Client Certificate for external use

[Neily]

I have a server that several companies external to mine are going to use services we provide on their own web sites.

I've never dealt with Client Certificates before so am in need of some guidance. I have SSL set up and working, but I now am being asked to set up client certificates also.

Our server is a standalone web server running Windows Server 2008 (so its running IIS7) that is not joined to a domain but is accessible via the Internet. It has Certificate Services installed as a standalone CA.

I can't find any information about how these companies would request a client certificate from this server. If I browse to the CertSrv website on the server the only templates available are:

Web Browser Certificate
E-Mail Protection Certificate

Does a CA have to be a member of a domain to issue client certificates?

Would I be better off restricting access via IP?

I believe the idea is that only those with a client certificate can access the web site to use the services we provide.

Hope this is enough information, if not please let me know what else you need to know.

Thanks
Neil

 

[kmcferrin]

You don't want your standalone root CA to be in the DMZ, it should be on a server that is isolated from the rest of the network. By putting it in your DMZ you're opening it up to attack from anyone who can get to your DMZ.

What sort of certificate are you going to use? What is it going to be used for?

________________________________________
CompTIA A+, Network+, Server+, Security+
MCSE:Security 2003
MCITP:Enterprise Administrator

 

[Neily]

sorry for the delay.

The certificates are for other websites to communicate with our 'service' website via API calls and for a client application to also communicate with our web server again via APIs.

I don't know what certificates we'd use... don't really know the differences.

Thanks

 

[58sniper]

Why not just install a trusted certificate and be done with it? They're like $20 a year.

Pat Richard MVP

 

[Neily]

It may turn out to be something we don't do, however, at the moment I'm being told that we will use server & client certificates.

 

[kmcferrin]

If you're using certificates to secure communications between yourself and your clients then you have two options:

1. Use a third party certificate from someplace like Verisign or Thawte.

2. Use certificates signed internally by either your CA, your customers' CAs, or both. In this case you will have to trust their CA and/or vice versa.



________________________________________
CompTIA A+, Network+, Server+, Security+
MCSE:Security 2003
MCITP:Enterprise Administrator

 

[peterve]

for a quick writeup of 2008 based CA functionality, check out my blog at

https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=66

--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------

https://petersblog.dyndns.org:8899

---------------------------------------------------------------

 

[w33mhz]

I agree with 58Sniper there are lots of places where you can get a 3rd party Cert for pretty cheap its not really worth the hassle. Its cheaper then the windows license for your CA.