• IIS Admin Blog

  • How to Secure a Web Site Using Client Certificate Authentication

8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0 |

Install the Client Certificate (Public Key only) on the web server.

In order for the client certificate to be recognized we need to export the certificate’s public key from the client machine and import it on the web server. On the client machine navigate to Internet Explorer, Tools, Internet Options, Content, Certificates. Highlight the client certificate and then click Export to invoke the certificate Export Wizard. Click Next to begin the export and then ensure that do not export the private key is selected and then click Next

Fig. 22

Choose the default Export File Format (DER encoded binary X.509) and click Next

Fig. 23

Choose a suitable filename and location for your exported certificate and then click Next and then finish

Fig. 24

You have now exported the public key of your client certificate to a file which you can copy and install on the web server.

# Note – as the certificate I am using here is self-signed I will also need to create the chain of trust for it on the web server. To do this use the same steps we used previously for the client machine. Once this is done you can view the properties of the previously exported client certificate on the web server – notice that this time there is no private key associated with the certificate on the web server

Fig. 25

Next we need to enforce the use of client certificates on the web site. To do this right-click on the web site click Properties and click the Directory Security tab. Under Secure Communications click Edit and select Require client certificates and then Click OK twice.

Fig. 26

Now that we have configured both the client and the server we can go ahead and test the ‘two factor authentication’ mechanism we have configured. If we browse to the secure web site from the client machine we will be prompted for both the client certificate

Fig. 27

and a username and password

Fig. 28

Pages: 1 2 3 4 5 6

This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”

Why not let us know what you think by adding your own comment! Your opinion is as valid as anyone elses, so come on... let us know what you think.

  1. 1 On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.


  2. 2 On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I can not get either to work. I get a Bad Gateway. error 502.


  3. 3 On May 11th, 2010, Marc said:


    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?


  4. 4 On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Sever and IIS?

  5. 5 On December 14th, 2011, Eric Belair said:

    I setup client certificate authentication using these instructions, only I did it on one directory, instead of an entire website. However, I am getting a HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. 6 On December 14th, 2011, Eric Belair said:

    Nevermind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.

Leave a Reply

You must be logged in to post a comment.

  • Calendar

  • March 2018
    M T W T F S S
    « Sep