ASP Object: ClientCertificate

Client|object

ClientCertificate

The ClientCertificate collection obtains validation fields from Web Browser publishing requests (specified by the X.509 standard).

If the Web browser uses the SSL3.0/PCT1 protocol (that is, it uses a URL that starts with a https://instead of a http://) to connect to the server and the server to request authentication, the browser sends the validation field.

If no validation is sent, the ClientCertificate collection returns EMPTY.

The WEB server must be configured to require client authentication before the ClientCertificate collection can be used.

Grammar

Parameters

Key

Specifies the name of the validation field to get. Client-side validation includes the following fields. Value meaning certificate the binary stream string in ASN.1 format, which includes the full validation content. Flags a set of flags that provide additional client authentication information. You can set the following flags:

Cecertpresent-Current client validation.

Ceunrecognizedissuer-the last validation from an unknown publisher on the chain.

Note To use the above flags, you must include the client validation include file in the ASP page. If you are using VBScript, you should include Cervbs.inc. These files are installed in the \inetpub\aspsamp\samples directory.

Issuer a string containing a list of child field values that contains the information that validates the publisher. If the value is specified without a subfield entry, the ClientCertificate collection returns a comma-delimited list of child fields. For example, C=us, o=verisign and so on. SerialNumber A string containing the validated serial number, which is represented by a 16-based ASCII code separated by a hyphen (-). For example, 04-67-f3-02. Subject a string containing a list of child field values that contains subject information about the validation. If the value is specified without a subfield entry, the ClientCertificate collection returns a comma-delimited list of child fields. For example, C=us, o=verisign and so on. VALIDFROM Specifies when validation is valid. This date follows the VBScript format and varies with the country (region) settings. For example, in the United States can be expressed as 9/26/96 11:59:59 PM. VALIDUNTIL specifies when validation expires.

Subfield

Optional parameter used to retrieve a separate field by pressing the Subject or issuer keyword. This parameter is added as a suffix to the key parameter. For example, Issuero or SUBJECTCN. The following table lists some common subfield values. Value meaning c specifies the name of the original country (region). CN specifies the public user name. (This child field is used only with the Subject keyword.) GN Specifies the given name. I specify a set of first letters. • Designation of location. o Specify the name of the company or organization. The name of the OU-specified authority. s specifies the state or province. t specifies the title of this person or organization.

Unlike the values listed in the list above, the value of subfield can be identified by the ASN.1 identity. The format of the ASN.1 identity is a series of numbers separated by periods (.). For example: 3.56.7886.34.

Comments

You can iterate through the ClientCertificate collection by using a keyword loop. This is demonstrated in the following example.

<%for each key in Request.clientcertificate  Response.Write (Key & ":" & Request.clientcertificate (Key) &A mp "

Example

The following example uses the Subject keyword to test whether a client validation exists.

<%if Len (Request.clientcertificate ("Subject")) = 0  

The following example gets the common name of the company that publishes client-side validation.

The following example checks the organization name of a client-side validation topic.

<% If (Request.clientcertificate ("Subject") = "Msft")  

The following example shows when client-side validation expires.

The following example uses the Flags keyword to test whether the publisher of a client-side validation is known. The include command in the first line enables the script to use the named Flag Ceunrecognizedissuer.

<%if request.clientcertificate ("Flags") and Ceunrecognizedissuer Then  

Apply to

Request Object