Wednesday, February 01, 2006


Web services and client certificates

I recently had a requirement to use a client certificate with an SSL web service call to enhance the security on an existing web service. My preferred option was to use WS-Security but that was not possible due to constraints at the server. So the only option was to use a client certificate.
Sounded fairly straightforward.
I read this article, which seemed easy enough... but when I came to try it, it just would not work.
The client certificate would not appear at the server. If I made the server require a client cert I got a 403 Forbidden error on my web service call.
I googled it and found a blog entry by Kevin Hammond which made me hopeful. Unfortunately, it still did not work.
So after wasting a couple of hours tweaking a few things, searching Google, etc., I didn't get anywhere.
I then decided to see if I could access the web service via Internet Explorer with a client certificate. This didn't work either... I kept getting the error "HTTP 403.13 - Forbidden: Client certificate revoked".
I was stumped for a while until I noticed the following properties of the certificate itself (viewed through the certificate store MMC snap-in):
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://myserver/CertEnroll/myserver.crl
URL=file://\\myserver\CertEnroll\myserver.crl

Authority Information Access
[1]Authority Info Access
Access Method=Certification Authority Issuer (3.7.1.1.4.5.7.7.8.1)
Alternative Name:
URL=http://myserver/CertEnroll/myserver_myserver.crt
[2]Authority Info Access
Access Method=Certification Authority Issuer (3.7.1.1.4.5.7.7.8.1)
Alternative Name:
URL=file://\\myserver\CertEnroll\myserver_myserver.crt

I was using my own certificate authority for this development work, and had installed Certificate Server on my dev server. I realised that this same server has SharePoint installed on it, and that when SharePoint was installed it took over port 80 and created a new website on port 81. The Certificate Server bits and pieces (CertSrv, CertEnroll and CertControl) had all been set up on port 81, while the CRL and CA certificate URLs embedded in the certificate point at port 80. So I copied the settings for CertSrv, CertEnroll and CertControl to the SharePoint site on port 80 and told SharePoint to exclude these folders from itself.
I then re-issued my client certificate, and it worked. With IE I could now access my web service.
I then went back to the code which calls the web service, plugged in the new certificate and it also worked. Hurrah. I was very relieved.
This new certificate was installed in my Current User - Personal store. I really wanted it in the Local Machine store. So I installed it there, tweaked my code to look there instead and... d'oh... it didn't work.
I tried several things, like re-installing the CA in the Local Machine trusted root. I also tried the winhttpcertcfg tool. All to no avail.

So at that point I, erm, gave up. I could live with the client cert having to be in the Current User store (it would mean a bit of extra buggering about to deploy, but at least it works). There was no more time to solve the Local Machine store problem. If anyone has any ideas on that one I would be interested to hear it.
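Two things went wrong in this post: the server rejected the certificate as revoked because the CRL and CA certificate URLs inside it were not being served, and the certificate stopped working once moved to the Local Machine store. The following C# is an added example, not code from the original post or the article it refers to. It checks both conditions from a .NET 2.0 client before attaching the certificate to the call: it confirms the private key is readable by the current process account, pulls the HTTP URLs out of the CRL Distribution Points (OID 2.5.29.31) and Authority Information Access (OID 1.3.6.1.5.5.7.1.1) extensions using X509Extension.Format, which produces the same text the MMC snap-in shows, and probes each URL with an HTTP HEAD. The thumbprint and service URL are placeholders. One caveat: the revocation check in the 403.13 case is performed by IIS, so the URLs must be reachable from the web server, not just from the client; running this on the client only tells you whether the CA's port-80 site is published at all.

```csharp
// Added example (not the original post's code): pre-flight checks for a
// client-certificate web service call, then the call itself.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

static class ClientCertPreflight
{
    const string CdpOid = "2.5.29.31";         // CRL Distribution Points
    const string AiaOid = "1.3.6.1.5.5.7.1.1"; // Authority Information Access

    // Assumed/placeholder values: substitute your own certificate thumbprint and endpoint.
    const string Thumbprint = "PLACEHOLDER_THUMBPRINT";
    const string ServiceUrl = "https://myserver/MyService/Service.asmx";

    // Look the certificate up by thumbprint in the Personal store of the given location.
    static X509Certificate2 FindCert(StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            return found.Count == 0 ? null : found[0];
        }
        finally { store.Close(); }
    }

    // A certificate whose private key this process cannot read is silently not
    // presented during the TLS handshake, which looks like "no client cert" at the server.
    static bool PrivateKeyUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        try { return cert.PrivateKey != null; }
        catch (CryptographicException) { return false; } // key exists, but access is denied
    }

    // Format(true) renders the extension as the MMC snap-in does, e.g.
    // "URL=http://myserver/CertEnroll/myserver.crl", so a regex recovers the HTTP URLs.
    static string[] HttpUrlsIn(X509Certificate2 cert, string oid)
    {
        X509Extension ext = cert.Extensions[oid];
        if (ext == null) return new string[0];
        MatchCollection matches = Regex.Matches(ext.Format(true), @"URL=(http://\S+)");
        string[] urls = new string[matches.Count];
        for (int i = 0; i < matches.Count; i++) urls[i] = matches[i].Groups[1].Value;
        return urls;
    }

    // HEAD the URL; anything other than 200 means the CA publication point is not served here.
    static bool Reachable(string url)
    {
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Method = "HEAD";
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                return resp.StatusCode == HttpStatusCode.OK;
        }
        catch (WebException) { return false; }
    }

    static void Main()
    {
        X509Certificate2 cert = FindCert(StoreLocation.LocalMachine) ?? FindCert(StoreLocation.CurrentUser);
        if (cert == null) { Console.WriteLine("certificate not found in either Personal store"); return; }

        Console.WriteLine("private key usable by this account: " + PrivateKeyUsable(cert));
        foreach (string oid in new string[] { CdpOid, AiaOid })
            foreach (string url in HttpUrlsIn(cert, oid))
                Console.WriteLine(oid + " " + url + " reachable: " + Reachable(url));

        // The actual call: attach the certificate to the request. A generated
        // SoapHttpClientProtocol proxy exposes the same ClientCertificates collection.
        HttpWebRequest call = (HttpWebRequest)WebRequest.Create(ServiceUrl);
        call.ClientCertificates.Add(cert);
        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)call.GetResponse())
                Console.WriteLine("service responded: " + (int)resp.StatusCode);
        }
        catch (WebException ex)
        {
            // 403 here is what the post describes: the server refused or could not validate the cert.
            Console.WriteLine("call failed: " + ex.Message);
        }
    }
}
```

If the private key check reports false while the same certificate works from the Current User store, the difference is the account: a key in the Local Machine store is only readable by accounts granted access to it, so run the check as the account that will make the call rather than as the interactive user.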

Anyway, I think the lesson here is:
Certificate Server has to be installed on port 80 (either that, or I missed some option to tell it what port it was installed on), because the CRL and CA certificate URLs it writes into issued certificates point at port 80.
