Client Certificate Authentication
Hello, we use client certificate authentication. Client certs are issued by an intermediate CA. When visiting the client cert secured website, the only certs offered by the browser are those which are issued from a root CA. The intermediate CA cert is installed on the web server. If we install the intermediate cert on the client, the browser then offers the client cert. Is this correct behavior and if so why? I was expecting the client to offer the client cert issued by the intermediate CA, as the web server has both root and intermediate certs installed. Many thanks
August 30th, 2011 5:36pm
Yes, this is expected. The certificate selection API displays only valid certificates that are issued by a trusted authority. Therefore both — server and client — must trust the given CA certificate.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 31st, 2011 9:08am
Thanks, but I find that a bit confusing, since if I have a client certificate (including private key) from a root CA, then it does show up without the root CA cert being present on the client, but a client cert (with private key) issued by a subordinate CA does not show up.
August 31st, 2011 9:29am
It seems that the certificate chaining engine is unable to locate the subordinate CA certificate via the AIA extension. Since your root CA certificate is explicitly installed on client machines — there are no problems. My thought is that the CDP/AIA locations on the subordinate CA are not correctly configured.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 31st, 2011 10:56am
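The chain-building problem described in the answer above can be checked directly on the client. The following PowerShell script is an added example, not code from the thread or from the PSPKI module; it walks the certificates with a private key in the current user's personal store (the store path is an assumption), builds each chain the way the certificate selection API would, and prints the chain status together with the certificate's AIA URLs, so a missing or unreachable intermediate CA certificate shows up as a `PartialChain` status next to the URL the engine tried.

```powershell
# Added example (not from the original thread): report chain status and AIA locations
# for every client certificate with a private key. Store path is an assumption.
$storePath = 'Cert:\CurrentUser\My'

# OID 1.3.6.1.5.5.7.1.1 is the Authority Information Access (AIA) extension.
$aiaOid = '1.3.6.1.5.5.7.1.1'

Get-ChildItem $storePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert  = $_
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Mirror what a browser relies on: online revocation checking, root excluded,
    # and a bounded timeout for fetching CDP/AIA URLs.
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $ok = $chain.Build($cert)
    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("{0}  Subject={1}  Issuer={2}" -f $tag, $cert.Subject, $cert.Issuer)

    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            # PartialChain means the engine could not locate the issuing CA certificate,
            # locally or via AIA, which is the symptom discussed in the thread.
            Write-Host ("    status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }

    # Show where the certificate says its issuer's certificate can be downloaded from.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq $aiaOid }
    if ($aia) {
        Write-Host ("    AIA: " + $aia.Format($true).Trim())
    } else {
        Write-Host "    AIA: extension not present (chain building depends on a locally installed issuer cert)"
    }

    $chain.Reset()
}
```

A certificate that reports `OK` here but still does not appear in the browser usually fails a policy the browser adds on top (for example a server-side CA list that does not include the issuer), so compare this output with the CA names the server sends in its CertificateRequest.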