I have .net core web application which runs using kestrel. There we have client certificate authorization, which works fine, but there is one issue, if user have some custom company related client certificates then browser offers big list of client certificates. But we accept only certain certificates.
So question is how to filter out client certificates based on root certificates. I haven't found any way to pass root certificate list to client, i can only validate them after user already selected certificate.
I have seen few websites where browser offers to select only compatible certificates, but as they use different technology it doesn't help much with .net core
Related
I set up a local Intranet site for our company on a new web server running IIS 10. I did this using .NET Core Razor pages where I get the logged on Windows user and grant/deny access based on their User ID being in specific Active Directory groups via SQL ADSI queries.
I issued a self-signed certificate which was working just fine until the recent Chrome update which no longer accepts my self-signed cert. The cert still works in Edge. Most of what I find for Chrome is a work-around telling people to just type, "thisisunsafe", which works but is not a valid solution.
The only other info I can find is advice to get the 3rd party SSL cert, even though all of this is behind our firewall. I did this, and that's not working either.
I don't understand why I can't use a self-signed cert for my own internal site. What is the best practice to manage the security for an Internal company intranet and the cert process needed?
I need to setup client certificate authentication for a web app. I have a POC that works fine, except one thing: I can't figure out how to specify criteria for the client certificate (so that the browser only shows matching certificates when it prompts the user to pick one).
I know it's possible, because I've seen sites that did it, and the TLS RFC mention that the CertificateRequest can contain extensions "describing the parameters of the certificate being requested".
However, I can't find a way to do this with ASP.NET Core. I need to support this on IIS (for hosting in Azure App Service) and, if possible, on Kestrel (for local development).
Is it even possible?
EDIT: To be clear, I'm not asking how to validate the certificate once I received it. I'm asking how to specify which certificate I want (e.g. which CA issued it, etc.) during the TLS handshake.
Now most of the SSL authentication is implemented directly through third-party libraries, suddenly I want to know the two-way authentication, the client and server exactly how to use the information inside their respective certificates for authentication. For example, we have client certificates and server certificates, and we have extracted the contents of both certificates. How can we determine whether the authentication is successful or not?
I have created an asp.net web application and deployed it in IIS10. The design of the application is to require a client certificate for each user which will be provided by us. For testing purposes I created a self-signed certificate using the makecert.exe and followed the instructions at https://blog.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/. I added the certificate in the MMC Personal Certificates.
I also configured the iisClientCertificateMappingAuthentication in the IIS Configuration Editor using the one-to-one mapping approach. When I tested it on the browser, at first it asked for a digital certificate (which is correct), but when I clicked the certificate I added on the bindings it returns an error "Your client certificate is either not trusted or is invalid."
What should be the problem here since the installed client certificate is already added in the IIS one to one mapping configuration? Do I need additional configuration in the IIS?
Does anybody has a WebLogic 8.1 two-way SSL full example?
I am developing a small web application (1 HTML, 1 Servlet, 1 JSP) to send confidential data. The client could be a web browser. The server is WebLogic 8.1.
The information should travel encrypted. Besides, the web application needs to authenticate the client, using more than a username/password combination. I thought implementing using HTTPS and two-way SSL authentication. This way, the user should send me her certificate, I installed in the server, so the web application could know when it is sending information.
Now, I know how to use declarative authorization in a web application, but I am lost on how specify which users I recognize, and which are their certificates.
I just need a full example of this. A .war and/or the steps to do the basic case.
I don't think you'll find a full example easily and the question is a bit broad. But the link your provided is a very good starting point.
First configure Two-Way SSL and use CLIENT-CERT. Clients will need to buy a trusted client certificate or to generate a self-signed certificate that you'll need to add to the server trust store. This may be the hardest part if you're not familiar with PKI but I've added resources at the end of this answer that cover this part. Load the client certificate in each client browsers.
Second, configure an Identity Assertion provider to map the digital certificate of a Web browser to a user in a WebLogic Server security realm. If required, provide your own user name mapper or use the default one (which uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm).
Third, add users corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate in Weblogic Security Realm and assign them to groups.
Finally, use these groups in your declarative authorizations.
Sure, it won't be that easy if everything is new but that's basically what you need to do. Maybe start to implement it and open more specific questions if you need more guidance.
More resources:
Two-Way SSL in Weblogic for Developers
The Fifteen Minute Guide to Mutual Authentication
Certificate to User Mapping in WebLogic
How to Set Up X509 Certificate Authentication for Oracle WebLogic Server (transposable to WLS 8.1)