1. Technology Knowledge Base - Client Certificate FAQ

2. Overview

Encryption

Authentication


3. CAcert

Client-cert-enabled Systems


To get your client cert from CAcert


How to get multiple email addresses into your client cert from CAcert

  1. Log in to the CAcert website (see Password Login, Certificate Login in the previous section)
  2. Select Email Accounts - View
  3. Are all the email addresses you want to add to your client cert defined?
  4. If not, add under Email Accounts - Add as many email addresses to your CAcert account as you want to include later in your client cert
  5. Verify the email addresses you added. Only verified email addresses can be included in a client cert.

To get someone else's CAcert client cert

4. Applications


Email Clients


Web Browser


Gotchas


Instant Messaging (IMs)


OpenSSH


Encryption Applications


Signing Documents


SVN


OpenSSL

5. Modifying software to use client certificates


OpenID


Apache


phpBB (ver 3) discussion forum


Microsoft Internet Information Server 8 on Windows Server 2012

[Apologies for the pictures being taken from a Czech-localized server / IIS Manager; an English version was not available.]

Assume a Windows Server 2012 with Microsoft Internet Information Server version 8 installed.

The first step is to install the CAcert server certificate, and of course also the CAcert root certificates, on the server. Server certificates are managed from the web server node near the top of the left pane of the IIS8 Manager. After selecting this node, the feature icons appear in the middle pane; double-click the "Server Certificates" icon. In the right (Actions) pane you can then create a CSR, submit it to CAcert for signing (outside the IIS8 Manager), and afterwards (back in the IIS8 Manager) complete the installation of the received certificate, which joins it with the private key generated when you created the CSR.

The standard port for SSL connections is 443. A website running on the IIS8 server needs the following binding defined: HTTPS - server certificate - port 443. You set this in the properties of the site you wish to run, via the "Bindings..." menu. If you want your website reachable over HTTPS only, define only the https binding (on the standard port 443) and not the http binding (on the standard port 80). Assign the CAcert-issued server certificate to the https binding.

If you wish to permit access to your website/virtual folder only to (in this case) CAcert certificate holders who have no account in your system, and who are therefore essentially anonymous, you have to permit anonymous access to the websites/virtual folders intended for them. You do this under the "Authentication" icon. The (CAcert) client certificate is then sufficient for them to gain access.

If you wish to give access to users who:

it is no longer anonymous access. Anonymous access should therefore be forbidden both for the whole website and for the virtual folders intended for those users. Prohibit anonymous access to such websites/virtual folders via the "Authentication" item and enable "Windows authentication" only. Those users will have to present a client certificate and then log in with their username and password.

Last step: open the "SSL settings" icon both in the site node and in its directory nodes, and there:

  1. tick the "SSL protocol required" box, and
  2. select "Require" client certificates on the radio buttons.

[Figures: SSL settings icon; SSL settings window]

The web server is now ready. If you access it as a user with a web browser that:

  1. uses the https protocol,
  2. has the CAcert root certificates installed, and
  3. holds your valid, non-expired client certificate issued by CAcert (you may have several certificates),

the server will request the valid certificate(s) the client may present (certificates issued by the same CA, in this case CAcert, that also issued the server certificate). A browser dialog appears in which you select and/or confirm the relevant client certificate. If you select a certificate issued by the same CA as the web server's certificate, if that client certificate is valid, and if its list of purposes includes logging in with the certificate (proving your identity to the remote computer), then you will log in to this web server successfully.

In all other cases an error message is displayed and access to the server is denied.

Trying to access the site over plain HTTP (without SSL) produces an error message - this page cannot be displayed. The reason is that the "http - port 80" binding deliberately does not exist.
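The same configuration can be applied and, more importantly, audited from a script instead of clicking through the IIS8 Manager. The following PowerShell is an added example and not part of the CAcert wiki page or of any CAcert tool; it uses the WebAdministration and PKI modules that ship with Windows Server 2012. The site name "Default Web Site", the "members" folder for users with Windows accounts, the root certificate path and the server certificate thumbprint are assumptions and placeholders you must replace.

```powershell
# Added example (not from the CAcert wiki page): scripted equivalent of the
# IIS8 Manager steps in the text, plus a read-back check of the result.
# Site name, folder name, thumbprint and file paths are assumptions/placeholders.

Import-Module WebAdministration

$SiteName        = 'Default Web Site'                            # assumption: site to protect
$MembersName     = 'members'                                     # assumption: folder for account holders
$MembersLocation = "$SiteName/$MembersName"                      # -Location form ("Site/folder")
$MembersPath     = "IIS:\Sites\$SiteName\$MembersName"           # provider-path form
$RootCertPath    = 'C:\certs\cacert-root.crt'                    # placeholder: CAcert root cert file
$ServerCertThumb = '<THUMBPRINT-OF-CACERT-ISSUED-SERVER-CERT>'   # placeholder

# 1. Trust the CA: the CAcert root goes into the machine Trusted Root store so that
#    both the server certificate chain and visitors' client certificates validate.
Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Bindings: https on 443 only. Removing http/80 makes the site unreachable
#    without SSL, which is the behaviour the text describes.
Get-WebBinding -Name $SiteName -Protocol http | Remove-WebBinding
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the CAcert-issued server certificate (already completed into the
# LocalMachine\My store through the CSR workflow) to the 443 binding.
$cert = Get-Item "Cert:\LocalMachine\My\$ServerCertThumb"
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# 3. Authentication. These sections are locked at server level, so they are
#    edited through -PSPath IIS:\ together with -Location.
#    Site root: certificate holders without an account -> anonymous access stays on.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $true
#    Members folder: users with accounts -> anonymous off, Windows authentication on.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $MembersLocation `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $MembersLocation `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# 4. SSL settings: "Require SSL" plus "Require" client certificates, on the site
#    root and on the members folder (the access section is not locked).
foreach ($path in @("IIS:\Sites\$SiteName", $MembersPath)) {
    Set-WebConfigurationProperty -PSPath $path `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'
}

# 5. Verification: read the effective settings back. An auditor expects no http
#    binding and SslRequireCert on every protected path.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
foreach ($path in @("IIS:\Sites\$SiteName", $MembersPath)) {
    $raw   = Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags
    $flags = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }
    if ($flags -notmatch 'SslRequireCert') {
        Write-Warning "$path does not require client certificates (sslFlags = $flags)"
    } else {
        Write-Output "$path : sslFlags = $flags"
    }
}
```

Run it in an elevated PowerShell session on the server after the CSR has been completed in the IIS8 Manager. The final loop is the part worth keeping in a scheduled check: if anyone later switches a folder back to "Accept" or "Ignore" client certificates, or re-adds an http binding, the script reports it.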

Enable Client Certs for .project


6. FAQ and Misc - Client Cert Troubleshooting


My IE is showing error code number "-2146885628" (or similar)


"Where is my private key? How do I use it on another computer?"


Renew Client Certs under FF

Where is the PKCS12 file? - I only have the PEM file that says its for smartcard only


"Windows does not have enough information to verify this certificate"


My cert is in the browser but not my email client - what now?


How to enable Client Cert authentication in your Web-Applications


I want to use Class3 Cert under older Windows System

iOS won't let me select CAcert client certificates for e-mail signing / encryption

7. How can I use Client Certificates like SSH?


8. Further References


9. Inputs & Thoughts