Sign in with
Sign up | Sign in
Your question

Requiring clients to have special SSL cert to connect

Last response: in Business Computing
Share
November 23, 2010 1:02:29 PM

Ok. I'm going to try and explain what I want to do as best as I can. I am a self taught computer geek in college studying Finance so I dont know a lot of technical terms.

I setup Server 2008 R2 in a domain setting with my registered domain. I also set up a webserver running https on 443.

While I was at work, I was assigned a responsibility requiring the use of ADP's (a payroll processing company) website. I was assigned a username and password but when I went to go type in the website that management gave me, nothing showed up. Well, ADP had to send me a ssl certificate that I had to import to my computer and then Walla! I could get to the site and use my login credentials to login!

I want to impliment this same process of having to issue a certificate to a specific clients computer so that it can connect to my website.

Any help would be appriciated!
November 23, 2010 7:03:39 PM

Using that infomation, would a client only be able to access my website after I had supplied them with a certificate?

I'm not talking about trying to get an ssl certificate and use it for the site. I already have a ssl cert with godaddy that allows https. What I'm trying to do is a little different.
m
0
l
Related resources
Can't find your answer ? Ask !
November 23, 2010 7:18:26 PM

Ah, you're looking for a CA cert. Certificate Authority cert. Not as easy and it will require some setup.

You'll need to stand up a Certificate Server or install the Certificate Authority on your server. From there you can open up existing certicates, copy the template, assign a role to the cert and then issue it out to clients.

You can access certs on your computer by going to:

MMC
Add/Remove Snap In
Add
Certificates
Use My Computer, take the defaults.
Under Personal.

That is to view your client's cert. But you need to have a certificate authority which can be set to hand out certs based on group membership.
m
0
l
November 23, 2010 7:29:06 PM

Ah yes! Here we go!

Would I be issuing the same cert from my server to my clients or would each cert be specific to the clients computer?
m
0
l
November 24, 2010 12:39:14 PM

Same cert. For example you can create one for the 'client' side to access. You could create one for an 'administrator' as well if you wanted to grant higher access rights to that cert.

That's the fun, but trickty part with certs. Not too many people deal with them because TechNet doesn't really cover much about them because it is hard to explain how they work.

I would start with a single cert and hand it out to everyone you want. If you have AD running in a domain you can publish the cert to the Domain or to a Site. Based on group membership the computers and/or users will get that cert.

Or you could simply email it out to have someone install it locally like you had mentioned previously.
m
0
l
November 29, 2010 4:25:03 PM

On server 2008 r2 do you know how I could do this? I have tried installing the cert roles (wasnt sure which one so i installed all), but I cant figure out how to issue 1 cert to download and email to all users, where I want them to install the cert locally and then have access.

Is there a guide or something? These things are really really confusing!
m
0
l
December 2, 2010 4:02:02 PM

technet.microsoft.com is the best place to look for it.

Create a copy of the template cert, rename it it fit your needs. Follow the technet steps on doing all this and finding the correct template. The cert will be published to Active Directory Sites and Services. The cert, if automatic enrollment is enabled, (you have to check the boxes to determine how to enroll, auto, manual, etc), when a user logs in, or a computer is connected, the cert will be issued under the Personal group, My Computer, or User section.

I'd say check into Technet and you should be able to find some info on it. Certs are one of those areas that are hard to find information on and relaying it in a forum is not the easiest method. Also, a believe there is a MS Press Book out there covering Certificate Authories which would be handy. The vast majority of MS applications will be implementing certificates for use.
m
0
l
!