How do I create client certificates for local testing of two-way authentication over SSL?

indra · Jun 14, 2012 · Viewed 73.1k times

I'm trying to set up two-way authentication on a web app running on IIS7. The clients are going to mostly be mobile devices and in the first instance I'm trying to get a demo running using a 3rd generation iPad. I thought I'd start with getting it running on my workstation (which is also running IIS) first and then copy the working certificate over to the iPad.

However I've hit a wall.

I've got as far as having the site running securely over https and have installed a self-signed server certificate, however I can't seem to figure out how to generate a client certificate which I can install on the iPad. As I'm working on a local workstation running Windows 7 I can't use the usual http://machinename/CertSvr to do this.

So I'm wondering if there is a way of getting makecert to generate test client certificates or whether I can change the usage flag in the server certificate to make it suitable for use on the client. Or perhaps there is some tool which the last day of Googling has not yet discovered?

Update:

I found this guide and followed it to the letter. It all seemed to work, no errors, and I ended up with two pfx files, one for the server and one for the client (I generated these using pvk2pfx and kept the original .pvk and .cer files just in case).

I installed the server certificate under Certificates (Local Computer) > Trusted Root Certification Authority and installed the client certificate under Certificates (Current User) > Personal. I have also imported the server certificate (the CA one) into IIS. It all works fine when IIS is configured to accept or ignore client certificates. However once it is set to 'Require' I'm getting a 403.7 when requesting the site. I've also tried importing the client certificate to the certificates store in IE/Chrome but again no dice.

Is there something obvious I'm doing wrong?
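For the setup described in the question, here is an added example (not from the question or the guides it mentions) that scripts the makecert/pvk2pfx sequence and then checks the two things IIS needs before 'Require' will accept a certificate: the client certificate must chain to a CA present in the server's Local Computer Trusted Root store, and it must carry the Client Authentication EKU. Assumed: the Windows SDK tools makecert.exe and pvk2pfx.exe plus certutil.exe are on PATH, the session is elevated, and the subject names, working directory and placeholder password are made up.

```powershell
# Added example (not from the question or its linked guides): issue a throwaway
# test CA and a client certificate signed by it with makecert/pvk2pfx, then
# verify the two properties IIS checks before "Require" accepts the certificate.
# Assumptions: makecert.exe, pvk2pfx.exe, certutil.exe on PATH; elevated shell
# (needed for the LocalMachine\Root import); names/paths/password are placeholders.
# makecert opens a dialog for each .pvk password; "None" is fine for a test key.
$ErrorActionPreference = 'Stop'
$WorkDir     = Join-Path $env:TEMP 'mtls-test'   # placeholder location
$PfxPassword = 'CHANGE-ME'                        # placeholder, protects the .pfx only
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Location $WorkDir

# 1. Self-signed test CA (-cy authority). -sky signature: this key only signs.
makecert -r -pe -n 'CN=Local Test CA' -a sha256 -len 2048 -cy authority `
    -sky signature -sv TestCA.pvk TestCA.cer
if ($LASTEXITCODE -ne 0) { throw 'makecert failed for the CA' }

# 2. Client certificate issued by that CA. The EKU OID 1.3.6.1.5.5.7.3.2 is
#    what marks it as a client-authentication certificate; a server certificate
#    (EKU 1.3.6.1.5.5.7.3.1) will not be accepted as a client identity.
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
makecert -pe -n 'CN=Test Client' -a sha256 -len 2048 -sky exchange `
    -eku $ClientAuthEku -ic TestCA.cer -iv TestCA.pvk `
    -sv TestClient.pvk TestClient.cer
if ($LASTEXITCODE -ne 0) { throw 'makecert failed for the client certificate' }

# 3. Bundle key + certificate into a .pfx: this is the file to import on the
#    iPad or into Certificates (Current User) > Personal on the workstation.
pvk2pfx -pvk TestClient.pvk -spc TestClient.cer -pfx TestClient.pfx `
    -po $PfxPassword -f
if ($LASTEXITCODE -ne 0) { throw 'pvk2pfx failed' }

# 4. The issuing CA (not the server certificate) goes into the server's
#    Local Computer > Trusted Root store so IIS can build the chain.
certutil -addstore -f Root TestCA.cer | Out-Null

# 5. Checks: the chain reaches a trusted root, and the EKU is present.
$verify = certutil -verify TestClient.cer
if ($verify -match 'not trusted|could not be built|REVOKED|expired') {
    throw "Client certificate does not chain to a trusted root:`n$($verify -join "`n")"
}
$dump = certutil -dump TestClient.cer
if (-not ($dump -match 'Client Authentication')) {
    throw 'Client certificate lacks the Client Authentication EKU'
}
Write-Host "OK: $WorkDir\TestClient.pfx is ready to import"
```

The final two checks are the ones worth re-running against any certificate that produces a 403.7: if either fails, IIS has no basis to accept the certificate regardless of which stores it was imported into.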

Answer

NSjonas · Oct 18, 2013

Maybe this didn't exist when you asked this question but Microsoft now has a GUIDE for doing exactly this. Easy to follow and worked perfectly for me!