Officially issued SSL certificate and self-signed certificate in combination to achieve a two-way authentication site

This is a very interesting experiment.

As you know, certificates issued by some SSL certification authorities are installed on the server side, allowing visitors to access the site through SSL links, and can confirm the site's true address to the visitor. However, if you want to restrict the visitors to your site, you need to verify the certificate that the client owns so that you can establish a secure link. and the organization in the issuance of SSL certificates, there is no matching client certificate, so can not install on the client, it can not open the authentication of the client.

Certificate Services for AD CS can issue server-side SSL certificates or issue client certificates (see above), but server-side SSL certificates issued by AD CS can only bind one domain name, that is, WWW.abc.com or abc.com. Bind one of the domain name, with another domain name access, it prompts the certificate has a problem, not authorized to this domain name, a little uncomfortable.

Today's whim, can the Third-party certification authority issued by the SSL certificate and AD CS issued by the use of the certificate to achieve two-way certification. Start experimenting.

On the server side, the SSL certificate issued by the Third-party organization is first assigned. Import the certificate into the server certificate under Personal. Then import the certificate into the client computer certificate to manage trusted certificates. With IIS settings, the Web site requires an SSL link and chooses not to require a client certificate. This setting, the client with HTTP access will prompt 403 error, when accessing with HTTPS, will establish a secure link, click on "Lock" graphics, will display the certificate details. Indicates that the SSL certificate configuration was successful.

The next step is to reset IIS on the server side, require an SSL link, and require a client certificate. Now when you are accessing with HTTPS, you cannot access it because you do not have a certificate. Prompts for a security certificate to access.

Now, on the server side of the page to access the certificate request, typically localhost/certsrv, requesting a client certificate, after the successful application, to the server browser, and then exported from the server browser, copied to the client computer desktop.

The next step is to import the client certificate to the individual of the certificate on the client. Sometimes it needs to be imported manually into the browser, and on the server side, the client certificate is imported into the trusted certificate.

Ok. Now on the client access, with HTTPS access, the page appears to allow users to select a certificate, select the certificate, confirm that two-way link is established, can normally visit the website.

In addition, if you do not have a pop-up certificate selected page, may be previously visited, or have refused to select a certificate, the next visit may not have a certificate access pop-up box, you can clear the browser cache and re-enter the address access.

A tip: If the client uses HTTP access, and IIS settings must be SSL access, usually a 403 page, now, you can modify the 403 page, so that the URL automatically jump to HTTPS access, it is more friendly. Related Settings method Baidu has.

The one-hour experiment was successful. Be contented and have a cup of tea. Then write the homework assigned by the teacher.