from the IIS6 Resource Kit Tools to generate one for your site. You can download the IIS 6.0 Resource Kit tools here :


To install the server certificate Right-click the web site, click properties and then click Directory Security. Under Secure Communications click Server certificate which will invoke the Web Server Certificate Wizard. Click Next. There are a number of options you can choose here – I am going to import my web server certificate from a .PFX file which I already have, so I click the appropriate option and click Next

Fig. 11

Browse to the location of the .PFX file and select it. It’s also a good idea to mark the private key as exportable so that you can make a backup of it if you need to. Enter the password if prompted to do so and click Next

Fig. 12

Enter the port which this web site will use for SSL, the default being port 443 and click Next. You will see a summary of the certificate details and then click Next

Fig. 13

You should now be able to click the View Certificate button under Secure Communications and view the details of the installed certificate. You should also now be able to issue an HTTPS request to the web site on port 443. You should still be prompted to enter the ‘certuser’ credentials as above because the only change we have made to the web site at this stage is to enable (but not require) SSL.

Still in the click Directory Security tab under Secure Communications click Edit and then tick the Require secure channel (SSL) and the Require 128-bit encryption tick-boxes and click OK

Fig. 14

The web site will now only accept HTTPS connections – if you try to browse using HTTP you will see “The page must be viewed over a secure channel” 403.4 – SSL required status code.

Install the Client Certificate

The next step is to Install the client certificate on the client machine and export the public key for use on the web server.

# Note – In this example I am going to be using a self-signed client certificate (i.e one which hasn’t been issued by a trusted Certificate Authority) so I am going to have to take an extra step to create a chain of trust for the certificate on both the client machine and the server. If you are using certificates from a CA which your machines trust you won’t need to perform these extra steps. If you use a self-signed certificate and don’t follow these steps then you will see an error when you view your certificates’ properties which informs you that the CA Root certificate is not trusted, as shown here

Fig. 15

On the client machine where the client certificate is going to be installed open up the Certificates MMC snap-in for the local machine store. Click Start, Run, type MMC and then click OK. Click File, Add/Remove Snap-In. Click Certificates and then click Add.

Fig. 16

Pages: 1 2 3 4 5 6

This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”

Why not let us know what you think by adding your own comment! Your opinion is as valid as anyone elses, so come on... let us know what you think.

  1. 1 On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.


  2. 2 On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I can not get either to work. I get a Bad Gateway. error 502.


  3. 3 On May 11th, 2010, Marc said:


    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?


  4. 4 On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Sever and IIS?

  5. 5 On December 14th, 2011, Eric Belair said:

    I setup client certificate authentication using these instructions, only I did it on one directory, instead of an entire website. However, I am getting a HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. 6 On December 14th, 2011, Eric Belair said:

    Nevermind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.

Leave a Reply

You must be logged in to post a comment.

  • Calendar

  • March 2018
    M T W T F S S
    « Sep