How to generate an SSL client certificate from a disconnected network?

spoulson picture spoulson · Nov 6, 2008 · Viewed 23.4k times · Source

I have a unique situation where I need to implement client certificate authentication over HTTPS between IE browser and IIS 6. The browser and IIS are separated by a firewall that only allows the browser to connect to IIS on the SSL port.

We have an internal certificate server on the same network as IIS. I've generated an SSL server cert for IIS and that is installed. I configured IIS to only allow SSL, require client certificates.

The limitation here is the browser machine is on a disconnected network, so I can't go to the CA's http://caserver/CertSrv URL and request a client cert like you normally would.

I figured if there were a way that I could generate a CSR against the Root CA's public key, I can copy it to the CA server to generate the client cert. But, there appears to be no provision in IE or the Certificates MMC to do this. The Certificates MMC seems to require a direct connection to the CA.

Has anyone solved this before?

FYI, All servers referenced run Windows Server 2003.

Update: Thanks to Jonas Oberschweiber and Mark Sutton for pointing out the CertReq.exe command line tool. Using this, I've generated a CSR, and consequently a client certificate that installs successfully. However, IE is apparently not sending this client cert when accessing the IIS server in question; it still generates a 403.7 "Forbidden: SSL client certificate is required." I suspect that the reason is that the Subject field of the client cert does not match the user id of the account running IE, thus perhaps not sending a mismatching client cert. The Subject matches that of the user I used to submit the CSR and generate the client cert on the other end of the firewall.

Does the Subject field matter? Is there something else I need to do to enable IE to send this cert?

Answer

J Hunt picture J Hunt · Nov 7, 2008

Use the certreq command on your client as follows

certreq -new -f filein c:\certrequest.req

Here is and example of the filein

[Version] Signature="$Windows NT$"

[NewRequest]
Subject="CN=dc1.extranet.frbrikam.com"
EncipherOnly = False
Exportable = False
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes] CertificateTemplate=TLSServer

Replace the CertificateTemplate with the name of your certificate template

Once you have your request file you need to take it to the certificate authority on a usb stick and use the web enrolment interface as usual to process the request file.

Take the output certificate back to the client open it and click install.