8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0 |

Select Computer Account and click Next, then select Local Computer and click Finish. Click Close and then OK. To complete the chain of trust, the self-signed certificate that issued the client certificate must be added to the computer's Trusted Root Certification Authorities store. Expand Trusted Root Certification Authorities, right-click its Certificates folder and click All Tasks, Import, which invokes the Certificate Import Wizard.

Fig. 17

Click Next and browse to the certificate you wish to import. Click Next, then Next again to accept the default certificate store (Trusted Root Certification Authorities, because that is the folder the wizard was launched from), then Finish to complete the import. With the issuing certificate trusted by the machine, the chain of trust is complete and the self-signed client certificate can now be installed into the user's Personal certificate store, where it will be treated as trusted.

On the client machine where the certificate is to be used, log on as the user who will be using the certificate and open Internet Explorer. Click Tools, Internet Options and click the Content tab.

Fig. 18

Click Certificates and on the Personal tab click Import to invoke the Certificate Import Wizard. Browse to the location of the .PFX file containing the client certificate and private key, click Open and then Next. Enter the password that protects the .PFX file and check the Mark this key as exportable tick-box. Do not check the Enable strong private key protection tick-box; with it enabled, Windows prompts the user every time the key is used, which breaks unattended clients. Be aware that an exportable key can be re-exported, as a .PFX, by anyone able to log on as that user, so on a production client only mark it exportable if you genuinely need to move the certificate later.

Fig. 19

Click Next and accept the default certificate store and then click Next and then Finish to complete the certificate import. You should now see the certificate in the user’s personal certificate store.

Fig. 20

# Note – The user's certificate store on the client machine must contain the private key of the client certificate, not just the public certificate. If it does not, the browser has no key with which to prove ownership of the certificate during the TLS handshake, so the handshake cannot complete and the connection fails. If you highlight the certificate and click View, the General tab should state "You have a private key that corresponds to this certificate". Refer to KB article 907274 if you don't understand this.
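The same import steps, scripted as an added example (this is not code from the original post). It uses the .NET X509 classes that are present on Windows Server 2003/2008 PowerShell as well as on current versions, so it does not depend on the later Import-Certificate/Import-PfxCertificate cmdlets. The two file paths and the interactive PFX password prompt are assumptions; the Trusted Root import needs an administrative prompt, while the Personal store import and the checks must run as the user who will present the certificate. The final section performs the check described in the note above: the installed certificate must report a private key and must chain to the root just trusted.

```powershell
# Added example, not part of the original post. Paths and password handling are assumptions.
$rootCerPath   = 'C:\certs\selfsigned-root.cer'   # assumed: public part of the self-signed issuing certificate
$clientPfxPath = 'C:\certs\client.pfx'            # assumed: client certificate plus private key
$pfxPassword   = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Chain of trust (Fig. 17): put the self-signed issuing certificate in the machine's
#    Trusted Root Certification Authorities store. Requires an elevated/administrative session.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCerPath)
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($root)
$rootStore.Close()

# 2. Client certificate with its private key into the user's Personal store (Fig. 19/20).
#    Exportable    = the "Mark this key as exportable" tick-box in the wizard
#    UserKeySet    = store the key under the logged-on user's profile (a user, not machine, cert)
#    PersistKeySet = keep the key on disk after the store Add; without it the key is deleted
#                    when the certificate object is disposed and HasPrivateKey later reads false.
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, UserKeySet, PersistKeySet'
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($clientPfxPath, $pfxPassword, $flags)
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$myStore.Open('ReadWrite')
$myStore.Add($client)
$myStore.Close()

# 3. The check from the note: the certificate as installed must carry its private key
#    (otherwise the browser cannot sign the handshake and IIS refuses the request) and
#    must build a chain to a trusted root on this machine.
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $client.Thumbprint }
if (-not $installed) {
    throw "Certificate $($client.Thumbprint) is not present in the user's Personal store."
}
if (-not $installed.HasPrivateKey) {
    throw "Certificate $($client.Thumbprint) was imported without its private key; the .PFX only held the public certificate."
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed root publishes no CRL
if (-not $chain.Build($installed)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Client certificate does not chain to a trusted root; re-check step 1.'
}
$rootOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"OK: $($installed.Subject) has a private key and chains to $($rootOfChain.Subject)"
```

If step 3 reports no private key even though the .PFX import succeeded, the usual cause is that PersistKeySet was omitted, which is exactly the state the comments below describe (a certificate visible in the store but with no key behind it).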

Fig. 21


This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”

  1. On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.


  2. On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I can not get either to work. I get a Bad Gateway error, 502.


  3. On May 11th, 2010, Marc said:

    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?


  4. On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Server and IIS?

  5. On December 14th, 2011, Eric Belair said:

    I setup client certificate authentication using these instructions, only I did it on one directory, instead of an entire website. However, I am getting a HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. On December 14th, 2011, Eric Belair said:

    Nevermind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.
